
- Editable cybersecurity & privacy procedures template that aligns with NIST CSF.
- 1-1 mapping to the standards within the NIST CSF Cybersecurity & Data Protection Program (CDPP).
- Leverages the NIST NICE Cybersecurity Workforce Framework for roles and responsibilities.
- Immense time & cost savings - enables subject matter experts to fill in the details that only they know.
Don't Write It From Scratch.
Your NIST CSF profile tells you which outcomes to pursue across Govern, Identify, Protect, Detect, Respond, and Recover. But when someone asks how each of those outcomes is actually carried out day to day, who owns it, and how often, can you show it? Procedures are the operational evidence that turns a framework profile into a working program, and they are usually the gap. The NIST CSF Cybersecurity Standardized Operating Procedures (CSOP) gives you a running start: editable, step-by-step procedures aligned to the CSF 2.0 Functions, with standardized fields for process owner, operator, and cadence. The templates get you roughly 80 to 90 percent of the way there, then your subject-matter experts fill in the details only they know.
Developed by the United States National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework (NIST CSF) has the least coverage of the major cybersecurity frameworks. NIST CSF works great for smaller and unregulated businesses that just want to align with a recognized cybersecurity framework. The downside to the NIST CSF is that its brevity makes it incompatible with common compliance requirements, such as NIST 800-171, GDPR, CPRA/CCPA and PCI DSS (depending on SAQ level). For those, more comprehensive frameworks, such as NIST 800-53 or ISO 27002 are recommended.
Overall, NIST CSF does not introduce new standards or concepts. It leverages and integrates industry-leading cybersecurity practices developed by organizations like NIST and ISO.
NIST CSF version 1.0 is organized into five categories of controls:
- Identify;
- Protect;
- Detect;
- Respond; and
- Recover.
NIST CSF version 2.0 adds a sixth category of controls:
- Identify;
- Protect;
- Detect;
- Respond;
- Recover; and
- Governance.
We leverage the Operationalizing Cybersecurity Planning Model to create a practical view of implementing cybersecurity requirements. Organizations are often not at a loss for a set of policies, but executing those requirements often falls short for several reasons. Standardized Operating Procedures (SOPs) are where the rubber meets the road for Individual Contributors (ICs), since these key players need to know (1) how they fit into day-to-day operations, (2) what their priorities are and (3) what is expected of them in their duties. From an auditability perspective, the evidence of due diligence and due care should match what the organization's cybersecurity business plan is attempting to achieve.

One of the most important things to keep in mind with procedures is that the "ownership" is different than that of policies and standards:
- Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.).
- Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations.
- Procedures are by their very nature de-centralized, where control implementation at the team-level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).
Given this approach to how documentation is structured, based on "ownership" of the documentation components:
- Policies, standards and controls are expected to be published for anyone within the organization to have access to, since it applies organization-wide. This may be centrally-managed by a GRC/IRM platform or published as a PDF on a file share, since they are relatively static with infrequent changes.
- Procedures are "living documents" that require frequent updates based on changes to technologies and staffing. Procedures are often documented in "team share" repositories, such as a wiki, SharePoint page, workflow management tool, etc.
The central focus of any procedures should be a Capability Maturity Model (CMM) target that provides quantifiable expectations for People, Processes and Technologies (PPT), since this helps prevent a “moving target” by establishing an attainable expectation for “what right looks like” in terms of PPT. Generally, cybersecurity business plans take a phased, multi-year approach to meet these CMM-based cybersecurity objectives. Those objectives, in conjunction with the business plan, demonstrate evidence of due diligence on behalf of the CISO and his/her leadership team. The objectives prioritize the organization’s service catalog through influencing procedures at the IC-level for how PPT are implemented at the tactical level. SOPs not only direct the workflow of staff personnel, but the output from those procedures provides evidence of due care.
What Is The NIST CSF CSOP?
