
- Editable cybersecurity & privacy policies, control objectives, standards, metrics & more!
- Formatted for CSV import into GRC tools. Includes editable Microsoft Word & Excel documentation, or you can import the content directly into your GRC platform.
- Based on the Secure Controls Framework (SCF). Maps to over 200+ laws, regulations & frameworks.
- Comes with quarterly updates to keep you current on evolving cybersecurity & privacy requirements.
Don't Write It From Scratch.
If a regulator showed up today, could you pass an audit? Would the documentation you have in hand right now withstand external scrutiny, or is it outdated, incomplete, or living only in a few people's heads?
For most security teams, the honest answer is uncomfortable. Building this documentation from scratch can take hundreds of hours of senior staff time, and the result still has to hold up under an assessor's scrutiny. The Security, Compliance & Resilience Program (SCRP) gives you a running start. It is a complete, editable governance program of policies, control objectives, standards, guidelines, controls, and metrics, built on the Secure Controls Framework (SCF) and mapped to 200+ laws, regulations, and frameworks. The SCRP gets you roughly 80 to 90 percent of the way; from there, you tailor the details that only you and your team know about your environment. You can even import this documentation into your GRC tool and move toward audit readiness in far less time than writing it yourself.
The SCRP is the next evolution of the Digital Security Program (DSP), which ComplianceForge first released in 2016 to address the need for comprehensive cybersecurity governance documentation. When the SCF published its Security, Compliance & Resilience Management System (SCRMS), which focuses on helping companies be secure, compliant and resilient, ComplianceForge evolved the DSP to support that new focus. The DSP is now the SCRP.
What Is The Security, Compliance & Resilience Program (SCRP)?
The SCRP enables organizations to efficiently maintain evidence of secure, compliant and resilient capabilities that are able to withstand external scrutiny. In cybersecurity compliance matters, if it is not documented then it does not exist!
The SCRP is an enterprise-class solution for cybersecurity and data protection documentation that consists of thirty-four (34) domains that help any-sized organization be secure, compliant, and resilient. While designed for enterprise environments, the SCRP scales down to smaller organizations with complex cybersecurity and compliance requirements.
Editable Cybersecurity Documentation Templates (Microsoft Word & Excel)
The SCRP is editable cybersecurity documentation (e.g., Microsoft Word, Microsoft Excel, etc.). These are templates that are end-user friendly to tailor for your specific business needs and use cases. Specifically, the SCRP contains editable policies, control objectives, standards, guidelines, controls, and metrics.
Nested within these thirty-four (34) policies are the control objectives, standards, guidelines, metrics, and more that enable an organization to govern its cybersecurity and data privacy program. The SCRP was developed to meet the need for growing organizations that want to avoid being locked into alignment with a single framework or have complex compliance requirements that span multiple frameworks. This approach is a "best in class" hybrid framework structure that provides you with the ability to align with multiple frameworks in an efficient and scalable manner.
The SCRP is our recommended solution if you are currently using or plan to use a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) solution. Because it comes in both Microsoft Word and Excel formats, the SCRP is ready to import into your GRC/IRM instance: the Excel import is straightforward, and you can then do any customization and collaboration directly in your GRC portal.
No Software To Install
The SCRP is a one-time purchase of editable Microsoft Office-based documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If your organization can open and edit Microsoft Word or Excel files (or compatible tools like OpenOffice and Google Workspace), you can use the SCRP. While the SCRP does come in Microsoft Word like the CDPP, the included Excel version of the SCRP comes with the following content so it is easy to import into a GRC/IRM solution.
Microsoft Word & Excel
Delivered as fully editable .docx and .xlsx files. Compatible with Word 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Docs/Sheets.
Email Delivery
Documentation is delivered via email download link within 1-2 business days of purchase. There is no installer, no license server, and no activation step.
One-Time Purchase
A single-entity license is included with purchase. There is no recurring subscription requirement, although an optional update subscription is available to stay current as frameworks evolve.

