
- Procedures for SCF Cybersecurity Oversight, Resilience & Enablement (CORE) Fundamentals.
- Straightforward compliance solution for Texas SB2610 (procedures).
- Editable Microsoft Word templates - enables tailoring for an organization's specific needs.
- Immense time & cost savings - procedures require minimal effort to customize.
Don't Write It From Scratch.
If a regulator or insurer asked your small business to show how it actually runs its security controls day to day, could you produce it? For SMBs pursuing a safe-harbor posture under laws like Texas SB 2610, written policies are only half the story; procedures are the operational evidence that proves the controls are real. Writing them from a blank page is exactly the work a lean team has no time for. The CORE Fundamentals Cybersecurity Standardized Operating Procedures (CSOP) gives you a running start: editable, step-by-step procedures built on the SCF CORE set of 68 controls across 20 domains, scoped specifically for smaller organizations. The templates get you roughly 80 to 90 percent of the way there, then your team fills in the details only they know.
The CORE Fundamentals Procedures is a Secure Controls Framework (SCF) Licensed Content Provider (LCP) product that provides 68 controls across 20 domains, specifically tailored for Small and Medium Businesses (SMBs). It is built on the SCF's Cybersecurity Oversight, Resilience and Enablement (CORE) baseline.
As some context, the Secure Controls Framework (SCF) created the Cybersecurity Oversight, Resilience and Enablement (CORE) initiative as a means to help an organization tailor cybersecurity and data protection controls for its specific needs. The SCF CORE Fundamentals is a tailored set of sixty-eight (68) controls that are specifically designed for smaller organizations to protect People, Processes, Technologies, Data and Facilities (PPTDF) against common threats. The SCF CORE Fundamentals Procedures contains the procedures necessary to comply with Texas SB 2610.
The genesis of the SCF CORE Fundamentals came from Texas SB 2610, which named the SCF as one of a select few cybersecurity frameworks with adequacy to provide necessary security coverage. The SCF created the SCF CORE Fundamentals as an SMB-focused control set to address this law and others that may follow. Texas SB 2610 is the latest in a line of US State-level “cybersecurity safe harbor” laws that provide legal protection for businesses if, at the time of the incident, the business can prove it implemented reasonable cybersecurity practices. This type of legislation is meant to encourage SMBs to invest in cybersecurity to reduce legal exposure, and this incentivization can enhance business resilience that benefits everyone.

The CORE Fundamentals was created in response to Texas SB 2610, which named the SCF as one of a select few cybersecurity frameworks with adequacy to provide necessary security coverage. The control set is scoped to protect People, Processes, Technologies, Data, and Facilities (PPTDF) against common threats while remaining attainable for SMBs.
What Is The CORE Fundamentals CSOP?
The CORE Fundamentals CSOP is editable cybersecurity procedure documentation delivered as a Microsoft Word document. The CSOP addresses the how questions in an audit because procedures provide the means for how the organization's policies and standards are actually implemented day to day.

Implementing cybersecurity has to be attainable for Small and Medium Businesses (SMB) and the SCF CORE Fundamentals is designed to enable SMBs to successfully implement and maintain fundamental cybersecurity practices. This control set includes many of the requirements found in the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), so the SCF CORE Fundamentals can be an excellent starting point towards a path of maturity towards NIST CSF 2.0 alignment. SMBs have to start somewhere and the SCF CORE Fundamentals makes for an achievable objective in cybersecurity.
The controls in the SCF CORE Fundamentals are scoped for SMBs and are designed to meet the requirements in Texas SB 2610:
- Contain administrative, technical, and physical safeguards for the protection of personal identifying information and sensitive personal information (Section 542.004(1));
- Protect the security of personal identifying information and sensitive personal information (Section 542.004(3)(a));
- Protect against any threat or hazard to the integrity of personal identifying information and sensitive personal information (Section 542.003(4)(b)); and
- Protect against unauthorized access to or acquisition of personal identifying information and sensitive personal information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates (Section 542.004(3)(c)).