Does your organization need NIST CSF procedure documentation? Our NIST Cybersecurity Framework 2.0 (NIST CSF 2.0)-based Cybersecurity Standardized Operating Procedures (CSOP) is a set of cybersecurity procedures that is tailored for smaller organizations that do not need to address more rigorous requirements that are found in ISO 27002 or NIST 800-53. The NIST CSF version of the CSOP leverages the Secure Controls Framework (SCF) control naming and domains to provide the structure for the procedures. This approach makes the CSOP scalable and maps to over 200 other laws, regulations and frameworks. Since it is editable documentation, you can use the provided structure or rename it according to your specific needs.

In reality, NIST CSF is a "dumbed down" and civilianized version of NIST 800-53. It came out nearly a decade ago when NIST 800-53 was entirely focused on the US Government, so there was a need for a subset of the controls that NIST 800-53 provided but for the non-enterprise space in private industry (e.g., tailored for small to medium businesses). Over the past decade, different US Federal agencies have published documents describing how NIST CSF v2.0 controls can be leveraged to comply with HIPAA, FINRA, etc.
This product is intended for small and medium organizations whose primary regulatory or contractual driver is alignment with NIST CSF 2.0. If your organization needs to address multiple frameworks simultaneously, consider the SCRP (Security, Compliance & Resilience Program) instead, which covers 200+ frameworks.
The CSOP contains editable procedure statements in an editable Microsoft Word format:
- The CSOP addresses the “how?” questions in an audit, since procedures provide the means for how your organization's policies and standards are actually implemented.
- The CSOP provides the underlying cybersecurity procedures that must be documented, as may be stipulated by statutory, regulatory and contractual requirements.
- The procedure statements in the CSOP can be cut & pasted into other tools (e.g., wiki page) or left in a single document. There is no wrong answer for how procedures are maintained, since every organization is unique in the tools used and the location of users.
- General Businesses;
- Retail;
- Healthcare (small);
- Insurance; and
- Defense Contractors.
No Software To Install
This product is a one-time purchase of editable Microsoft Office-based documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If the organization can open and edit Microsoft Word and Excel files, the NIST CSF CSOP is ready to use.
Microsoft Word & Excel
Delivered as a fully editable .docx file with companion .xlsx mapping. Compatible with Word 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Docs.
Email Delivery
Documentation is delivered via email download link within 1-2 business days of purchase. There is no installer, no license server, and no activation step.
One-Time Purchase
A single-entity license is included with purchase. There is no recurring subscription requirement, although an optional update subscription is available to stay current as frameworks evolve.

This deployment model is intentional. Procedures benefit from being in the organization's own hands, inside its own wiki, SharePoint, or document management systems, rather than locked inside a vendor's SaaS tool. Procedures are living documents that need to live where the teams that execute them work.
What Problems Does the NIST CSF CSOP Solve?
The NIST CSF CSOP addresses the most common problems organizations face when trying to operationalize NIST CSF 2.0 policies and standards into day-to-day procedures.
Lack of In House Security Experience
Writing cybersecurity procedures is a skill that most cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive procedure documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The CSOP is an efficient method to obtain comprehensive security procedures for your organization!
Compliance Requirements
Nearly every organization, regardless of industry, is required to have formally-documented security procedures. Requirements range from PCI DSS to HIPAA to NIST 800-171. The CSOP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements.
Audit Failures
Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The CSOP's procedures provide mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.
Vendor Requirements
It is very common for clients and partners to request evidence of a security program and this includes policies, standards and procedures.
Our customers choose the Cybersecurity Standardized Operating Procedures (CSOP) because they:
- Have a need for comprehensive cybersecurity procedures to address their compliance needs.
- Need to be able to edit the document to their specific technology, staffing and other considerations.
- Have documentation that is directly linked to leading frameworks (e.g., NIST 800-53, NIST 800-171, ISO 27002, HIPAA and others).
- Need an affordable and timely solution to address not having procedures.
