Information Assurance Program (IAP)
$ 4,235.00 USD
The IAP is focused on pre-production testing and based on established processes used by the US Government (e.g., FISMA, DIACAP, DIARMF) to validate the existence and functionality of controls, prior to a system, application or service going into production. It is not only the right thing to do from a security and privacy perspective, but it is serious job security.
Product Category:
Data Protection (Privacy) & Secure Engineering
SKU:
P17-IAP
Availability:
Email Delivery Within 1-2 Business Days
ComplianceForge documentation is written to follow industry-recognized secure practices, but you are still expected to tailor the documentation to suit your organization's specific security, compliance & resilience requirements. By providing your company name and your logo (your logo is optional), we tailor the documentation to include this information.
How Do I Request A Quote?
To request a quote, select the "Request a Quote" button beside the "Add To Cart" button. This will direct you to a page where you can request a custom quote.
Can I Pay By Invoice?
Yes. To pay by invoice, add the product to your cart, go through the checkout process, and fill out your billing information. Once you get to the payment method, select "Offline Payment via Invoice / Purchase Order (PO)" and then select "Place Order."
Can I Pay By Wire / ACH?
Yes. To pay by Wire / ACH, you can request an invoice by following the instructions above. Once you have the invoice, it will contain the necessary info for you to finalize payment by Wire / ACH.
Information Assurance Program (IAP)
  • Cybersecurity & privacy-focused to implement a program-level pre-production control validation function.
  • Holistic approach to validating cybersecurity & privacy controls at specific points in the SDLC.
  • Supports evolving requirements for Secure System Development Practices (SSDP).
  • Immense time & cost savings: enables subject matter experts to implement SSDP in SDLC processes.
Product Overview

Don't Write It From Scratch.

Before a new system, application, or service goes live, can you prove its security and privacy controls were actually validated, not just assumed? Skipping pre-production control validation is how insecure systems reach production and how "security" ends up bolted on at the end as a roadblock. Standing up that assurance process from a blank page takes expertise most teams do not have in-house. The Information Assurance Program (IAP) gives you a running start: an editable, program-level control-validation framework that adapts government-grade Certification & Accreditation and Security Testing & Evaluation practices into your existing SDLC/PDLC, with customized Minimum Security Requirements defined per project. It gets you roughly 80 to 90 percent of the way there, then your team tailors it to your development lifecycle and tooling.

Is your organization looking for a cybersecurity assurance program? ComplianceForge's Information Assurance Program (IAP) is focused on pre-production testing and based on established processes used by the US Government (e.g., FISMA, DIACAP, DIARMF) to validate the existence and functionality of controls, prior to a system, application or service going into production. In US Government language, this is commonly referred to as Certification & Accreditation (CA) or Security Testing & Evaluation (ST&E). We "civilianized" this concept of CA/ST&E to create a method to enable cybersecurity and privacy personnel to work with your organization's existing System Development Life Cycle (SDLC) / Project Development Life Cycle (PDLC) to ensure privacy and cybersecurity principles are designed and built-into your systems, applications and services!

The end state with control validation testing is:

  • Removal of "security roadblocks" by embedding cybersecurity and privacy into the SDLC/PDLC from project kick-off through the "go live" date.
  • Having evidence of both cybersecurity and privacy principles being identified and implemented by design (e.g., EU GDPR compliance).
  • Utilizing a customized control set that defines Minimum Security Requirements (MSR) specific to the project undergoing review.
  • A data-centric view across systems, applications, services and third parties that enables situational awareness of both cybersecurity and privacy risks.
  • A Project Risk Register (PRR) that tracks risks and the associated remediation actions (e.g., Plan of Action & Milestones (POA&M)).
  • A formal method of obtaining stakeholder accountability for residual risk.
Product Details

What Is The IAP?

The IAP is editable Microsoft Word and Excel documentation that gives an organization the program-level guidance and project-level templates to perform pre-production security and privacy testing. Where most cybersecurity documentation describes what controls should exist, the IAP describes how to test and validate that controls actually work before a system goes into production. This makes the IAP the operational bridge between architecture review and production cutover.

As a CISO or CPO, performing IAP is not only the right thing to do from a security and privacy perspective, but it is serious job security. When things go bad and fingers get pointed, do you have a "get out of jail free card" that you can use? If not, keep reading.