Because the CORE Fundamentals has a 1-to-1 mapping to the SCF, it inherits cross-walks to over 200 leading laws, regulations, and frameworks. The control set includes many requirements from the NIST Cybersecurity Framework 2.0, making it an excellent starting point for SMBs on a path toward NIST CSF 2.0 alignment.
The CORE Fundamentals version of the CSOP contains a catalog of procedure statements applicable to sixty-eight (68) SCF controls! While the control catalog of the SCF contains 1,342 unique controls, the 68 controls of the SCF CORE Fundamentals represent a mere 5% of the SCF and that is by design. Ever since the SCF was first released in 2018, there has never been an expectation for any organization, regardless of its size or industry, to implement every SCF control. The reason is simple - the SCF was designed to be tailored to an organization’s specific needs, based on “must have” versus “nice to have” requirements.

No Software To Install
This product is a one-time purchase of editable Microsoft Office-based documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If the organization can open and edit Microsoft Word and Excel files, the CORE Fundamentals CSOP is ready to use.
Microsoft Word & Excel
Delivered as a fully editable .docx file with companion .xlsx mapping. Compatible with Word 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Docs.
Email Delivery
Documentation is delivered via email download link within 1-2 business days of purchase. There is no installer, no license server, and no activation step.
One-Time Purchase
A single-entity license is included with purchase. There is no recurring subscription requirement, although an optional update subscription is available to stay current as the SCF evolves.

This deployment model is intentional. Procedures benefit from being in the organization's own hands, inside its own wiki, SharePoint, or document management systems, rather than locked inside a vendor's SaaS tool. Procedures are living documents that need to live where the teams that execute them work.
What Problems Does the CSOP Solve?
The CORE Fundamentals addresses the most common problems SMBs face when operationalizing the SCF CORE Fundamentals control set into day-to-day procedures.
Lack Of In-House Security Documentation Experience
Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient in, and they avoid the task at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The CORE Fundamentals is an efficient method to obtain comprehensive security policies, standards, controls and metrics for your organization!
Compliance Requirements
Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The CORE Fundamentals is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements.
Audit Failures
Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The CORE Fundamentals' standards provide mapping to leading security frameworks to show you exactly what is required to stay both secure and compliant.
Vendor Requirements
It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The CORE Fundamentals provides this evidence!
Our customers choose the Cybersecurity Standardized Operating Procedures (CSOP) because they:
- Have a need for comprehensive cybersecurity procedures to address their compliance needs.
- Need to be able to edit the document to their specific technology, staffing and other considerations.
- Have documentation that is directly linked to leading frameworks (e.g., NIST 800-53, NIST 800-171, ISO 27002, HIPAA and others).
- Need an affordable and timely solution to address not having procedures.
How Does the CSOP Solve These Problems?
Until now, a template that provides worthwhile cybersecurity procedures has been somewhat of a "missing link" within the cybersecurity documentation industry. The good news is that ComplianceForge solved this issue with the Cybersecurity Standardized Operating Procedures (CSOP) product. We are the only provider to have an affordable and comprehensive procedures template! Our CSOP can save a business several hundred hours of work in developing control activities / procedure statements, so the CSOP is worth checking out! The focus of a control activity is to mitigate risks and assist in compliance with cybersecurity policies, while the CSOP procedure statements assist in the implementation of cybersecurity policies & standards to create secure baseline configurations that enhance the cybersecurity stance of the organization.
Clear Documentation
The CORE Fundamentals provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
Time Savings
The CORE Fundamentals can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
Alignment With Over 200 Frameworks
Because the CORE Fundamentals has a 1-to-1 mapping to the SCF, it inherits cross-walks to over 200 leading laws, regulations, and industry frameworks at no extra effort.
Texas SB 2610 Safe-Harbor Ready
Designed specifically to satisfy the reasonable-practices requirements of Texas SB 2610 and similar state cybersecurity safe-harbor laws, the CORE Fundamentals provides the documented evidence required to claim that protection.
What Is Included?
The CORE Fundamentals CSOP is delivered as an editable Microsoft Word document with companion Excel mapping. Purchase includes a single-entity license and the first year of product updates.
Microsoft Word Procedures
Cover page and document control template. Procedure statements for the 68 SCF CORE Fundamentals controls, organized by SCF domain. Each procedure includes standardized fields for process owner, operator, occurrence, scope, location, performance target, and technology in use.
Excel Crosswalk Mapping
Excel companion mapping document. Each procedure mapped to its SCF CORE Fundamentals control, with inherited cross-walks to NIST 800-171, NIST CSF, ISO 27002, and the controls named in Texas SB 2610 and similar state safe-harbor laws.
NIST NICE Workforce Alignment
Every procedure is assigned NIST NICE Cybersecurity Workforce Framework work roles so the procedures direct the work of employees and contractors and minimize assumptions about who is responsible for what.
Pairs With The Matching CDPP
The CORE Fundamentals CSOP provides procedures (the how). The companion CORE Fundamentals Policies & Standards product provides the policies and standards (the why and what) that these procedures operationalize. Most SMBs purchase both to ensure their documentation set is internally consistent and audit-ready for safe-harbor purposes.
Cost Savings Estimate
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the CORE Fundamentals CSOP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
Internal Staff Cost
For your internal staff to generate comparable documentation, it would take them an estimated 360 internal staff work hours, which equates to a cost of approximately $33,000 in staff-related expenses. This is about 4 to 8 months of development time where your staff would be diverted from other work.
The CORE Fundamentals CSOP is approximately 4% of the cost for your internal staff to generate equivalent documentation.
External Consultant Cost
If you hire a consultant to generate this documentation, it would take them an estimated 240 consultant work hours, which equates to a cost of approximately $75,000. This is about 3 to 4 months of development time for a contractor to provide you with the deliverable.
The CORE Fundamentals CSOP is approximately 2% of the cost for an external consultant to generate equivalent documentation.

