- Procedures are the operational layer of cybersecurity documentation, explaining exactly how standards are implemented in practice.
- The CSOP pairs 1-to-1 with a matching CDPP or SCRP, so procedures reference specific standards and maintain traceability back to framework controls.
- Every CSOP uses the NIST NICE Cybersecurity Workforce Framework to suggest role owners for each procedure, accelerating RACI assignment.
- Procedures are the most neglected layer of documentation in most organizations, yet they are the most-scrutinized layer in operational audits.
- CSOP products are available in framework-specific variants matching each CDPP/SCRP, and in a CORE Fundamentals variant for framework-agnostic coverage.
Operationalizing Policies & Standards With Procedures
Procedures are the "how" layer of cybersecurity documentation. While policies govern what must be done and standards specify how to measure it, procedures document the step-by-step operational activities that actually implement the standards.
ComplianceForge's CSOP products are designed to pair 1-to-1 with a corresponding policies-and-standards product. A NIST CSF CSOP pairs with the NIST CSF CDPP. An ISO CSOP pairs with the ISO CDPP. The SCRP CSOP pairs with the SCRP itself. This 1-to-1 mapping ensures consistent language, maps to the same framework control IDs, and keeps cross-references intact.
Unlike policies and standards which are typically centrally managed at the corporate level, procedures are inherently de-centralized. Implementation happens at the team and individual contributor level. Every CSOP includes suggested role owners drawn from the NIST NICE Cybersecurity Workforce Framework, simplifying the question of "who should own this procedure?" across the organization.
Look at the two versions shown below of a procedure for making a peanut butter & jelly sandwich. A good procedure is clear and concise with just enough detail to do a quality job. Procedures should not be long-winded documents, since that information quickly gets stale and becomes irrelevant.
Too little detail:
1. Put peanut butter on bread.
2. Put jelly on bread.
3. Eat.
Just enough detail:
1. Place two (2) slices of bread on a plate.
2. Open the jar of peanut butter and use a butter knife to spread approximately two (2) tablespoons of peanut butter on one (1) slice of bread.
3. Open the jar of jelly and use a butter knife to spread approximately two (2) tablespoons of jelly on the other slice of bread.
4. Put the bread slices together with the peanut butter and jelly sides facing each other.
5. Take one (1) bite-sized portion, then chew and swallow.
6. Repeat Step 5 until the sandwich is gone.
Cybersecurity Generally Does Not "Own" Cybersecurity Procedures - This Is The Control Owner's Responsibility
One of the most important things to keep in mind with procedures is that the "ownership" is different than that of policies and standards:
- Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.)
- Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations
- Procedures are by their very nature de-centralized: the team that implements each control documents the procedure that explains how that control is addressed.

Given this approach to how documentation is structured, based on "ownership" of the documentation components:
- Policies, standards and controls are expected to be published for anyone within the organization to access, since they apply organization-wide. They may be centrally managed in a GRC/IRM platform or published as a PDF on a file share, since they are relatively static with infrequent changes.
- Procedures are "living documents" that require frequent updates based on changes to technologies and staffing. Procedures are often documented in "team share" repositories, such as a wiki, SharePoint page, workflow management tool, etc.
Procedures Operationalize Cybersecurity Policies & Standards
We leverage the Operationalizing Cybersecurity Planning Model to create a practical view of how to implement cybersecurity requirements. Organizations are often not at a loss for a set of policies, but executing those requirements often falls short for several reasons. Standardized Operating Procedures (SOPs) are where the rubber meets the road for Individual Contributors (ICs), since these key players need to know (1) how they fit into day-to-day operations, (2) what their priorities are and (3) what is expected of them in their duties. From an auditability perspective, the evidence of due diligence and due care should match what the organization's cybersecurity business plan is attempting to achieve.
The central focus of any procedures should be a Capability Maturity Model (CMM) target that provides quantifiable expectations for People, Processes and Technologies (PPT), since this helps prevent a "moving target" by establishing an attainable expectation for "what right looks like" in terms of PPT. Generally, cybersecurity business plans take a phased, multi-year approach to meet these CMM-based cybersecurity objectives. Those objectives, in conjunction with the business plan, demonstrate evidence of due diligence on behalf of the CISO and his/her leadership team. The objectives prioritize the organization's service catalog by influencing IC-level procedures for how PPT are implemented at the tactical level. SOPs not only direct the workflow of staff personnel; the output from those procedures also provides evidence of due care.
The diagram below helps show the critical nature of documented cybersecurity procedures in keeping an organization both secure and compliant:

What Can Be Done To Make Writing Procedures Easier?
The good news is that ComplianceForge developed a standardized template for procedures and control activity statements, the Cybersecurity Standardized Operating Procedures (CSOP).
Given the difficult nature of writing templated procedure statements, we aimed for approximately an "80% solution", since it is impossible to write a 100% complete cookie-cutter procedure statement that applies equally across multiple organizations. What this means is that ComplianceForge did the heavy lifting and you just need to fine-tune each procedure with the specifics that only you would know to make it applicable to your organization. It is largely a matter of filling in the blanks and following the guidance we provide to identify the who / what / when / where / why / how that makes it complete.

What Are Procedures?
Procedures should be both clearly written and concise; procedure documentation is meant to provide evidence of due diligence that standards are complied with. Well-managed procedures are critical to a security program, since procedures represent the specific activities that are performed to protect systems and data. The diagram shown below helps visualize the linkages in documentation that involve written procedures:
- CONTROL OBJECTIVES exist to support POLICIES
- STANDARDS are written to support CONTROL OBJECTIVES
- PROCEDURES are written to implement the requirements that STANDARDS establish
- CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their capabilities are implemented and/or functioning
- METRICS exist as a way to measure the performance of CONTROLS

What Can Go Wrong If I Do Not Have Written Procedures?
What can go wrong is non-compliance with a law, regulation or contract.
Below is a short list of statutory and regulatory requirements, as well as leading cybersecurity frameworks, that expect every organization to document and maintain cybersecurity-related procedures. If you need to address one or more of these frameworks, then you need to maintain documented procedures.
- SOC 2
- CIS CSC 7
- Criminal Justice Information Services (CJIS)
- COBIT 5
- COSO
- ENISA
- EU GDPR
- FedRAMP
- FFIEC
- HIPAA
- ISO 27001
- ISO 27002
- ISO 27018
- ISO 29100
- ISO 39100
- New Zealand Information Security Manual (NZISM)
- NIST Cybersecurity Framework
- NIST 800-53
- NIST 800-160
- NIST 800-171
- NY DFS 23 NYCRR 500
- PCI DSS
- UK Cyber Essentials
- UL 2900-1
Available CSOP Products
Select the CSOP variant that matches your policies-and-standards product. Every CSOP is delivered as an editable Microsoft Word document with a single-entity license included.
Comprehensive Coverage
Give us a call or send us an email - we are happy to help you find the right solution for your needs!
There are a lot of choices to pick from when selecting a cybersecurity framework. If you are not sure what works best for you, you can read more here. The most common frameworks are NIST 800-53, ISO 27002, the NIST Cybersecurity Framework and the Secure Controls Framework (SCF). To do NIST CSF, ISO 27002 or NIST SP 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is also a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to comply with NIST CSF vs. ISO 27002 vs. NIST SP 800-53, since the levels of expectation differ significantly.
It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:
- Not be considered negligent with reasonable expectations for cybersecurity & data protection;
- Comply with applicable laws, regulations and contractual obligations; and
- Implement the proper controls to secure your systems, applications and processes from reasonable threats, based on your specific business case and industry practices.
This understanding makes it easy to determine where on the "framework spectrum" (shown above) you need to focus for selecting a set of cybersecurity principles to follow. This process generally leads to selecting the NIST Cybersecurity Framework, ISO 27002, NIST SP 800-53 or SCF as a starting point.