This deployment model is intentional. Cybersecurity documentation benefits from being in the organization's own hands, inside the organization's own version control and document management systems, rather than locked inside a vendor's SaaS tool. Once delivered, the SCRP belongs to the buyer.
What Problems Does The SCRP Solve?
Most organizations face one or more of the following documentation challenges. The SCRP was designed specifically to address them:
Lack Of In-House Security Experience
Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The SCRP is an efficient method to obtain comprehensive security policies, standards, controls and metrics for your organization!
Compliance Requirements
Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The SCRP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements.
Audit Failures
Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The SCRP's standards provide mappings to leading security frameworks to show you exactly what is required to stay both secure and compliant.
Vendor Requirements
It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The SCRP provides this evidence!
How Does The SCRP Solve These Problems?
The SCRP addresses each challenge above with specific, measurable outcomes:
Clear Documentation
The SCRP provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
Time Savings
The SCRP can provide your organization with a semi-customized solution that requires minimal resources to fine-tune for your organization's specific needs.
Alignment With Leading Practices
The SCRP is written to support over two hundred laws, regulations, and industry frameworks, enabling organizations with complex, multi-framework compliance obligations to use one documentation set.
Pairs With CSOP For Full Coverage
The SCRP and its corresponding Cybersecurity Operating Procedures (CSOP) come together to provide premium GRC content that enables an organization to establish or refresh its GRC practices.

Difference Between the SCRP and the CDPPs
Similar to our framework-specific Cybersecurity & Data Protection Program (CDPP) products, the SCRP provides alignment with the underlying cybersecurity standards that must be complied with, as stipulated by statutory, regulatory and contractual requirements. However, the SCRP provides robust coverage for over 200 laws, regulations and other cybersecurity and privacy frameworks. The SCRP is essentially a "superset" of ISO 27002, NIST CSF, NIST 800-171, NIST 800-53 and other frameworks for organizations that do not want to be locked into alignment with just one framework [scroll to the bottom of the page to see a list of everything the SCRP currently maps to].
What Is Included With The SCRP?

The SCRP is delivered as editable Microsoft Office documents. Purchase includes a single-entity license, the first year of product updates, and all of the following content components organized across the 34 policies:
Microsoft Word Version
- Cover page and executive summary template
- 34 domain sections with 1,400+ controls
- Supporting standards and guidelines for each policy
- Guidelines, parameters, and recommended defaults
- Footnoted authoritative references for statutory, regulatory, and contractual requirements
- Revision history and change management structure
Microsoft Excel Version
- Full SCF control catalog with mappings
- Metrics aligned to NIST CSF categories
- Capability maturity model (SCR-CMM) criteria
- Risk management model (SCR-RMM) integration
- Recommended roles and responsibilities based on NIST NICE Cybersecurity Workforce Framework
- Direct import into GRC platforms
SCF Integration Content
- Assessment Objectives (AOs) for each control
- Evidence Request List (ERL) of expected assessment artifacts
- Mapped risk catalog with risk weighting
- Mapped threat catalog aligned to SCF controls
- Data Privacy Management Principles (DPMP)
- Security, Compliance & Resilience (SCR) Principles
Support & Updates
- First year of quarterly product updates included
- Email delivery within 1-2 business days of purchase
- Single-entity license for one legal entity
- Optional company logo embedded in delivered files
- Lifetime right to use the delivered version
- Optional annual subscription available after year one
The SCRP covers policies, standards, and control objectives. For step-by-step procedures that have a 1-to-1 mapping to the SCRP's standards, the companion Cybersecurity Standardized Operating Procedures (CSOP) SCRP Version is sold separately and is frequently bundled.
Cost Savings Estimate
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars; compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the SCRP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
Internal Staff Cost
For your internal staff to generate comparable documentation, it would take them an estimated 900 internal staff work hours, which equates to a cost of approximately $90,000 in staff-related expenses. This is about 12-24 months of development time where your staff would be diverted from other work.
The SCRP is approximately 12% of the cost for your internal staff to generate equivalent documentation.
External Consultant Cost
If you hire a consultant to generate this documentation, it would take them an estimated 800 consultant work hours, which equates to a cost of approximately $260,000. This is about 6-12 months of development time for a contractor to provide you with the deliverable.
The SCRP is approximately 4% of the cost for an external consultant to generate equivalent documentation.

Product Examples
Our customers choose the Security, Compliance & Resilience Program (SCRP) because they need a scalable and comprehensive solution. The SCRP is a hybrid, "best in class" approach to cybersecurity documentation that covers dozens of statutory, regulatory and contractual frameworks to create a comprehensive set of cybersecurity policies, standards, controls and metrics. The SCRP has a 1-1 mapping relationship with the Secure Controls Framework (SCF) so it maps to over 200 leading practices!
Below are PDF examples of what you would expect from our Microsoft Word and Excel documentation, so you can see the quality and structure of the documentation you will receive.
The PDF document shown below provides additional context into what to expect from ComplianceForge documentation, along with two side-by-side examples of what the content should look like, from policies and control objectives all the way through metrics. This provides a bit of a teaser of the actual content.

