Every company needs cybersecurity policies, standards and procedures to be secure and compliant. Our cybersecurity documentation bundles can save you hundreds of hours and tens of thousands of dollars! Instead of waiting months, you can have your documentation in as little as a business day! We now offer NIST SP 800-53 R5 policies, standards and procedures! We also offer policies, standards and procedures that can enable a company to align with NIST Cybersecurity Framework, ISO 27001/27002, NIST 800-171 / CMMC, NIST 800-53 and the Secure Controls Framework (SCF). These bundles are centered around our Cybersecurity & Data Protection Program (CDPP), but we do offer bundles for our Digital Security Program (DSP) for organizations that need to align with multiple frameworks.
Is The NIST Cybersecurity Framework (NIST CSF) The Best Framework For My Needs?
It depends. NIST CSF 2.0 is essentially a subset of NIST 800-53, but it does have coverage for many controls found in ISO 27001 / 27002. While NIST CSF 2.0 incorporates parts of ISO 27001 / 27002 and parts of NIST 800-53, it is not inclusive of both - this is what makes NIST CSF a common choice for smaller companies that need a set of "industry-recognized secure practices" to align with.
NIST CSF is a good choice for organizations that "fly under the radar" where they do not have obligations for cybersecurity from a law, regulation or contract. They just want to align with an industry-recognized secure practice.
NIST CSF can be used to demonstrate compliance with the HIPAA Security Rule and some levels of PCI DSS compliance.
Is ISO 27001 or ISO 27002 The Best Framework For My Needs?
It depends. ISO 27001 / 27002 are more common internationally than within the United States. ISO 27001 / 27002 is essentially a subset of the content that can be found in NIST 800-53 R5. Organizations can get certified against ISO 27001, where they use the controls found in ISO 27002 to establish what makes up the organization's Information Security Management System (ISMS).
ISO 27001 / 27002 is solid middle ground in the "cybersecurity framework spectrum" where it is flexible to address a wide range of cybersecurity requirements.
ISO 27001 / 27002 is not a good choice for compliance with NIST 800-171 / Cybersecurity Maturity Model Certification (CMMC) or where contracts "speak NIST 800-53" since it just adds complexities that can be avoided.
Is NIST 800-53 The Best Framework For My Needs?
If you are contracting with the US Government (Federal or state-level), then it might be a great choice to simplify compliance needs since you can "speak NIST 800-53" to address contract requirements. However, if you do not have to adopt NIST 800-53, there are better choices available for robust coverage.
NIST 800-53 is generally what other frameworks point to as a "master control set" but it is also very difficult to implement.
Unless you specifically need to implement NIST 800-53 as part of a contract, there are better options.
Is NIST 800-171 The Best Framework For My Needs?
If you have to comply with NIST 800-171 and/or earn Cybersecurity Maturity Model Certification (CMMC), then you have to implement NIST 800-171 controls. The Controlled Unclassified Information (CUI) controls that make up NIST 800-171 requirements are based on the moderate baseline from NIST 800-53.
NIST 800-171 is non-negotiable if you store/process/transmit Controlled Unclassified Information (CUI).
You can demonstrate compliance with NIST 800-171 in a few ways, so it depends on your other compliance needs. Often, companies have more than just NIST 800-171/CMMC that they have to comply with.
Is The Secure Controls Framework (SCF) The Best Framework For My Needs?
It depends. If you have to comply with more than 2-3 cybersecurity laws, regulations and/or frameworks, then the SCF is an excellent option. However, if you only have 1-2 compliance needs, the SCF might be overkill, especially for smaller teams.
The SCF is a free metaframework (framework of frameworks) that covers 33 domains and over 100 cybersecurity laws, regulations and frameworks.
The SCF can scale to meet the needs of any organization, so it has unrivaled flexibility.
How Does Being Secure & Compliant Start With Framework Alignment?
Security, compliance & resiliency start with strong fundamentals. Picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, this should be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to comply. This understanding makes it pretty easy to determine where on the "compliance spectrum" you need to focus for selecting a set of cybersecurity principles to follow, which generally involves NIST Cybersecurity Framework, ISO 27002 or NIST 800-53 as a starting point. A key consideration for picking a cybersecurity framework comes down to the level of content the framework offers, since this governs what you can natively comply with without having to bolt on content to make it work. We currently offer framework-aligned bundles for the three most common "flavors" of cybersecurity frameworks:
As visualized in the graphic below, the core of our solutions is based on policies, standards and procedures. From there, we have program-level solutions to address (1) risk management, (2) vulnerability management, (3) incident response & crisis management, (4) supply chain risk management and (5) privacy & secure engineering. Our bundles offer savings of up to 45% and can provide near-turnkey documentation solutions for your organization. If you have a unique need, please contact us since we might be able to work with you on your request.