How Does the NIST CSF CSOP Solve These Problems?
Until now, a template that provides worthwhile cybersecurity procedures has been somewhat of a "missing link" within the cybersecurity documentation industry. The good news is that ComplianceForge solved this issue with the Cybersecurity Standardized Operating Procedures (CSOP) product. We are the only provider to have an affordable and comprehensive procedures template! Our CSOP can save a business several hundred hours of work in developing control activities / procedure statements, so the CSOP is worth checking out! The focus of a control activity is to mitigate risks and assist in compliance with cybersecurity policies, while the CSOP procedure statements assist in the implementation of cybersecurity policies & standards to create secure baseline configurations that enhance the cybersecurity stance of the organization.
Clear Documentation
The CSOP provides a comprehensive template for your procedures to help prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
Time Savings
The CSOP can provide your organization with a templated solution that requires minimal resources to fine tune for your organization's specific procedural needs.
Alignment With Leading Practices
Because the procedure structure is built on SCF control naming, the CSOP inherits cross-walks to over 200 leading laws, regulations, and frameworks at no extra effort.
Standardized Process Criteria
Every procedure identifies process owner, process operator, occurrence cadence, scope of impact, location of additional documentation, performance target, and technology in use. Standardized fields make it straightforward to tailor procedures for the specific environment.
What Is Included?
The NIST CSF CSOP is delivered as an editable Microsoft Word document with companion Excel mapping. Purchase includes a single-entity license and the first year of product updates.
Microsoft Word Procedures
Cover page and document control template. Procedure statements organized by SCF domain that map to NIST CSF 2.0 functions. Each procedure includes standardized fields for process owner, operator, occurrence, scope, location, performance target, and technology in use.
Excel Crosswalk Mapping
Excel companion mapping document. Each procedure mapped to NIST CSF 2.0 functions, categories, and subcategories, as well as inherited cross-walks to NIST 800-53, NIST 800-171, ISO 27002, HIPAA, PCI DSS, and other leading frameworks.
NIST NICE Workforce Alignment
Every procedure is assigned NIST NICE Cybersecurity Workforce Framework work roles so the procedures direct the work of employees and contractors and minimize assumptions about who is responsible for what.
Pairs With The Matching CDPP
The NIST CSF CSOP provides procedures (the how). The companion NIST CSF 2.0 CDPP provides the policies and standards (the why and what) that these procedures operationalize. Most organizations purchase both as a bundle to ensure their policies and procedures stay aligned.
Cost Savings Estimate
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the NIST CSF CSOP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
Internal Staff Cost
For your internal staff to generate comparable documentation, it would take them an estimated 600 internal staff work hours, which equates to a cost of approximately $55,000 in staff-related expenses. This is about 6 to 18 months of development time where your staff would be diverted from other work.
The NIST CSF CSOP is approximately 8% of the cost for your internal staff to generate equivalent documentation.
External Consultant Cost
If you hire a consultant to generate this documentation, it would take them an estimated 400 consultant work hours, which equates to a cost of approximately $125,000. This is about 3 to 6 months of development time for a contractor to provide you with the deliverable.
The NIST CSF CSOP is approximately 4% of the cost for an external consultant to generate equivalent documentation.

Product Examples
The NIST CSF CSOP is scoped specifically for smaller organizations and unregulated industries that need to align with the NIST Cybersecurity Framework 2.0. Every procedure statement is mapped to its parent NIST CSF 2.0 function, category, and subcategory.
Below is a PDF example of what you would expect from our Microsoft Word documentation, so you can see the quality and structure of the NIST CSF CSOP.
How Much Customization Remains?
Given the difficult nature of writing templated procedures, ComplianceForge aims for approximately an 80% solution for the CSOP since procedure templates can be more comprehensive than policy templates. ComplianceForge did the heavy lifting, and all that remains is to fine-tune procedures with the specific information that only the organization knows to make them applicable to its environment.