How Much Customization Remains?
Given the difficult nature of writing templated policies and standards, ComplianceForge aims for approximately a "90% solution" because it is impossible to write a 100% cookie-cutter document that can be equally applied across every organization. ComplianceForge did the heavy lifting, and the remaining work is to fine-tune the policies and standards with the specific information that only your organization knows.
In practice, customization is essentially filling in the blanks and following the guidance provided to identify the who, what, when, where, why, and how for your specific environment. Typical customization tasks include adding your company name and logo, tailoring parameters such as review cadences and access thresholds, naming specific owner roles, and removing sections that do not apply to your organization.

Professional Services
ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:
We offer the following professional service bundles:
5-Hour Bundle
This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.
10-Hour Bundle
This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.
20-Hour Bundle
This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.
Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.
Security + Compliance + Resilience = Unified Goal Of Your Cybersecurity & Data Protection Program
The Security, Compliance & Resilience Program (SCRP) is the next evolution of the Digital Security Program (DSP). ComplianceForge first released the DSP in 2016 to address the need for comprehensive cybersecurity governance documentation. With the SCF publishing its Security, Compliance & Resilience Management System (SCRMS), which focuses on helping organizations be secure, compliant, and resilient, ComplianceForge evolved the DSP to align with the SCF's updated direction. The DSP is now the SCRP.
The SCRP's Focus Benefits A CISO's Ability To Gain Executive Support
CISOs need to communicate in language that executives understand. This includes the real-world concept of negligence, which can be exposed during external scrutiny such as class action lawsuits, regulator reviews, or insurer evaluations. Effective communication requires the CISO to frame current and target capabilities in terms of how they help the organization be secure, compliant, and resilient, while supporting the broader mission and business functions.
When you look at the options below, which quadrant do you want to be in? Even more important, which quadrant can you prove you are in?

Option 1. Not Secure, Resilient, or Compliant
Organizations in this state lack both the technical safeguards and the documentation needed to demonstrate due care. This is the highest-risk position from both a security and regulatory perspective.
Option 2. Compliant, but Not Secure or Resilient
Documentation exists and audits pass, but the underlying technical environment cannot withstand attack or disruption. Compliance becomes a paper exercise rather than a real assurance of safety.
Option 3. Secure & Resilient, but Not Compliant
Strong technical safeguards exist, but the organization cannot prove due diligence to regulators, customers, or insurers. Negligence exposure remains high despite the underlying defensive posture.
Option 4. Target State: Secure, Resilient & Compliant
The organization is technically defended, can recover from disruption, and has the documentation to prove reasonable practices. This is the position the SCRP is designed to help organizations achieve and demonstrate.
The comprehensive nature of the SCRP enables a CISO to build secure, compliant, and resilient cybersecurity and data protection capabilities based on the organization's unique requirements. In doing so, the SCRP is designed to:
1. Minimize an entity's attack surface.
2. Promote defensible evidence of reasonable practices.
ComplianceForge Is A SCF Licensed Content Provider (SCF LCP)
The SCRP's policies and standards are intricately aligned with the SCF's controls, offering a direct, one-to-one mapping. This alignment allows the SCRP to leverage key SCF components, providing more than just policies and standards by incorporating maturity criteria, a comprehensive threat catalog, and a detailed risk catalog. These elements enable organizations to operationalize several of the SCF's notable capabilities, enhancing their security posture and compliance efforts.

Accelerating Your Business with 200+ Framework Mappings
Leveraging the Secure Controls Framework (SCF), the SCRP maps over 200 cybersecurity and data privacy laws, regulations, and frameworks. This includes the most common statutory, regulatory, and contractual requirements expected from a cybersecurity and data protection program. The SCRP provides the policies, control objectives, standards, guidelines, and metrics to operationalize the SCF for your organization.
Similar to the framework-specific Cybersecurity & Data Protection Program (CDPP) products, the SCRP provides alignment with the underlying cybersecurity standards required by statutory, regulatory, and contractual requirements. The difference is that the SCRP provides robust coverage for over 200 laws, regulations, and frameworks rather than specializing in one. The SCRP is essentially a superset of ISO 27002, NIST CSF, NIST 800-171, NIST 800-53, and other frameworks for organizations that do not want to be locked into alignment with just one.

