The 9P Paradigm: Reinventing Cyber Resilience and Privacy for the Digital Age
The 9P Model™ is Seven Step Consulting’s holistic, human-centered approach to cyber defence and data privacy. It connects executive strategy to operational capability through nine interdependent pillars: People, Policy, Process, Practice, Platform, Partners, Performance, Preparedness and Persistence.
Why the 9P Model™ Matters
The cybersecurity landscape has evolved — and so must our defence models. The 9P Model™ shifts organisations from compliance-only thinking to capability-driven resilience where people, processes and platforms are aligned for continuous learning and recovery.
Firewalls and detection tools remain necessary but insufficient. The 9P Model™ integrates governance, human behaviour, and continuous improvement to build an adaptive defence — one that protects systems, data and trust.
The Nine Pillars
Each pillar forms a loop of defence and improvement — People → Policy → Process → Practice → Platform → Partners → Performance → Preparedness → Persistence → back to People.
People
Tagline: Empower minds before machines — the human firewall redefined.
Definition: Every security strategy begins with people. Focus on awareness, role-based responsibilities, insider threat mitigation and ethical data handling.
Outcome: A human firewall mindset where awareness, accountability and vigilance form a resilient first layer.
Practice
Tagline: Embed security in daily operations, not just audits.
Definition: Practice is rehearsal — regular drills, vulnerability management and PDCA cycles to turn policy into habit.
Outcome: Security as muscle memory and readiness under pressure.
Performance
Tagline: Metrics that matter — track, improve, repeat.
Definition: KPIs, compliance scorecards and dashboards align security work to business outcomes.
Outcome: Visibility and accountability — transforming security into a performance enabler.
Policy
Tagline: Strong governance starts with clear, actionable policies.
Definition: Policies define what ‘secure’ means — setting governance, acceptable use, data classification, and regulatory alignment (ISO, GDPR, DPDP, HIPAA).
Outcome: Clarity replacing confusion; accountability replacing assumption.
Platform
Tagline: Build on trusted technology with security by design.
Definition: Platforms are the digital backbone: SOC, SIEM, CSPM, identity governance and zero trust architectures.
Outcome: Intelligent, adaptive infrastructure that reduces false positives and speeds detection.
Preparedness
Tagline: Plan, test, adapt — readiness for any scenario.
Definition: Crisis management, DR, tabletop exercises and scenario simulations ensure recovery under pressure.
Outcome: Confidence under pressure and minimized downtime costs.
Process
Tagline: Standardize, automate and measure — excellence through flow.
Definition: Processes translate policy into repeatable workflows: risk registers, change management, incident playbooks and BCMS alignment.
Outcome: Consistency, traceability and auditability across the enterprise.
Partners
Tagline: Stronger together — collaboration drives resilience.
Definition: Partner risk management, vendor SLAs, sector collaboration and law-enforcement engagement strengthen the collective shield.
Outcome: Shared accountability and ecosystem-level defense.
Persistence
Tagline: Sustain security through culture and leadership.
Definition: Continuous improvement, lessons learned, and leadership-driven culture embed resilience long-term.
Outcome: Sustained excellence where security becomes organizational DNA.
Integrating the 9P Model™ into Modern Cyber Defence
The 9P Model™ complements and strengthens established frameworks like ISO 27001, ISO 27701, ISO 22301, NIST CSF, SOC 2 and regional privacy regulations (GDPR, DPDP). Map each control domain to corresponding Ps to gain clarity, streamline audits and improve board visibility.
- Map maturity across each P and identify quick wins.
- Automate controls and monitoring using a unified GRC or “Compliance First” approach.
- Use the 9Ps to structure board reporting and executive dashboards.
Applying the 9P Model to Data Privacy
Privacy must be embedded across the 9Ps — from People training on lawful use to Platform controls like encryption and anonymization, and Partners scrutiny for cross-border data transfers.
| Pillar | Privacy Action |
|---|---|
| People | Training on lawful, ethical data use |
| Policy | Data classification, consent and retention rules |
| Process | Privacy by design workflows and DPIAs |
| Practice | Periodic audits, PIA reviews |
| Platform | Encryption, tokenization, identity governance |
| Partners | Processor due diligence and contracts |
| Performance | Privacy KPIs and reporting |
| Preparedness | Breach response and recovery playbooks |
| Persistence | Continuous regulatory watch and adaptation |
How to Implement
- Assess current maturity across the 9Ps.
- Map existing controls (ISO, NIST, SOC 2) to the 9P dimensions.
- Identify quick wins: People training, Policy refresh, Practice simulation.
- Automate and measure via a unified compliance/GRC platform.
- Report to the board quarterly and iterate.