Product Examples
The CORE Fundamentals CSOP is scoped for Small and Medium Businesses adopting the SCF CORE Fundamentals control set. Every procedure statement is mapped to its parent SCF control and inherits cross-walks to other leading frameworks.
Below is a PDF example of what you would expect from our Microsoft Word documentation, so you can see the quality and structure of the CORE Fundamentals CSOP.
The PDF document shown below provides two, side-by-side examples from policies, control objectives, all the way through metrics, so you can have a glimpse of the quality you will receive.

How Much Customization Remains?
Given the difficult nature of writing templated procedures, ComplianceForge aims for approximately an 80% solution for the CSOP since procedure templates can be more comprehensive than policy templates. ComplianceForge did the heavy lifting, and all that remains is to fine-tune procedures with the specific information that only the organization knows to make them applicable to its environment.
In practice, customization is filling in the blanks for each procedure's standardized fields: process owner (e.g., owner, CISO, or IT manager), process operator (e.g., MSP technician, in-house IT staff), occurrence cadence, scope of impact, location of additional documentation, performance target / SLA, and technology in use. ComplianceForge has done the heavy lifting on the procedure narrative.

Professional Services
ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:
We offer the following professional service bundles:
5-Hour Bundle
This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.
10-Hour Bundle
This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.
20-Hour Bundle
This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.
Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.
Why Procedures Matter
Procedures operationalize policies and standards. This is a key concept to being both secure and compliant. Organizations are often not at a loss for a set of policies, but executing those requirements falls short without documented procedures. Standardized Operating Procedures are where the rubber meets the road for individual contributors who need to know how they fit into day-to-day operations, what their priorities are, and what is expected from them.
One of the most important things to keep in mind with procedures is that the "ownership" is different than that of policies and standards:
- Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.).
- Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations.
- Procedures are by their very nature de-centralized, where control implementation at the team-level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).

