What ICAT Is
ICAT stands for the Integrated Consulting and Assessment Toolkit. It is the practical framework this site uses to move a physical-security project from a vague concern to a verified result. It covers risk analysis, technology specification, and project delivery in a Canadian context.
Be clear on one point. ICAT is a structured method, not a certification. There is no exam, no badge, and no governing body behind it. It organizes work that good security practitioners already do, so the steps are repeatable and the decisions are traceable.
The Four Phases
ICAT runs in four phases. They are ordered, but real projects loop back as new facts surface.
Consult and Define
The first phase sets scope. You meet the people who own the risk, the site, and the budget. You define what the project is meant to protect, the constraints that apply, and what success looks like. Outputs include a scope statement, a stakeholder list, and a record of operational and regulatory constraints. Skipping this phase is the most common reason projects drift.
Assess Risk
The second phase identifies assets, threats, and vulnerabilities, then rates risk by likelihood and impact. This is where Crime Prevention Through Environmental Design (CPTED) principles enter, alongside a structured risk register. The risk and threat assessment article covers this phase in detail.
Specify Technology
The third phase turns risk findings into requirements. You write a performance-based specification that states what the system must do, references the standards that apply, and sets acceptance criteria. Products are named only as a basis of design, never as the whole answer. The technology specification article covers this phase.
Deliver and Verify
The fourth phase is procurement, installation oversight, commissioning, and verification against the criteria written in phase three. Verification is the part most often cut for time. It is also the part that proves the money was well spent. Outputs include test records, as-built documentation, and a handover package.
Who It Serves
ICAT is meant for the people who carry the project: facility and security managers, independent consultants, architects coordinating security scope, and public-sector teams that must show due diligence. It also helps owners who are not security specialists ask better questions of their vendors.
How It Maps to Recognized Practice
ICAT does not replace established standards. It borrows their structure and applies it to physical security.
The phase order mirrors ISO 31000, the international risk-management standard, which frames risk work as establishing context, then assessment, then treatment, then monitoring and review. ICAT’s Consult and Define phase maps to context. Assess Risk maps to assessment. The last two phases, Specify Technology and Deliver and Verify, map to treatment, monitoring, and review.
The Assess Risk phase draws on NIST SP 800-30 for the mechanics of threat, vulnerability, likelihood, and impact analysis. Although SP 800-30 is written for information systems, its method transfers cleanly to physical risk.
For Canadian projects, the Canadian Centre for Cyber Security publishes guidance worth consulting where physical and cyber security overlap, such as protecting access-control systems and networked cameras.
Using the Framework
Run the phases in order on a first pass. Keep a single living document per phase so decisions stay traceable. When a later phase exposes a gap, return to the earlier one and update it rather than patching forward. The value of ICAT is the paper trail it leaves, which lets you defend a recommendation and revisit it when the site, the threat, or the budget changes.
Last updated 2026-06-14.