- Policies and standards form the foundation of every cybersecurity program. Without them, there is nothing for procedures to operationalize and nothing for auditors to evaluate against.
- ComplianceForge offers framework-specific CDPP products (NIST CSF, ISO 27001/27002, NIST 800-53 R5 Moderate/High) and the SCRP metaframework for organizations with multi-framework obligations.
- If you have a single primary framework, pick the matching CDPP. If you have many compliance obligations, pick the SCRP.
- Every product in this category is delivered as editable Microsoft Word and Excel documents with footnoted source references.
- Policy and standard products pair with a matching CSOP (procedures) for complete documentation coverage.
Policies, Standards & Control Objectives
Policies are the governing directives of a cybersecurity program. Standards operationalize those policies with specific, measurable requirements. Together they form the foundational layer that procedures build on.
The most common frameworks to align an organization's cybersecurity program documentation with are:
- NIST Cybersecurity Framework 2.0 (NIST CSF 2.0)
- ISO 27001:2022 & ISO 27002:2022
- NIST SP 800-53 R5 (low, moderate, high and privacy baselines)
- NIST SP 800-171 R2 and NIST 800-171 R3 (CMMC Levels 1-3)
- Secure Controls Framework (SCF)
If you are unsure which framework is best for your needs, we have a free guide that can help. You can also give us a call or email us to discuss your specific needs, since we are here to help!
For IT Security Policies, Standards & Procedures Documentation, What Do Right Looks Like?
In the context of good IT security documentation, key components are hierarchical and build on each other to build a strong governance structure that utilizes an integrated approach to managing requirements. Well-designed IT security documentation is generally comprised of six (6) main parts:
The foundation for an organization's cybersecurity and privacy program is its policies and standards. These components form the alignment with leading practices to help ensure applicable statutory, regulatory and contractual requirements for cybersecurity and data protection are adequately addressed. From these policies and standards, procedures and other program-level guidance provide the specific details of how these policies and standards are implemented. With our cybersecurity framework-specific solutions, you can demonstrate compliance with nearly any legal and/or regulatory requirement for cybersecurity and data protection.
Start Here Guide
Effective cybersecurity and data protection is a team effort involving the participation and support of every user that interacts with your company’s data and/or systems, it is a necessity for your company’s cybersecurity & data protection requirements to be made available to all users in a format that they can understand. That means your company must publish those requirements in some manner, generally in either PDF format or published to an internal source (e.g., wiki, SharePoint, Jira, GRC, etc.). Our goal is to make that process as efficient, cost-effective and scalable, as possible.
Since words have meanings, it is important to provide examples from industry-recognized sources for the proper use of these terms that make up cybersecurity & privacy documentation. Simply because you have heard a term used in one manner for the last decade, it does not mean that is correct. That is why we wrote the following guide to help explain how cybersecurity and data protection documentation is meant to be developed, based on authoritative definitions of the components that make up documentation (e.g., policies, standards, procedures, controls, etc.).
As a "rule of thumb" to understand how documentation ages, if your cybersecurity policies, standards and procedures are old enough to start kindergarten (4-5 years old) then it is time to perform a thorough refresh / update cycle. Cybersecurity and privacy are evolving fields and your documentation needs to be current to address these new requirements and threats.
What Is The "Best" Cybersecurity Framework For Your Needs?
The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organiation must comply with will most often point you to one of four (4) starting points to kick off the discussion about "Which framework is most appropriate for our needs?":
- NIST Cybersecurity Framework (NIST CSF);
- ISO 27001/27002;
- NIST SP 800-53 (moderate or high baselines); or
- Secure Controls Framework (SCF) (or a similar metaframework).
What Is The "Best" Cybersecurity Framework For Your Needs?
While policies, standards and procedures form the foundation of any cybersecurity and data protection program, there are many other components that build off of those documents:
- Foundational Policies, Standards & Procedures;
- Risk Management;
- Vulnerability Management;
- Incident Response & Crisis Management;
- Supply Chain Risk Management; and
- Privacy & Secure Engineering.
Available Policies & Standards Products
Select the product aligned with your primary compliance framework. Prices shown are one-time purchase prices. Annual update subscriptions are sold separately for organizations that want to stay current as frameworks evolve.
Comprehensive Coverage
Give us a call or send us an email - we are happy to help you find the right solution for your needs!
There are a lot of choices to pick from when selecting a cybersecurity framework. If you are not sure what works best for you, you can read more here. The most common frameworks are NIST 800-53, ISO 27002, the NIST Cybersecurity Framework and the Secure Controls Framework (SCF). To do NIST CSF, ISO 27002 or NIST SP 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to comply with NIST CSF vs ISO 27002 vs NIST SP 800-53, since there are significantly different levels of expectation.
It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:
- Not be considered negligent with reasonable expectations for cybersecurity & data protection;
- Comply with applicable laws, regulations and contractual obligations; and
- Implement the proper controls to secure your systems, applications and processes from reasonable threats, based on your specific business case and industry practices.
This understanding makes it easy to determine where on the "framework spectrum" (shown above) you need to focus for selecting a set of cybersecurity principles to follow. This process generally leads to selecting the NIST Cybersecurity Framework, ISO 27002, NIST SP 800-53 or SCF as a starting point.