How Project Managers Can Improve Cybersecurity Accreditation Processes
Boris Petukhov
Management Consultant | Doctorate in Project Management | SFIA Level 7 Project Manager | ISACA CISM | ISACA CRISC
In the previous issue, we delved into several critical considerations for approaching cybersecurity accreditation. These points, resulting from lessons learned through my ISACA CISM and CRISC training, highlighted foundational aspects such as asset protection, risk ownership, clear definition of requirements, and the need for early incorporation of cybersecurity assessments in project lifecycles.
Reflecting on these insights, we saw how important it is for project managers to align with cybersecurity requirements from the beginning. By embedding risk management practices, defining risk appetites, and using tools like RACI matrices, we established the groundwork for smoother cybersecurity assessments. These considerations provided valuable guidance on handling complexities in ICT deliveries that require strong security postures.
However, while these points laid a solid foundation, there is still much to be explored in terms of how these ideas can be operationalised into a structured, repeatable process. In this edition, we’ll take these previous lessons and shift our focus towards a more structured approach to improving the cybersecurity accreditation process from a project manager’s point of view.
We consider the following four phases to form the applicable end-to-end process for achieving cybersecurity accreditation:
1. Requirements & Planning
This phase focuses on defining clear requirements and aligning them with organisational risk appetites and compliance needs. Proper planning ensures that the accreditation project is well-structured, with risk ownership and success criteria clearly outlined, setting the stage for smooth execution.
2. Execution & Monitoring
During this phase, the project team executes the security strategies, closely monitoring the implementation of security controls. Continuous tracking ensures progress stays on course, and any deviations are promptly addressed. Here, regular communication with stakeholders is essential to manage risk and avoid unexpected delays.
3. Completion
This stage involves finalising the cybersecurity accreditation process, including validating that all requirements have been met. Thorough testing and evaluation of security measures are conducted, and stakeholders sign off on the successful completion of security assessments.
4. Security Posture Improvements
Cybersecurity doesn’t end with accreditation. This phase ensures that the system’s security posture is maintained through regular updates, risk reviews, and improvements based on emerging threats. Continuous improvement is critical to maintaining compliance and securing the organisation's assets in the long term.
Now, let’s take a closer look at each of these phases and see how the previously considered critical assessment components align with the main phases of the process.
Phase 1: Requirements & Planning
The Requirements & Planning phase is the foundation for any cybersecurity accreditation project. It focuses on defining clear security requirements, aligning them with the organisation’s risk appetite and compliance needs, and establishing a detailed plan for the project’s successful execution. This phase ensures that all stakeholders are on the same page and prepares the project for smooth progression through the following phases.
Key components of this phase include:
1. Conduct Impact Assessment & Identify Protected Assets
The first step in this phase is conducting an Impact Assessment, which identifies the organisation’s critical assets and assesses the level of protection required. This is based on how losing or exposing a given asset would impact the enterprise. Properly identifying protected assets ensures that the security strategy is aligned with the organisation's needs and potential risks are minimised from the outset.
2. Assign Risk Ownership & Define Decision-Making Authorities
It is essential to establish clear risk ownership and decision-making authorities early in the process. By assigning responsibility to the correct stakeholders, we can ensure that all subsequent assessments and decisions are made efficiently and by the right people. This minimises confusion and enhances accountability throughout the project.
3. Define Risk Appetite
Understanding the organisation's risk appetite is a critical aspect of planning. Whether the company is a risk-averse financial institution or a more agile startup with a higher tolerance for risk, this definition shapes the security strategy. Identifying the level of risk the organisation is willing to accept helps guide compliance and security control decisions, ensuring that they align with business objectives.
4. Establish RACI Framework
The RACI (Responsible, Accountable, Consulted, Informed) matrix defines the roles and responsibilities of team members and participating organisations in the accreditation project. It also outlines accountability lines and decision-making authorities. The RACI matrix serves as a centralised reference point throughout the project, ensuring that tasks are assigned to the appropriate resources and accountability is maintained.
5. Define Requirements & Success Criteria
Defining well-structured requirements is crucial for the cybersecurity accreditation process. In this step, the team focuses on two key components:
Regulatory Requirements: The project must comply with all relevant regulations and standards. For example, Australian organisations may need to adhere to the Australian Government Information Security Manual (ISM) or the Protective Security Policy Framework (PSPF); organisations in the United States commonly work to NIST publications such as SP 800-53 or the Cybersecurity Framework; others may need ISO/IEC 27001 certification or compliance with the EU GDPR. Which of these apply depends on the organisation’s location and industry, and practitioners must conduct thorough research to determine the applicable set rather than assume it.
Applicability of Controls to Technical Components: Not all regulatory controls apply to every system or technical component. By mapping the relevant controls to the technical environment, the team ensures that the security requirements are both comprehensive and targeted, allowing for effective design, implementation, and testing.
The success criteria are established during this phase, providing a "To-Be" model of the desired security state and enabling clear benchmarking of the accreditation progress.
6. Compile Risk Profile: As-Is & To-Be
This step involves developing an As-Is risk profile to understand the current risk landscape of the system. Based on the defined risk appetite and the accreditation requirements, the team will also establish a To-Be risk profile: the target risk state needed for a successful production launch. The goal is to transition from the current risk rating (which may be high or moderate) to a lower, acceptable level that aligns with the organisation’s risk tolerance.
7. Conduct Gap Analysis
A Gap Analysis is essential for identifying the discrepancies between the current “As-Is” risk profile and the desired “To-Be” model. The team identifies areas where risks exceed acceptable levels, pinpointing missing security controls, vulnerabilities, and compliance gaps. This analysis enables the project team to create a clear roadmap for addressing these gaps and achieving the target security posture.
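The mechanics of that comparison are simple enough to script, which also makes the roadmap reproducible when the register changes. The following is an added example (not code from the original article): it takes a constructed risk register with As-Is and To-Be ratings, applies an assumed four-level rating scale and an appetite threshold, and returns the risks that sit above appetite, ordered by how many levels must be removed. It also flags the two planning defects a project manager should escalate rather than bury in the plan: a To-Be target that is itself above appetite (which needs formal risk acceptance, not more controls) and a gap with no planned control behind it.

```python
"""Gap analysis between an As-Is and a To-Be risk profile.

Added example, not from the original article. The risk register entries,
the four-level rating scale and the appetite threshold are constructed
assumptions used only to show the mechanics.
"""
from dataclasses import dataclass, field

# Ordered rating scale (assumed). Higher number = higher risk.
LEVELS = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass
class Risk:
    risk_id: str
    asset: str
    description: str
    as_is: str                      # current rating from the As-Is profile
    to_be: str                      # target rating agreed with the risk owner
    owner: str                      # accountable risk owner (from the RACI)
    planned_controls: list = field(default_factory=list)


def gap_analysis(register, appetite):
    """Return one finding per risk that currently sits above the risk appetite.

    Each finding records how many rating levels must be removed to reach the
    To-Be target, which controls are planned to do that, and two planning
    defects that need escalation:
      - 'to_be_above_appetite': the agreed target is still outside appetite,
        so it needs formal risk acceptance rather than more controls;
      - 'no_planned_controls': the gap has no activity behind it in the plan.
    Findings are ordered largest gap first.
    """
    if appetite not in LEVELS:
        raise ValueError(f"unknown appetite rating: {appetite!r}")
    limit = LEVELS[appetite]
    findings = []
    for risk in register:
        current, target = LEVELS[risk.as_is], LEVELS[risk.to_be]
        if target > current:
            raise ValueError(f"{risk.risk_id}: To-Be target is above As-Is rating")
        if current <= limit:
            continue                # already within appetite: no gap to close
        issues = []
        if target > limit:
            issues.append("to_be_above_appetite")
        if not risk.planned_controls:
            issues.append("no_planned_controls")
        findings.append({
            "risk_id": risk.risk_id,
            "asset": risk.asset,
            "owner": risk.owner,
            "levels_to_reduce": current - target,
            "planned_controls": list(risk.planned_controls),
            "issues": issues,
        })
    findings.sort(key=lambda f: (-f["levels_to_reduce"], f["risk_id"]))
    return findings


def roadmap_by_owner(findings):
    """Group the gap-closing activities by accountable owner for the plan."""
    plan = {}
    for f in findings:
        plan.setdefault(f["owner"], []).extend(
            f"{f['risk_id']}: {c}" for c in f["planned_controls"])
    return plan


# Constructed sample register (not real findings from any system).
SAMPLE_REGISTER = [
    Risk("R-01", "Customer database", "Backups stored without encryption at rest",
         as_is="high", to_be="low", owner="Data Owner",
         planned_controls=["Enable encryption for backup storage",
                           "Restrict backup bucket access to the backup role"]),
    Risk("R-02", "Admin portal", "Privileged accounts not protected by MFA",
         as_is="critical", to_be="moderate", owner="System Owner",
         planned_controls=["Enforce MFA for all privileged accounts"]),
    Risk("R-03", "Public website", "Verbose error pages in production",
         as_is="moderate", to_be="low", owner="System Owner",
         planned_controls=["Disable detailed error output"]),
    Risk("R-04", "Batch service", "Unsupported runtime version with no upgrade path",
         as_is="high", to_be="high", owner="Business Owner"),
]

if __name__ == "__main__":
    findings = gap_analysis(SAMPLE_REGISTER, appetite="moderate")
    for finding in findings:
        print(finding)
    print(roadmap_by_owner(findings))
```

With a "moderate" appetite, R-03 drops out (already within appetite), R-01 and R-02 each need two levels of reduction, and R-04 is reported with both defects: its target is still "high" and nothing is planned, so it belongs in the risk-acceptance conversation with the business owner, not in the control backlog.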
8. Perform Cost-Benefit Analysis
A Cost-Benefit Analysis is conducted to weigh the investment required to implement security controls against the value of the protected assets and the cost of potential security breaches. This analysis supports the development of a strong business case for security measures and helps inform decision-making throughout the project.
9. Develop a Plan to Close the Gap
Another step in the Requirements & Planning phase is to develop a detailed plan to close the gap between the current and desired risk states. This involves identifying the necessary activities, allocating resources, and setting realistic timelines for completion. The plan must align with the organisation’s risk appetite, compliance requirements, and the established "To-Be" risk profile. Tracking progress and maintaining traceability from requirements through to implementation is critical to ensuring success.
10. Compile Communication Plan
As part of the planning phase, a comprehensive communication plan must be developed to ensure effective stakeholder engagement throughout the project. This plan outlines what content will be delivered to specific audiences, how often, and through which communication channels. It is essential to tailor the communication strategy to each group—whether process owners, system administrators, or senior stakeholders—ensuring that everyone receives the information they need to stay informed and aligned with project goals.
Additionally, the communication plan will specify lines of escalation for resolving issues or risks that arise. By defining these paths upfront, the project team ensures that potential obstacles are addressed promptly and escalated to the appropriate decision-makers when necessary. This structured approach to communication prepares the team for seamless execution during later phases, keeping stakeholders informed and aligned from the outset.
The Requirements & Planning phase provides the structure and clarity needed for the project to proceed efficiently. By focusing on risk, compliance, and strategic alignment, this phase sets the foundation for effective execution, ensuring that all team members understand their roles and that the project adheres to security standards and organisational objectives.
Phase 2: Execution & Monitoring
During the execution and monitoring phase, the project team focuses on putting the security strategies into action while continuously tracking the implementation of security controls. It's vital to monitor progress closely to ensure that the project stays on course and that any deviations are promptly addressed. Regular communication with stakeholders—especially process owners, data owners, and system owners—is essential to manage risk effectively and avoid unexpected delays. Keeping them informed about the progress of security controls ensures alignment with organisational security policies and applicable technical architecture patterns.
Key components of this phase include:
1. Align Security Architecture with Solution Architecture (Business, Information, Technical)
In this phase, it's essential to ensure that the security architecture aligns with the overall solution architecture across three vectors: business, information, and technical.
From a business perspective, security controls must support and not impede the desired outcomes, so that the security strategy enables the organisation’s goals rather than becoming a bottleneck.
On the information side, data must be classified and protected according to that classification, preserving confidentiality, integrity, and availability as it flows through the system in line with regulatory and business requirements.
Technical alignment involves embedding security controls into the infrastructure and technology stack without introducing unnecessary complexity or performance issues.
Keeping these three vectors consistently aligned produces a cohesive solution in which security measures enhance, rather than disrupt, operational effectiveness and business functionality.
2. Bring Cyber to the Left
Cybersecurity should be integrated from the very beginning of the software development lifecycle (SDLC). This approach—often referred to as "shifting cybersecurity left"—ensures that security is embedded into every stage of development, rather than being an afterthought. By incorporating security tools and practices early on, vulnerabilities can be identified and addressed during the coding phase, significantly reducing the need for costly rework and project delays later.
Current CI/CD pipelines and testing automation tools should be leveraged to automate the testing of technical deliverables for security compliance as early as possible. This allows the development team to continuously assess code for security vulnerabilities, ensuring that both functional and security requirements are met throughout the delivery process.
By testing for security early and often, teams can avoid last-minute delays and additional work during the later phases of project delivery. Furthermore, this proactive approach supports the seamless implementation of security controls—whether delivering a system for the first time or significantly enhancing an existing one. Ultimately, bringing cybersecurity to the left improves the overall security posture, reduces the risk of security breaches, and ensures smoother, more cost-effective project execution.
3. Maintain Traceability of Documentation
Maintaining traceability is a crucial aspect of the cybersecurity accreditation process. The project team must ensure that all project artefacts—such as requirements, design documents, test cases, and testing results—are meticulously linked to provide clear visibility into how each security requirement is addressed and validated.
By establishing this traceability, the team can track the lifecycle of every security control from initial requirement definition through to implementation and testing. This ensures that no security objective is overlooked and that the system’s compliance with security standards is thoroughly documented. Additionally, this linkage helps identify any potential gaps in coverage early, reducing the risk of security vulnerabilities going unnoticed.
A well-maintained traceability matrix or similar tool can also streamline audits and reviews by providing a clear, structured view of how the system meets its security requirements, simplifying the validation process for stakeholders. Ultimately, maintaining robust traceability enhances accountability and ensures that the project stays aligned with its security goals throughout its lifecycle.
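A traceability matrix is only useful if someone checks it for holes before the evidence pack goes to the accreditor. The following is an added example, not the article's own material: it links constructed requirement, design and test records by identifier (the SR-/D-/TC- naming, the record layout and the pass/fail vocabulary are assumptions; a real project would export these from its requirements tool and test reports) and reports exactly the defects an accreditor would raise: a requirement with no design item, a requirement with no test, a test that has not passed, and a test that references a requirement nobody defined.

```python
"""Requirements-to-test traceability check for an accreditation evidence pack.

Added example, not from the original article. Identifiers (SR-xx, D-xx,
TC-xx), the artefact records and the 'pass'/'fail' vocabulary are constructed
assumptions; a real project would load these from its requirements tool,
design register and test reports.
"""

# Constructed artefacts. Each design item and test case names the security
# requirements it covers; that linkage is what the matrix is built from.
REQUIREMENTS = {
    "SR-01": "Privileged access requires multi-factor authentication",
    "SR-02": "Customer data is encrypted at rest",
    "SR-03": "Security events are forwarded to the SIEM within five minutes",
    "SR-04": "Administrative actions are logged with the acting identity",
}
DESIGN_ITEMS = [
    {"id": "D-10", "covers": ["SR-01"]},
    {"id": "D-11", "covers": ["SR-02", "SR-04"]},
]
TEST_CASES = [
    {"id": "TC-01", "verifies": ["SR-01"], "result": "pass"},
    {"id": "TC-02", "verifies": ["SR-02"], "result": "fail"},
    {"id": "TC-03", "verifies": ["SR-04"], "result": "pass"},
    {"id": "TC-04", "verifies": ["SR-09"], "result": "pass"},   # dangling reference
]


def build_matrix(requirements, design_items, test_cases):
    """Return {requirement_id: {"design": [...], "tests": [...], "results": [...]}}.

    References to requirements that do not exist are ignored here and
    reported separately by coverage_gaps(), so the matrix only ever has
    rows for requirements the project actually defined.
    """
    matrix = {req: {"design": [], "tests": [], "results": []} for req in requirements}
    for item in design_items:
        for req in item["covers"]:
            if req in matrix:
                matrix[req]["design"].append(item["id"])
    for test in test_cases:
        for req in test["verifies"]:
            if req in matrix:
                matrix[req]["tests"].append(test["id"])
                matrix[req]["results"].append(test["result"])
    return matrix


def coverage_gaps(requirements, design_items, test_cases):
    """List (artefact_id, problem) pairs an accreditor would raise."""
    matrix = build_matrix(requirements, design_items, test_cases)
    gaps = []
    for req, links in matrix.items():
        if not links["design"]:
            gaps.append((req, "no design item addresses this requirement"))
        if not links["tests"]:
            gaps.append((req, "no test case verifies this requirement"))
        elif any(r != "pass" for r in links["results"]):
            failing = [t for t, r in zip(links["tests"], links["results"]) if r != "pass"]
            gaps.append((req, f"verification not passed: {', '.join(failing)}"))
    for test in test_cases:
        for req in test["verifies"]:
            if req not in requirements:
                gaps.append((test["id"], f"references unknown requirement {req}"))
    return gaps


def ready_for_signoff(requirements, design_items, test_cases):
    """True only when every requirement is designed, tested and passing."""
    return not coverage_gaps(requirements, design_items, test_cases)


if __name__ == "__main__":
    for artefact, problem in coverage_gaps(REQUIREMENTS, DESIGN_ITEMS, TEST_CASES):
        print(f"{artefact}: {problem}")
    print("ready for sign-off:", ready_for_signoff(REQUIREMENTS, DESIGN_ITEMS, TEST_CASES))
```

Run against the constructed data, the check reports SR-02 as failing verification, SR-03 as having neither a design item nor a test, and TC-04 as pointing at an undefined requirement, and therefore refuses sign-off. Running this at every milestone, rather than once at completion, is what turns the matrix from an audit artefact into a control on the project itself.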
4. Communicate with Teams and Stakeholders
During the execution phase, the project team will implement the previously compiled communication plan, ensuring regular, structured updates are delivered to all relevant parties. In line with the plan, specific content—such as project progress, security updates, and key milestones—will be communicated to the appropriate stakeholders at the designated frequency through established channels like meetings, dashboards, or email reports.
Following the communication plan ensures that stakeholders remain engaged and fully informed. Additionally, the escalation lines defined in the planning phase will be activated as needed, allowing for the swift resolution of any issues or risks that arise. This proactive communication strategy reinforces transparency, secures continued support, and helps the project stay on track by ensuring that any challenges are effectively managed.
5. Implement Security Controls
During the execution phase, the focus shifts to putting the gap-closing plan into action. This involves executing the activities identified in the Requirements & Planning Phase to bridge the gap between the current "As-Is" risk state and the desired "To-Be" risk profile. The plan, carefully aligned with the organisation’s risk appetite, compliance requirements, and security objectives, serves as the roadmap for this phase.
The key activities in this phase may include:
Implementing Required Security Controls: The project team will deploy the necessary security controls, processes, and technologies to meet the defined regulatory and security requirements. Each control must be applied in line with the specific technical environment, ensuring that all components are covered appropriately and aligned with the organisation's security posture.
Allocating Resources and Tracking Progress: Ensuring that the correct resources—both technical and human—are in place is critical to successful implementation. The team will track the progress of each task, ensuring that timelines are adhered to, and adjustments are made as necessary.
Adapting to Changes: If any unforeseen issues arise, the team will make adjustments while ensuring that the project remains on course to meet the security and compliance goals. Escalation pathways, defined in the communication plan, will be followed to resolve any blockers or risks that emerge during execution.
By executing these activities effectively, the project team ensures that the system transitions from its current risk state to the desired, compliant security posture, closing gaps and achieving the project's accreditation objectives.
6. Perform Testing of Implemented Controls
After the required security controls have been implemented, comprehensive testing is crucial to ensure that these controls meet the security objectives defined in the Requirements & Planning Phase. The primary goal is to verify that the implemented changes effectively mitigate identified risks, achieve the desired "To-Be" risk profile, and comply with regulatory and organisational security standards.
Key activities during this phase include:
Rigorous Security Testing: The project team will perform a range of tests, including:
· Penetration Testing: simulating real-world attacks against the system to find exploitable weaknesses and to confirm that the implemented controls actually resist them.
· Vulnerability Scanning: scanning the system for known weaknesses, misconfigurations, or unpatched components.
· Other Security Assessments: code reviews, configuration checks against the agreed baseline, and policy audits to confirm that all controls are functioning as intended.
Verification of Risk Profile Alignment: The testing phase will confirm whether the residual risk levels—the risk that remains after controls are implemented—fall within the acceptable thresholds defined by the organisation’s risk appetite. The results will be compared to the As-Is and To-Be risk profiles established in the planning phase to ensure the system has transitioned to a compliant and secure state.
Establishing Key Control Indicators (KCIs): To monitor the effectiveness of security controls over time, Key Control Indicators (KCIs) will be defined, each with a measurable value and an agreed threshold. Typical examples are the percentage of privileged accounts with MFA enforced, the time taken to apply critical patches, or the share of security events that reach the SIEM within the required window. These indicators provide ongoing insight into how well the controls are performing and whether they continue to meet security and compliance objectives.
Validation of Business Continuity: In addition to security functionality, testing will also ensure that the controls support business continuity. This means that the implemented measures should protect the system without causing disruptions to daily operations. Testing should demonstrate that the security controls safeguard the system while allowing for smooth business processes and operational activities.
Documenting and Addressing Remaining Gaps: If any gaps or weaknesses are identified during testing, these will be documented and remediated. Additional mitigation strategies may be implemented to further reduce risk or close any remaining gaps, ensuring the system meets the desired security posture.
Successful testing serves as a final validation that the system’s security controls are robust and fit for purpose. It ensures that the system is prepared for production deployment with all identified risks effectively mitigated, and the target security posture achieved.
Phase 3: Completion
The Completion phase is a critical stage in the cybersecurity accreditation process, involving the final validation and sign-off from various key stakeholders. This phase ensures that all security requirements have been met, the system is ready for production, and all associated risks are fully understood and accepted by the relevant parties. Achieving these signoffs can be complex, as it requires the alignment of multiple stakeholders across technical, business, and security domains.
Key components of this phase include:
1. Complete Final Validation and Evaluation
After the successful testing of implemented security controls, a final round of security evaluations is conducted to ensure that all requirements defined in the Requirements & Planning Phase have been met. This includes verifying that the system’s residual risk profile aligns with the organisation’s risk appetite and that all regulatory and compliance obligations are satisfied. The completion of this step is essential for moving forward to the sign-off stage.
2. Obtain System Owners' Sign-Off
System owners, typically from the ICT management team, are responsible for running the business systems and ensuring the security controls are effectively implemented and maintained. Their sign-off indicates that the system is operationally secure and that the technical aspects of cybersecurity have been adequately addressed. System owners must validate that all security controls are in place, properly functioning, and aligned with the organisation’s technical and operational needs.
3. Business Owners and Data Owners Sign-Off
Once the system owners approve, business owners and data owners must also provide sign-off. Their role is to evaluate and accept the residual risk profile. This means they must be comfortable with the level of risk that remains after all mitigation measures have been applied. Importantly, they also need to assess the impact of the implemented security controls on business operations—ensuring that the system’s security does not impede critical business functions or data availability. These stakeholders are responsible for the broader business impact, and their sign-off signifies that they are confident the system can support business objectives while maintaining an acceptable security posture.
4. Compile Risk Acceptance and Documentation
At this stage, all parties formally acknowledge and accept any remaining risks. The residual risk, the risk that remains after all controls are implemented and tested, must be fully understood by both technical and business stakeholders. Comprehensive documentation of the accreditation process, including security assessments, risk evaluations, and testing results, is prepared and stored for audit purposes. This documentation serves as a critical resource for future reviews, audits, and any required updates to the system.
5. Final Accreditation Sign-Off
The culmination of this phase is the formal sign-off of the cybersecurity accreditation. This signals that the system has met all security objectives, and both the technical and business risks are acceptable. With the signoffs from system owners, business owners, and data owners, the system is now fully accredited and ready for production deployment. This final sign-off provides the confidence that the system is secure, compliant, and aligned with the organisation’s operational needs and risk appetite.
The Completion phase represents the final convergence of technical and business perspectives, ensuring that all security controls are not only implemented but also accepted at an organisational level. By coordinating signoffs from system, business, and data owners, this phase ensures that both the technical integrity and business continuity of the system are secured before moving to full operational status.
Phase 4: Security Posture Improvement
Cybersecurity is not a one-time activity, and achieving accreditation is just the beginning. The Security Posture Improvement phase ensures that the system’s security is not only maintained but continuously enhanced in response to new risks, vulnerabilities, and business needs. This phase is critical for sustaining compliance, adapting to evolving threats, and safeguarding the organisation’s assets over the long term.
Key components of this phase include:
1. Run Continuous Monitoring and Risk Reviews
Maintaining a strong security posture requires ongoing monitoring of the system to ensure that controls continue to function as intended. Regular risk reviews are essential to assess whether the residual risk remains acceptable or if new risks have emerged. These reviews should align with the organisation’s risk appetite and consider any changes in the operating environment, new business processes, or updates to compliance requirements. Continuous monitoring also includes the use of tools like intrusion detection systems (IDS) and security information and event management (SIEM) solutions to detect and respond to threats in real-time.
2. Perform Regular System and Security Updates
To address emerging vulnerabilities and security gaps, systems must be regularly updated. This includes applying patches and upgrades to software, updating security configurations, and revising security controls to address new attack vectors. Keeping up with threat intelligence feeds and industry security advisories allows the organisation to proactively defend against evolving cyber threats. A regular update schedule ensures that the system remains resilient, compliant, and well-protected against both internal and external threats.
3. Conduct Post-Accreditation Audits and Assessments
To ensure ongoing compliance, post-accreditation audits should be conducted periodically. These audits assess whether the system continues to meet the security standards required for accreditation and whether any new risks have developed that could affect the security posture. Internal assessments and third-party audits help verify that the system stays aligned with regulatory and organisational requirements. These reviews also provide an opportunity to identify areas for security enhancements and adjustments.
4. Adapt to Emerging Threats
The cybersecurity landscape is constantly evolving, with new threats emerging regularly. This phase requires the project team to remain agile and proactively adapt security measures to counter these threats. As part of this, threat intelligence is continuously gathered, and emerging trends such as zero-day vulnerabilities, ransomware, or advanced persistent threats (APTs) are evaluated. Security controls may need to be adjusted, or new defences introduced to address these evolving risks, ensuring that the organisation stays ahead of potential attackers.
5. Implement Improvement of Security Controls
As new technologies and best practices evolve, the security controls implemented during the initial accreditation phase may need to be enhanced or optimised. This could involve refining existing controls, integrating new security tools, or adopting updated security frameworks to improve the overall resilience of the system. Continuous improvement initiatives should be driven by lessons learned from incident responses, audit findings, and evolving business needs, ensuring the system remains secure while adapting to changes in the business environment.
6. Regular Stakeholder Reporting
Ongoing security maintenance requires consistent communication with key stakeholders, including system owners, business owners, and data owners. Regular reports should highlight the current security posture, any detected threats, mitigation efforts, and changes to the risk profile. Keeping stakeholders informed ensures continued alignment between security initiatives and business objectives, and provides transparency into the system’s ability to protect critical assets.
7. Conduct Security Awareness Training
Human error remains a significant risk to security. To mitigate this, continuous security awareness training for employees and relevant stakeholders is essential. Training should be updated regularly to reflect new threats, best practices, and compliance requirements. This ensures that personnel remain vigilant and informed, reducing the likelihood of security breaches caused by negligence or ignorance.
The Security Posture Improvement phase is essential for ensuring that the system continues to defend against new and evolving threats while remaining compliant with security standards. Through regular monitoring, updates, audits, and proactive threat management, this phase ensures that the system's security posture is not only maintained but continually strengthened over time, safeguarding the organisation’s assets and maintaining business continuity in the face of ever-changing cyber risks.
In this edition, we explored key phases and considerations for improving the cybersecurity accreditation process, covering essential elements like requirements and planning, risk ownership, security controls implementation, and ongoing security posture maintenance. While the approach outlined provides a structured framework, it’s important to recognise that this is not an exhaustive model, nor are we prescribing its application universally without fully understanding the unique requirements of each organisation or environment.
As always, I would love to hear from our subscribers. Do you believe there are any critical components we may have missed that would be valuable to the broader audience? Your insights and suggestions are highly appreciated, and I look forward to incorporating them into future discussions.
Additionally, if there are any related topics or specific aspects of the cybersecurity accreditation process, you’d like to see explored in greater detail, please feel free to share. I am eager to dive deeper into any areas of interest that could provide further value to our readers.
Helping investors get access to high yield Private Mortgages | Board Advisor | Angel and VC Investor | Volunteer
2 months ago: Valuable insight Boris Petukhov, thank you for posting