- SCF Bundles are ComplianceForge's premium GRC content tier, built around the Security, Compliance & Resilience Program (SCRP) and the Secure Controls Framework (SCF).
- Two bundles available: SCF Bundle 1 (SCRP + CSOP) and SCF Bundle 2 (the Robust Documentation Solution with 13 products).
- SCF Bundle 1 is 25% off ($12,600). SCF Bundle 2 is 45% off ($29,000) and is the most comprehensive single purchase available.
- Both bundles are GRC-importable into platforms like ZenGRC, Archer, MetricStream, and Onspring.
- SCF Bundles are the natural choice for organizations with multiple compliance obligations (HIPAA + PCI DSS + state laws + CMMC, etc.) rather than a single framework.
Premium GRC Content Through The SCF
ComplianceForge is an SCF Licensed Content Provider (LCP) for the Secure Controls Framework (SCF), which allows us to provide policies, standards & procedures based on the 1,400+ controls listed within the SCF! The benefit ComplianceForge brings to operationalizing the SCF is (1) decreased cost and (2) increased speed of adoption. ComplianceForge's SCF-based policies, standards and procedures can save an organization a significant amount of money from the labor-related costs to research, write and refine cybersecurity documentation. ComplianceForge's SCF-based documentation can also be obtained the same day you purchase it, so the time savings is immense.
The Security, Compliance & Resilience Program (SCRP), formerly the Digital Security Program (DSP), is a product we developed for companies that need to comply with multiple requirements, but do not want to be locked into documentation that is formatted to conform with the taxonomy of ISO 27002 or NIST 800-53. Essentially, the SCRP is a "best in class" approach to security documentation.

Mapped To Over 200 Leading Cybersecurity & Data Privacy Laws, Regulations & Frameworks!
Leveraging the Secure Controls Framework (SCF), the SCRP maps over 200 cybersecurity and data privacy laws, regulations and frameworks! This includes the most common statutory, regulatory and contractual requirements that are expected from a cybersecurity & data protection program. The SCRP provides the necessary policies, control objectives, standards, guidelines and metrics to operationalize the SCF for your organization!

Holistic Approach To Cybersecurity & Privacy With The SCF
The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance - we know that if you build in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally. It is comprised of thirty-four (34) domains that cover the high-level topics that are expected to be addressed by cybersecurity and privacy-related statutory, regulatory and contractual obligations.
These bundles can help you operationalize your cybersecurity and privacy programs by efficiently mapping to over 200 statutory, regulatory and contractual frameworks. This will allow your cyber and privacy teams to speak the same language and more efficiently manage risks.

Understanding "How To GRC" With The SCRP & SCF
The structure of the Security, Compliance & Resilience Program (SCRP) is scalable, making it easy to add or remove policy sections as your business needs change. The same concept applies to standards – you can simply add/remove content to meet your specific needs. The SCRP addresses the “why?” and “what?” questions, since policies and standards form the foundation for your cybersecurity program. The two documents shown below are well worth the time to make a pot of coffee and read through, since you will be able to understand both the structure of the documentation and how you can customize it for your specific needs.

The SCRP is our recommended solution if you are currently using or plan to use a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) solution. The SCRP is ready to import into your GRC/IRM instance, since it comes in both Microsoft Word and Excel formats. This makes the import from Excel straightforward and allows you to then do any customization and collaboration directly from your GRC portal.
The SCRP is footnoted to provide authoritative references for the statutory, regulatory and contractual requirements that need to be addressed. Just as Human Resources publishes an “employee handbook” to let employees know what is expected of them from an HR perspective, the SCRP does this from a cybersecurity perspective.
Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use the SCRP! While the SCRP does come in Microsoft Word like the CDPP, the included Excel version of the SCRP comes with the following content so it is easy to import into a GRC/IRM solution:

- Policy statements
- Policy intent
- Control objectives
- Standards
- Guidance
- Controls (Secure Controls Framework)
- Secure, Compliant & Resilient Capability Maturity Model (SCR-CMM) criteria
- Secure, Compliant & Resilient Risk Management Model (SCR-RMM) risk & threat catalogs
- Metrics - including suggested Key Performance Indicators (KPIs) & Key Risk Indicators (KRIs)
- Indicators of Compromise (IoC)
- Indicators of Exposure (IoE)
- Target Audience Applicability
- Scoping - Basic or Enhanced Requirement
- Recommended roles / teams with responsibility for each standard (NIST NICE Cybersecurity Workforce Framework-based roles & responsibilities).
Available SCF Bundles
Two bundles in the premium GRC content tier. Bundle 1 is the core SCRP + CSOP combination. Bundle 2 is the comprehensive Robust Documentation Solution.


Comprehensive Coverage
Give us a call or send us an email - we are happy to help you find the right solution for your needs!
There are a lot of choices to pick from when selecting a cybersecurity framework. If you are not sure what works best for you, you can read more here. The most common frameworks are NIST 800-53, ISO 27002, the NIST Cybersecurity Framework and the Secure Controls Framework (SCF). To do NIST CSF, ISO 27002 or NIST SP 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to comply with NIST CSF vs ISO 27002 vs NIST SP 800-53, since there are significantly different levels of expectation.
It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:
- Not be considered negligent with reasonable expectations for cybersecurity & data protection;
- Comply with applicable laws, regulations and contractual obligations; and
- Implement the proper controls to secure your systems, applications and processes from reasonable threats, based on your specific business case and industry practices.
This understanding makes it easy to determine where on the "framework spectrum" (shown above) you need to focus for selecting a set of cybersecurity principles to follow. This process generally leads to selecting the NIST Cybersecurity Framework, ISO 27002, NIST SP 800-53 or SCF as a starting point.