One of the most important concepts in procedure documentation is ownership. Policies, standards, and controls are designed to be centrally managed at the corporate level (GRC team, CISO). Procedures, by their very nature, are de-centralized; control implementation at the team level is defined to explain how the control is addressed (network team, desktop support, HR, procurement). Procedures are living documents that require frequent updates based on changes to technologies and staffing, and they are often documented in team-share repositories such as wikis, SharePoint pages, and workflow management tools.
Your customization will be to help "fill in the blanks" with specific process owners, process operators, where additional documentation can be found, applicable service obligations (e.g., SLAs), and what technology/tools your team has available. We've done the heavy lifting and you just need to fill in the blanks.
- Process owner:
  - This is the name of the individual or team accountable for the procedure being performed.
  - Example: Chief Information Security Officer (CISO) / Cybersecurity Director.
- Process operator:
  - This is the name of the individual or team responsible to perform the actual task.
  - Example: SOC Analyst / Risk Analyst / Network Admin.
- Occurrence:
  - This is the annual, semi-annual, quarterly, monthly, bi-weekly, weekly, daily, continuous or as needed cadence for how often the procedure needs to be performed.
  - Example: Quarterly vulnerability scans / Monthly software patches / Annual risk assessments.
- Scope of impact:
  - This is the scope of the procedure:
    - Purely internal processes;
    - Purely external processes (e.g., outsourced vendor processes); or
    - Scope covers both internal processes and external ones.
  - It also affects the potential impact from the process, which can be one or more of the following items:
    - System;
    - Application;
    - Process;
    - Team;
    - Department;
    - User;
    - Client;
    - Vendor;
    - Geographic region; or
    - The entire company.
- Location of additional documentation:
  - This is where additional documentation is stored or can be found. You might want to reference a Wiki, SharePoint site, or other documentation repository.
- Performance target / SLA:
  - This addresses targeted timelines for the process to be completed (e.g., Service Level Agreements).
  - Not all processes have SLAs or targeted timelines.
- Technology in use:
  - This addresses the applications/systems/services that are available to perform the procedure:
    - Splunk for a Security Incident Event Manager (SIEM) solution to collect logs;
    - McAfee ePO for centralized antimalware management; or
    - Tripwire Enterprise for File Integrity Monitoring (FIM).
To help illustrate the importance of well-written procedures, here is an illustration to show the difference between poorly-written procedures and well-written ones.
Poorly-written procedure:
1. Put peanut butter on bread.
2. Put jelly on bread.
3. Eat.

Well-written procedure:
1. Place two (2) slices of bread on a plate.
2. Open the jar of peanut butter and use a butter knife to spread approximately two (2) tablespoons of peanut butter on one (1) slice of bread.
3. Open the jar of jelly and use a butter knife to spread approximately two (2) tablespoons of jelly on the other slice of bread.
4. Put the bread slices together with the peanut butter and jelly sides facing each other.
5. Take one (1) bite-sized portion, then chew and swallow.
6. Repeat Step 5 until the sandwich is gone.
Companion Product
The CORE Fundamentals CSOP answers the how question for cybersecurity operations through documented procedures. The companion CORE Fundamentals Policies & Standards product answers the why and what questions through policies, control objectives, and standards that these procedures operationalize.
Buying both as a bundle is the most common configuration for SMBs aligning with the SCF CORE Fundamentals. The two products are intentionally mapped to each other: every standard in the Policies & Standards product has a corresponding procedure statement in the CSOP. This 1-to-1 relationship is what makes the documentation set audit-ready for SCF CAP third-party assessment and for safe-harbor purposes under laws like Texas SB 2610.

Alignment With The NIST NICE Framework
One very special aspect of the CDPP and SCRP versions of the CSOP is that they leverage the NIST NICE Cybersecurity Workforce Framework. NIST released the NICE framework in 2017 with the purpose of streamlining cybersecurity roles and responsibilities. We adopted this in the CSOP framework since work roles have a direct impact on procedures. By assigning work roles, the CSOP helps direct the work of employees and contractors to minimize assumptions about who is responsible for certain cybersecurity and privacy tasks.

The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to help make assigning the tasks associated with procedures/control activities more efficient and manageable. Keep in mind these are merely recommendations and are fully editable for every organization – this is just a helpful point in the right direction!
The CSOP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.
At the heart of it, the CSOP provides an organization with clear cybersecurity procedures that can scale to meet the needs and complexity of any team. The procedures are mapped to leading frameworks, so it is straightforward to have procedures that directly link to requirements from NIST 800-171, ISO 27002, NIST 800-53 and many other common cybersecurity and privacy-related statutory, regulatory and contractual frameworks!
The value of the CSOP comes from having well-constructed procedure statements that can help you become audit ready in a fraction of the time and cost to do it yourself or hire a consultant to come on-site and write it for you. The entire concept of this cybersecurity procedures template is focused on two things:
- Providing written procedures to walk your team members through the steps they need to meet a requirement to keep your organization secure; and
- Helping your company be audit ready with the appropriate level of due diligence evidence that allows you to demonstrate your organization meets its obligations.







