When you look at your company’s existing documentation, is it old enough to:
For companies that have been around for decades that lack strong governance practices, it is possible some of its core cybersecurity documentation is stagnant. When you compare the past 10 years with the previous 10 years, the volume of change in cybersecurity-related laws, regulations and frameworks is staggering. Depending on the industry, this means businesses are no just reviewing but entirely revamping policies, standards and procedures every few years to keep current with the changes.
ComplianceForge sells editable documentation templates that are affordable and designed to meet the needs of businesses like yours. These templates are professionally written and are a small fraction of the cost compared to hiring a consultant or dedicated existing employees to write similar documentation. Each product page has an examples section so you can see the level of quality for yourself.
|
In the context of good IT security documentation, key components are hierarchical and build on each other to build a strong governance structure that utilizes an integrated approach to managing requirements. Well-designed IT security documentation is generally comprised of six (6) main parts:
|
 |
The foundation for an organization's cybersecurity and privacy program is its policies and standards. These components form the alignment with leading practices to help ensure applicable statutory, regulatory and contractual requirements for cybersecurity and data protection are adequately addressed. From these policies and standards, procedures and other program-level guidance provide the specific details of how these policies and standards are implemented. With our cybersecurity framework-specific solutions, you can demonstrate compliance with nearly any legal and/or regulatory requirement for cybersecurity and data protection.
The most common frameworks to align an organization's cybersecurity program documentation with are:
Do you need to align with one of these common cybersecurity frameworks? The answer depends on your specific compliance requirements. You may have a contractual obligation to align with a certain framework or you may have compliance obligations that do not specify a framework, as long as the requirements are met. If you are unsure, speak with your legal, procurement, IT and privacy specialists to see if there is statutory, regulatory and/or contractual obligation to align with a specific cybersecurity framework.
|
|
Effective cybersecurity and data protection is a team effort involving the participation and support of every user that interacts with your company’s data and/or systems, it is a necessity for your company’s cybersecurity & data protection requirements to be made available to all users in a format that they can understand. That means your company must publish those requirements in some manner, generally in either PDF format or published to an internal source (e.g., wiki, SharePoint, Jira, GRC, etc.). Our goal is to make that process as efficient, cost-effective and scalable, as possible. Since words have meanings, it is important to provide examples from industry-recognized sources for the proper use of these terms that make up cybersecurity & privacy documentation. Simply because you have heard a term used in one manner for the last decade, it does not mean that is correct. That is why we wrote the following guide to help explain how cybersecurity and data protection documentation is meant to be developed, based on authoritative definitions of the components that make up documentation (e.g., policies, standards, procedures, controls, etc.). As a "rule of thumb" to understand how documentation ages, if your cybersecurity policies, standards and procedures are old enough to start kindergarten (4-5 years old) then it is time to perform a thorough refresh / update cycle. Cybersecurity and privacy are evolving fields and your documentation needs to be current to address these new requirements and threats. |
|
The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organiation must comply with will most often point you to one of four (4) starting points to kick off the discussion about "Which framework is most appropriate for our needs?":
|
 |
 |
While policies, standards and procedures form the foundation of any cybersecurity and data protection program, there are many other components that build off of those documents:
|
Give us a call or send us an email - we are happy to help you find the right solution for your needs!
There are a lot of choices to pick from when selecting a cybersecurity framework. If you are not sure what works best for you, you can read more here. The most common frameworks are NIST 800-53, ISO 27002, the NIST Cybersecurity Framework and the Secure Controls Framework (SCF). To do NIST CSF, ISO 27002 or NIST SP 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to comply with NIST CSF vs ISO 27002 vs NIST SP 800-53, since there are significantly different levels of expectation.
It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:
This understanding makes it easy to determine where on the "framework spectrum" (shown above) you need to focus for selecting a set of cybersecurity principles to follow. This process generally leads to selecting the NIST Cybersecurity Framework, ISO 27002, NIST SP 800-53 or SCF as a starting point.
Secure Controls Framework (SCF)
Secure Controls Framework (SCF) "Premium Content" - Editable Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video When you click the image or the link below, it will direct you to a different page on...
ComplianceForge NIST Cybersecurity Framework Compliance Documentation Templates
NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) Policy Template - Editable Policies & Standards Product Walkthrough Video When you click the image or the link below, it will direct you to a different page on our website that contains a short...
ComplianceForge ISO 27001 & 27002 Compliance Documentation Templates
ISO 27001 & 27002 Policy Template UPDATED FOR ISO 27001:2022 & 27002:2022 Product Walkthrough Video When you click the image or the link below, it will direct you to a different page on our website that contains a short...
ComplianceForge NIST 800-53 Compliance Documentation Templates
NIST 800-53 Rev5 Policy Template LOW & MODERATE BASELINE Product Walkthrough Video When you click the image or the link below, it will direct you to a different page on our website that contains a short product walkthrough video...
ComplianceForge NIST 800-53 Compliance Documentation Templates
NIST SP 800-53 Rev5 Policy Template LOW, MODERATE & HIGH BASELINE Product Walkthrough Video When you click the image or the link below, it will direct you to a different page on our website that contains a short product walkthrough...
Secure Controls Framework (SCF)
Secure Controls Framework (SCF) CORE Fundamentals - Policies & Standards The Secure Controls Framework (SCF) created the Cybersecurity Oversight, Resilience and Enablement (CORE) initiative as a means to help an organization tailor cybersecurity...