To better understand how ComplianceForge products fit into your compliance needs, you can see what various frameworks expect there to be from a documentation perspective. This further supports the spectrum chart depicted above.
If you need help deciding which framework best fits your needs, you can contact us or read through this FAQ section that helps address this common question. If you do not want to be locked into a single framework, you should take a look at the Digital Security Program (DSP), since that is a hybrid approach that is designed for organizations that must address multiple statutory, regulatory and contractual requirements that a single framework might not be able to support.
Procedures Operationalize Policies & Standards - This Is A Key Concept To Being Both Secure & Audit-Ready
We leverage the Operationalizing Cybersecurity Planning Model in creating a practical view towards implementing cybersecurity requirements. Organizations are often not at a loss for a set of policies, but executing those requirements often falls short for several reasons. Standardized Operating Procedures (SOPs) are where the rubber meets the road for Individual Contributors (ICs), since these key players need to know (1) how they fit into day-to-day operations, (2) what their priorities are and (3) what is expected from them in their duties. When looking at it from an auditability perspective, the evidence of due diligence and due care should match what the organization's cybersecurity business plan is attempting to achieve.
One of the most important things to keep in mind with procedures is that their "ownership" is different from that of policies and standards:
Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.).
Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations.
Procedures are by their very nature de-centralized, where control implementation at the team-level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).
Given this approach to how documentation is structured, based on "ownership" of the documentation components:
Policies, standards and controls are expected to be published for anyone within the organization to have access to, since it applies organization-wide. This may be centrally-managed by a GRC/IRM platform or published as a PDF on a file share, since they are relatively static with infrequent changes.
Procedures are "living documents" that require frequent updates based on changes to technologies and staffing. Procedures are often documented in "team share" repositories, such as a wiki, SharePoint page, workflow management tool, etc.
The central focus of any procedures should be a Capability Maturity Model (CMM) target that provides quantifiable expectations for People, Processes and Technologies (PPT), since this helps prevent a “moving target” by establishing an attainable expectation for “what right looks like” in terms of PPT. Generally, cybersecurity business plans take a phased, multi-year approach to meet these CMM-based cybersecurity objectives. Those objectives, in conjunction with the business plan, demonstrate evidence of due diligence on behalf of the CISO and his/her leadership team. The objectives prioritize the organization’s service catalog through influencing procedures at the IC-level for how PPT are implemented at the tactical level. SOPs not only direct the workflow of staff personnel, but the output from those procedures provides evidence of due care.
The diagram below helps show the critical nature of documented cybersecurity procedures in keeping an organization both secure and compliant:
Cybersecurity & Data Protection Program (CDPP) Bundle #1A - NIST CSF 2.0 (20% discount)
This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing the NIST Cybersecurity...
ComplianceForge ISO 27001 & 27002 Compliance Documentation Templates
Cybersecurity & Data Protection Program (CDPP) Bundle #1B - ISO 27002:2022 (20% discount)
This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing NIST SP 800-53 R5...
Cybersecurity & Data Protection Program (CDPP) Bundle #1C - NIST SP 800-53 R5 Low & Moderate Baselines (20% discount)
This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing...
Cybersecurity & Data Protection Program (CDPP) Bundle #1D - NIST SP 800-53 R5 Low, Moderate & High Baselines (20% discount)
This is a bundle that includes the following two (2) ComplianceForge products that are focused on...
Cybersecurity & Data Protection Program (CDPP) Bundle #2 (30% discount)
Is your organization looking for enterprise-class NIST Cybersecurity Framework policy, standard & procedure documentation? This is a bundle that includes the following ten...
Cybersecurity & Data Protection Program (CDPP) Bundle #3 ISO 27002:2022 (35% discount)
Is your organization looking for ISO cybersecurity documentation? This is a bundle that includes the following eleven (11) ComplianceForge...
Cybersecurity & Data Protection Program (CDPP) Bundle #4a (40% discount)
Is your organization looking for NIST cybersecurity documentation? This is a bundle that includes the following fourteen (14) ComplianceForge products that are focused on...
Cybersecurity & Data Protection Program (CDPP) Bundle #4b - Low, Moderate & High Baselines (40% discount)
This is a bundle that includes the following fourteen (14) ComplianceForge products that are focused on operationalizing NIST SP...