A CISO or CPO should never make the decision to "sign off" and own risk, since it is ultimately a business decision: the director/VP of the business unit should be accepting the risk for the projects, services and vendors needed to operate. It is the responsibility of the CISO and CPO to have a data-centric view of risk from the application, system, service and supply chain perspective. With this understanding of the risks, the CISO and CPO need to educate the business process owners on whether minimum security requirements are met and whether the risk falls within the organization's risk appetite. This is where the CRO role defines what is acceptable risk and works with the business units to get them to make the correct GO/NO GO decision. If they do choose to do something outside of the risk appetite, the CRO/CISO/CPO has evidence to demonstrate due care in their analysis. Much of this requires a mature pre-production control validation testing process, which is absent in many organizations beyond a rudimentary security gate for change control.

The following are common statutory, regulatory and contractual requirements that expect "pre-production testing" or "information assurance" activities to be performed:

  • ISO 27002 – 14.2.8
  • European Union General Data Protection Regulation (EU GDPR) – Article 25
  • NIST 800-171 – 3.12.1, 3.12.3 & Non-Federal Organization (NFO)
  • NIST Cybersecurity Framework – PR.IP-2, PR.IP-5 & DE.DP-3
  • Federal Risk and Authorization Management Program (FedRAMP) – Security Assessment & Authorization (CA) controls
  • AICPA Trust Services Principles (TSP) SOC2 – CC7.4
  • Center for Internet Security Critical Security Controls (CIS CSC) – 18.2, 18.4 & 18.8
  • Cloud Security Alliance Cloud Controls Matrix (CSA CCM) – CCC-03
  • Cloud Computing Compliance Controls Catalogue (C5) – BEI-02
  • Monetary Authority of Singapore Technology Risk Management (MAS TRM) Guidelines – 6.0.1, 6.2.2, 6.2.3, 6.2.4, 6.3.4, 6.4.2, 6.4.3, 6.4.4, A.1.1 & A.1.2
  • European Union Agency for Network and Information Security (ENISA) Technical Guideline of Security Measures – SO23
  • National Industrial Security Program Operating Manual (NISPOM) – 8-610 & 8-302
  • Criminal Justice Information Services (CJIS) Security Policy – 5.10.4.1, 5.11.1.1, 5.11.1.2, 5.11.2 & 5.13.4.1
  • Massachusetts MA 201 CMR 17.00 – 17.03(2)(d)(B)(i) & 17.03(2)(h)
  • New York Department of Financial Services (23 NYCRR 500) – 500.02
  • Oregon Consumer Identity Theft Protection Act (OCITPA) – 622(2)(B)(i)-(iv)
  • Underwriters Laboratories (UL) 2900-1 – Section 12
  • Payment Card Industry Data Security Standard (PCI DSS) – Requirement 6
  • Motion Picture Association of America (MPAA) Content Security Program – MS-2.0
How It's Delivered

No Software To Install

The IAP is a one-time purchase of editable Microsoft Word and Excel documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If the organization can open and edit Microsoft Word and Excel files, the IAP is ready to use.

Microsoft Word & Excel

Delivered as fully editable .docx and .xlsx files. Compatible with Word and Excel 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Docs/Sheets. The IAP includes built-in styles, tables, and framework mappings that are ready for customization.

Email Delivery

Documentation is delivered via email download link within 1-2 business days of purchase, often the same business day. There is no installer, no license server, and no activation step.

One-Time Purchase

A single-entity license is included with purchase. There is no recurring subscription requirement, although an optional update subscription is available to stay current as frameworks and leading practices evolve.

This deployment model is intentional. Pre-production testing documentation belongs in the organization's own hands, inside its own version control and project management systems, rather than locked inside a vendor's SaaS tool. Once delivered, this product belongs to the buyer.

The Problem

What Problems Does The IAP Solve?

Lack of In House Security Experience

Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The IAP is an efficient method to obtain comprehensive system hardening documentation.

Compliance Requirements

There are numerous requirements (several listed at the top of this page) that require pre-production security testing to be performed and documented. The IAP is designed with compliance in mind, since it focuses on leading "best practices" for verifying that the reasonably-expected cybersecurity and privacy requirements for systems, applications and services exist and function as intended.

Audit Failures

A lack of documented pre-production security testing is a common audit failure. The IAP covers traditional SDLC/PDLC models that include Agile, Waterfall and other approaches to project management. It is designed to integrate with your existing processes to bake in cybersecurity and privacy principles.

Vendor Requirements

It is getting more common for clients and partners to request evidence of secure processes, including SDLC/PDLC security and privacy efforts. The IAP provides this evidence!

The Solution

How Does The IAP Solve These Problems?

