
- Editable cybersecurity documentation that is focused on ISO 27001 & 27002 alignment.
- Compliance-focused policies and standards that come with a wealth of free resources.
- Affordable solution that is designed to be efficient and scalable. Written to be business-friendly.
- One-time purchase - no subscription or software to install. Comes with editable Microsoft Word and Microsoft Excel documentation.
Don't Write It From Scratch.
Pursuing ISO 27001 certification, or need to prove ISO 27002 alignment to a customer? With what you have right now, could you produce the ISMS policies and standards an auditor expects, or are they incomplete, outdated, or scattered across your team?
For most teams, building ISO-aligned documentation from scratch takes hundreds of hours of senior staff time. The ISO 27001/27002 Cybersecurity & Data Protection Program (CDPP) gives you a running start: editable policies, control objectives, standards, and guidelines structured to the ISO 27002 taxonomy (2013 and 2022), built on the Secure Controls Framework (SCF) so it also maps to 100+ other laws, regulations, and frameworks. The templates get you roughly 80 to 90 percent of the way there. From there you tailor the details to your environment and move toward certification readiness in far less time than writing it yourself.
ISO 27001 Appendix A contains the basic overview of the security controls needed to build an Information Security Management System (ISMS), but ISO 27002 provides the specific controls that are necessary to actually implement ISO 27001. Essentially, you can't meet ISO 27001 without implementing ISO 27002.
To keep things simple, remember that ISO 27001 lays out the framework to create an "Information Security Management System (ISMS)" (e.g., a comprehensive IT security program), whereas ISO 27002 contains the actual "best practices" details of what goes into building a comprehensive IT security program. Since ISO's information security framework has been around since the mid-1990s, it was in the right place at the right time to evolve into the de facto IT security framework outside of the United States. You will find ISO 27002 extensively used by multinational corporations and by companies that do not have to specifically comply with US federal regulations. ISO 27002 is also "less paranoid" than NIST 800-53, which has the advantage of being less complex and therefore easier to implement.
The ISO 27002 CDPP is ideal for organizations that need to demonstrate alignment with ISO 27001 and ISO 27002 for compliance, contractual obligations, customer assurance, or audit purposes. Unlike framework-agnostic templates, every policy and standard in this product is structured around the ISO 27002 taxonomy, so cross-references and audit responses are direct.
What Is The ISO 27002 CDPP?
Does your organization need ISO 27001 policy templates? The Cybersecurity & Data Protection Program (CDPP) is our leading set of cybersecurity policies and standards based on ISO 27001/2:2013 and ISO 27001/2:2022. This is a comprehensive, customizable, easily implemented document that contains the policies, control objectives, standards and guidelines that your company needs to establish a world-class IT security program. Because they are Microsoft Word documents, you have the ability to make edits as needed. The CDPP contains mappings and coverage for both the 2013 and 2022 versions of ISO 27001 and 27002. The ISO 27001 / 27002 version of the CDPP leverages the Secure Controls Framework (SCF) control naming and domains to provide the structure for the policies, control objectives and standards. This approach makes the CDPP scalable and maps to over 100 other laws, regulations and frameworks. Since it is editable documentation, you can use the provided structure or rename it according to your specific needs.

The ISO 27002 CDPP is organized into approximately 14 domains, each with a parent policy supported by detailed standards. The naming convention and structure deliberately follow ISO 27001 and ISO 27002 so that a control reference in your documentation lines up directly with the source framework.
This product is intended for medium and large organizations, government agencies, and any organization whose primary regulatory or contractual driver is alignment with ISO 27001 and ISO 27002. If your organization needs to address multiple frameworks simultaneously, consider the SCRP (Security, Compliance & Resilience Program) instead, which covers 200+ frameworks.
- General Business;
- Retail;
- Healthcare;
- Insurance; and
- Defense Contractors.
No Software To Install
This product is a one-time purchase of editable Microsoft Office documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If your organization can open and edit Microsoft Word or Excel files (or compatible tools like OpenOffice and Google Workspace), you can use this product.
Microsoft Word & Excel
Delivered as fully editable .docx and .xlsx files. Compatible with Word 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Docs/Sheets.
Email Delivery
Documentation is delivered via email download link within 1 to 2 business days of purchase. There is no installer, no license server, and no activation step.
One-Time Purchase
A single-entity license is included with purchase. There is no recurring subscription requirement, although an optional update subscription is available to stay current as frameworks evolve.

This deployment model is intentional. Cybersecurity documentation benefits from being in the organization's own hands, inside the organization's own version control and document management systems, rather than locked inside a vendor's SaaS tool. Once delivered, this product belongs to the buyer.
What Problems Does The ISO 27002 CDPP Solve?
Most organizations face one or more of the following challenges when trying to align with ISO 27001 and ISO 27002. The ISO 27002 CDPP was designed specifically to address them.
Lack Of In-House Security Experience
Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at, and they avoid the task at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The ISO-based CDPP is an efficient method to obtain comprehensive ISO 27002:2022-based security policies and standards for your organization!
Compliance With ISO 27002
Nearly every organization, regardless of industry, is required to have formally documented security policies and standards. Requirements range from PCI DSS to HIPAA to EU GDPR. The CDPP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably expected security requirements. The CDPP maps to several leading compliance frameworks so you can clearly see what is required!
Audit Failures
Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The CDPP's standards provide mapping to leading security frameworks to show you exactly what is required to stay both secure and compliant.
Vendor & Customer Requirements
It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The CDPP provides this evidence!
How Does The ISO 27002 CDPP Solve These Problems?
The ISO 27002 CDPP addresses each challenge above with specific, measurable outcomes.
Clear Documentation
The CDPP provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
Time Savings
The CDPP can provide your organization with a semi-customized solution that requires minimal resources to fine-tune for your organization's specific needs.
Alignment With Leading Practices
The ISO-based CDPP is written to align your organization with ISO 27001/27002!
Audit-Defensible Format
Documentation is written to withstand scrutiny by external assessors and ISO 27002 auditors. Footnotes provide authoritative source references throughout.
What Is Included With The ISO 27002 CDPP?