The 34 Domains Covered By The SCRP
The SCRP contains thirty-four (34) unique domains that cover a modern cybersecurity and data privacy program. Each domain is structured as a policy supported by standards that provide the granular requirements needed to enforce the policy.
The diagram below visualizes how the SCRP exists at a strategic level to define the "what" and "why" requirements for being secure and compliant. Those foundational policies and standards influence every other component of your cybersecurity and data protection program.

Hierarchical and Scalable Policies, Standards, Controls & Metrics for the Modern Company
ComplianceForge provides what organizations need to protect themselves: professionally written cybersecurity policies, control objectives, standards, controls, procedures, and guidelines at an affordable cost. The SCRP is used by medium and large organizations including Fortune 500 companies, US and international government agencies, universities, and other organizations with complex compliance requirements that need an efficient, scalable solution for their Governance, Risk & Compliance (GRC) needs.

The SCRP is footnoted to provide authoritative references for the statutory, regulatory, and contractual requirements that need to be addressed. Just as Human Resources publishes an employee handbook to set expectations for staff, the SCRP does the same from a cybersecurity perspective.
The Cybersecurity Standardized Operating Procedures (CSOP) is available as a companion product that provides mapped procedures to the SCRP's standards. It is a 1-to-1 mapping, with a procedure for each standard.
Operationalize Cybersecurity & Data Privacy By Design
The SCRP can be thought of as a buffet of cybersecurity and privacy policies, standards, controls, and metrics. Once an organization determines which statutory, regulatory, and contractual obligations apply, it is straightforward to identify a customized control set specific to those obligations.
Building cybersecurity and privacy requirements into the governance program is the essence of Security by Design (SbD) and Privacy by Design (PbD). The obligations are understood before projects and initiatives commence, so that secure solutions can be designed, implemented, and maintained. The SCRP forms the cornerstone of an organization's security and privacy program.
Security by Design (SbD) sources:
- Cybersecurity Maturity Model Certification (CMMC)
- International Organization for Standardization (ISO)
- National Institute for Standards & Technology (NIST)
- US Government (HIPAA, FedRAMP, DFARS, FAR, FTC Act)
- Information Systems Audit and Control Association (ISACA)
- Cloud Security Alliance (CSA)
- Center for Internet Security (CIS)
- Open Web Application Security Project (OWASP)
- Payment Card Industry Data Security Standard (PCI DSS)
- European Union General Data Protection Regulation (EU GDPR)
Privacy by Design (PbD) sources:
- Generally Accepted Privacy Principles (GAPP)
- Fair Information Practice Principles (FIPPs)
- Organization for the Advancement of Structured Information Standards (OASIS)
- International Organization for Standardization (ISO)
- National Institute for Standards & Technology (NIST)
- Information Systems Audit and Control Association (ISACA)
- European Union General Data Protection Regulation (EU GDPR)
- US Government (OMB, HIPAA, FTC Act)
Understanding "How To GRC" With The SCRP & SCF

ComplianceForge, in conjunction with the Secure Controls Framework (SCF), literally wrote the book on "how to do GRC" by establishing the Integrated Controls Management (ICM) model, a principle-based approach to Governance, Risk & Compliance (GRC) operations. The Security, Compliance & Resilience Management System (SCRMS) document (shown below) is a great starting place to understand how the SCRP can help your organization design, implement and manage a security and privacy program that incorporates requirements to be both secure and compliant. This approach leverages the "Deming Cycle" of Plan, Do, Check and Act (PDCA) for continuous improvement.
Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are "right-sized" for an organization, since every organization has unique requirements. The approach looks at the following spheres of influence to identify applicable controls:
There are nine (9) principles associated with the SCRMS that are fully supported by the SCRP to develop, implement and maintain a secure and compliant security and privacy program:
- Establish Context
- Identify Applicable Controls
- Define Maturity Expectations
- Publish Governance Documentation
- Assign Stakeholder Accountability
- Prioritize Capabilities According To Risk
- Maintain Situational Awareness
- Manage Risk
- Evolve Processes
The structure of the Security, Compliance & Resilience Program (SCRP) is scalable, making it easy to add or remove policy sections as your business needs change. The same concept applies to standards – you can simply add or remove content to meet your specific needs.

The SCRP addresses the "why?" and "what?" questions, since policies and standards form the foundation for your cybersecurity program. The two documents shown below are well worth the time to make a pot of coffee and read through, since they will help you understand both the structure of the documentation and how you can customize it for your specific needs.