Clear Documentation

The IAP provides comprehensive cybersecurity and privacy pre-production testing to prove that your security is more than just a set of policies and standards.

Time Savings

The IAP can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.

Alignment With Leading Practices

The IAP is written to align your organization with leading practices for secure engineering processes.

What You Get

What Is Included?

The IAP comes with everything you need to stand up a process to do pre-production security & privacy testing:

  • Core Word document that is the program-level guidance on the Information Assurance Program (IAP) at your organization;
  • Editable Excel spreadsheets that contain mappings to leading practices and other helpful charts to clarify requirements;
  • Security & Privacy Test Plan (SPTP) template to document the plan to perform IAP for a specific project;
  • Security & Privacy Plan (SPP) is essentially a traditional System Security Plan (SSP) with privacy added into it;
  • Project Risk Register (PRR) template to document risks and remediation actions; and
  • Security & Privacy Assessment Report (SPAR) template to write up the overall risk report for the project.

Your ROI

Cost Savings Estimate

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the IAP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

Internal Staff Cost

For your internal staff to generate comparable documentation, it would take them an estimated 20 internal staff work hours, which equates to a cost of approximately $29,500 in staff-related expenses. This is about 3 to 6 months of development time, and it assumes the organization has staff with prior IA/ST&E experience capable of developing this documentation.

The IAP is approximately 18% of the cost for your internal staff to generate equivalent documentation.

External Consultant Cost

If you hire a consultant to generate this documentation, it would take them an estimated 150 contractor work hours, which equates to a cost of approximately $44,500. This is about 2 to 3 months of development time for a contractor to provide you with the deliverable.

The IAP is approximately 9% of the cost for an external consultant to generate equivalent documentation.

See It First

Product Examples

The IAP is based on leading security engineering practices, including NIST 800-160 and NIST 800-37. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs. Please review the examples below to see for yourself!

Coverage spans the program-level guidance and the project-level templates needed to operationalize pre-production security and privacy testing, regardless of whether the organization's primary framework is NIST, ISO, SCF, or another framework.

Policies & Standards

Below is a PDF example containing a sample of the policies & standards you would receive upon purchasing the IAP.

Mappings

Below is a PDF example containing a list of the mappings applicable to the IAP.

Your Effort

How Much Customization Remains?

Given the difficult nature of writing templated pre-production testing documentation, ComplianceForge aims for approximately an 80% solution because it is impossible to write a 100% cookie-cutter document that can be equally applied across every organization. Pre-production testing depends on the specific SDLC/PDLC, the technology stack, the regulatory environment, and the existing project management practices, so the remaining work is fine-tuning the IAP with the specific information that only the organization knows.

In practice, customization is filling in the blanks and following the guidance provided to identify the who, what, when, where, why, and how for the specific organization. Typical customization tasks include adding the company name and logo, naming actual role owners (cybersecurity, privacy, engineering, project management), tailoring the CA/ST&E lifecycle to integrate with the existing SDLC/PDLC, calibrating the SPTP and SPP templates to the typical system architecture, and integrating the PRR with existing risk management workflows.

Need A Hand?

Professional Services

ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:

We offer the following professional service bundles:

5-Hour Bundle

This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.

10-Hour Bundle

This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.

20-Hour Bundle

This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.

Important Details About Professional Services

Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.

IAP Controls

What Controls Does the IAP Rely On?

The IAP is flexible about which control set you use for IAP testing. If you do not have a control set to use "out of the box", the IAP supports the Secure Controls Framework (SCF). If you are not familiar with the SCF, it is a robust set of cybersecurity and privacy controls that maps to over 100 statutory, regulatory and contractual frameworks, so it is a great, free tool for businesses to use! The IAP comes with instructions on paring down the SCF to define just the right "level of effort" for the control set, based on the pertinent compliance needs and risk appetite of your organization.

Testimonials

What Are Some Of Our Testimonials?

Excellent Starting Point
ComplianceForge's SCF-based policy documentation offers consolidated coverage of security and privacy controls requirements in a single, cohesive package. Because it's built on the Secure Controls Framework, a metaframework that tracks security and privacy standards globally and releases quarterly updates, it gives organizations confidence that their documentation stays current as requirements evolve. For any organization standing up a security and privacy program from scratch, it provides an excellent starting point.
Would You Like To Share Your Experiences?
If you are satisfied with your product and would like to leave a review, please fill out our testimonial form and share your experiences with our documentation! We enjoy hearing from satisfied customers, and we are always open to constructive feedback so that we can continue improving our products.