The ISO 27002 CDPP is delivered as editable Microsoft Office documents. Purchase includes a single-entity license, the first year of product updates, and all of the following content components.
Microsoft Word Version
Cover page and executive summary template, policy sections aligned to ISO 27001 and ISO 27002 structure, supporting standards for each policy domain, guidelines, parameters, recommended defaults, and footnoted references to the ISO 27002 source controls. Revision history and change management structure are included.
Microsoft Excel Version
ISO 27001 and ISO 27002 control catalog with a cross-walk mapping from ISO 27001 and ISO 27002 to the CDPP's policies and standards, as well as to other common laws, regulations and frameworks.
ISO 27002 Integration Content
Direct mapping to current ISO 27001 and ISO 27002 version, cross-reference matrix to other major frameworks where applicable, assessment-ready language and structure, and evidence requirements identified per control.
Optional: Pairs With CSOP (ISO 27002 Version)
The ISO 27002 CDPP covers policies and standards. For step-by-step procedures with 1-to-1 mapping to the ISO 27002 CDPP's standards, the companion Cybersecurity Standardized Operating Procedures (CSOP) ISO 27002 Version is sold separately and is frequently bundled.
Cost Savings Estimate
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the ISO 27002 CDPP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
Internal Staff Cost
For your internal staff to generate comparable documentation, it would take them an estimated 400 internal staff work hours, which equates to a cost of approximately $38,000 in staff-related expenses. This is about 4 to 8 months of development time where your staff would be diverted from other work.
The ISO 27002 CDPP is approximately 5% of the cost for your internal staff to generate equivalent documentation.
External Consultant Cost
If you hire a consultant to generate this documentation, it would take them an estimated 300 consultant work hours, which equates to a cost of approximately $95,500. This is about 3 to 6 months of development time for a contractor to provide you with the deliverable.
The ISO 27002 CDPP is approximately 2% of the cost for an external consultant to generate equivalent documentation.

Product Examples
At ComplianceForge, we sometimes receive questions from customers asking, "Does ComplianceForge sell ISO 27001 information security policy templates?" The short answer is yes, we do provide this documentation. This version of the Cybersecurity & Data Protection Program (CDPP) is based on the ISO 27001 and 27002 frameworks, and it contains cybersecurity policies and standards that align with ISO 27001/27002. You get fully editable Microsoft Word and Excel documents that you can customize for your specific needs. To understand the differences between the NIST 800-53, ISO 27001/27002 and NIST CSF versions of the CDPP, please visit here for more details.
Below are PDF examples of what you would expect from our Microsoft Word and Excel documentation, so you can see the quality and structure of the ISO 27002 CDPP.
How Much Customization Is Remaining?
Given the difficult nature of writing templated cybersecurity documentation, ComplianceForge aims for approximately a 90% solution because it is impossible to write a 100% cookie-cutter document that can be equally applied across every organization. ComplianceForge did the heavy lifting, and the remaining work is to fine-tune the ISO 27001/27002 CDPP with the specific information that only your organization knows.
In practice, customization is essentially filling in the blanks and following the guidance provided to identify the who, what, when, where, why, and how for your specific environment. Typical customization tasks include adding your company name and logo, tailoring parameters such as review cadences and thresholds, naming specific owner roles, and removing sections that do not apply to your organization.

Professional Services
ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:
We offer the following professional service bundles:
5-Hour Bundle
This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.
10-Hour Bundle
This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.
20-Hour Bundle
This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.
Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.
Why The CDPP Is Specifically Built For ISO 27002
Unlike some of our competitors that sell "bronze, silver and gold" levels of documentation, we understand that a standard is a standard for a reason. We remove the guesswork associated with picking an appropriate package level: we focus on providing documentation that offers a straightforward solution with the coverage you need. This focus on providing the best solution for our clients makes us proud that we are providing the best set of IT security policies and standards available. Saving a few dollars on a cheap solution can easily leave you with a false sense of security and may result in gaping holes within your documentation that can leave you liable.
If your organization needs to address multiple frameworks at once and prefers a single, consolidated documentation set, the SCRP is the recommended alternative. If your primary or sole framework is ISO 27002, the ISO 27002 CDPP provides the most direct fit with the lowest customization burden.

Pairs Directly With The ISO 27002 CSOP
The ISO 27002 CDPP answers the what and why questions for ISO 27002 compliance through policies and standards. The matching Cybersecurity Standardized Operating Procedures (CSOP) ISO 27002 Version answers the how question with step-by-step procedures that map 1-to-1 to the ISO 27002 CDPP's standards.
Buying both as a bundle is the most common configuration for organizations that want a complete documentation set. Procedures are not optional from an audit standpoint, since auditors need to verify that standards are actually implemented in operational practice, and procedures are the documented evidence of that implementation.

CISO & Executive Reporting Benefits
The ISO 27002 CDPP includes metrics that are designed for executive reporting. CISOs need to communicate program health in language that executives understand, and the ISO 27002 CDPP's metrics are structured to roll up from individual control performance to executive-level dashboards.
This is particularly important for organizations subject to ISO 27002 oversight, where leadership accountability is increasingly explicit. The metrics provided are mapped to common reporting cadences such as monthly, quarterly, and annual, and identify suggested owners, target thresholds, and escalation criteria.