In practice, customization is filling in the blanks for each procedure's standardized fields: process owner (e.g., CISO or Cybersecurity Director), process operator (e.g., SOC Analyst or Network Admin), occurrence cadence, scope of impact, location of additional documentation, performance target / SLA, and technology in use. ComplianceForge has done the heavy lifting on the procedure narrative.

Professional Services
ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:
We offer the following professional service bundles:
5-Hour Bundle
This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.
10-Hour Bundle
This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.
20-Hour Bundle
This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.
Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.
Why Procedures Matter
Procedures operationalize policies and standards. This is a key concept to being both secure and compliant. Organizations are often not at a loss for a set of policies, but executing those requirements falls short without documented procedures. Standardized Operating Procedures are where the rubber meets the road for individual contributors who need to know how they fit into day-to-day operations, what their priorities are, and what is expected from them.
One of the most important concepts in procedure documentation is ownership. Policies, standards, and controls are designed to be centrally managed at the corporate level (GRC team, CISO). Procedures, by their very nature, are de-centralized; control implementation at the team level is defined to explain how the control is addressed (network team, desktop support, HR, procurement). Procedures are living documents that require frequent updates based on changes to technologies and staffing, and they are often documented in team-share repositories such as wikis, SharePoint pages, and workflow management tools.
Your customization will be to help "fill in the blanks" with specific process owners, process operators, where additional documentation can be found, applicable service obligations (e.g., SLAs), and what technology/tools your team has available. We've done the heavy lifting and you just need to fill in the blanks.
Process Owner
- This is the name of the individual or team accountable for the procedure being performed.
- Example: Chief Information Security Officer (CISO) / Cybersecurity Director.
Process Operator
- This is the name of the individual or team responsible for performing the actual task.
- Example: SOC Analyst / Risk Analyst / Network Admin.
Occurrence
- This is the annual, semi-annual, quarterly, monthly, bi-weekly, weekly, daily, continuous or as-needed cadence for how often the procedure needs to be performed.
- Example: Quarterly vulnerability scans / Monthly software patches / Annual risk assessments.
Scope of Impact
- This is the scope of the procedure:
  - Purely internal processes;
  - Purely external processes (e.g., outsourced vendor processes); or
  - Scope covers both internal processes and external ones.
- It also addresses the potential impact from the process, which can be one or more of the following items:
  - System;
  - Application;
  - Process;
  - Team;
  - Department;
  - User;
  - Client;
  - Vendor;
  - Geographic region; or
  - The entire company.
Location of Additional Documentation
- This is where additional documentation is stored or can be found. You might want to reference a Wiki, SharePoint site, or other documentation repository.
Performance Target
- This addresses targeted timelines for the process to be completed (e.g., Service Level Agreements).
- Not all processes have SLAs or targeted timelines.
Technology in Use
- This addresses the applications/systems/services that are available to perform the procedure.
- Example:
  - Splunk for a Security Incident Event Manager (SIEM) solution to collect logs;
  - McAfee ePO for centralized antimalware management; or
  - Tripwire Enterprise for File Integrity Monitoring (FIM).
To illustrate the importance of well-written procedures, here is a comparison of a poorly-written procedure and a well-written one.
Poorly-written procedure:
1. Put peanut butter on bread.
2. Put jelly on bread.
3. Eat.
Well-written procedure:
1. Place two (2) slices of bread on a plate.
2. Open the jar of peanut butter and use a butter knife to spread approximately two (2) tablespoons of peanut butter on one (1) slice of bread.
3. Open the jar of jelly and use a butter knife to spread approximately two (2) tablespoons of jelly on the other slice of bread.
4. Put the bread slices together with the peanut butter and jelly sides facing each other.
5. Take one (1) bite-sized portion, then chew and swallow.
6. Repeat Step 5 until the sandwich is gone.
Companion Product
The NIST CSF CSOP answers the how question for cybersecurity operations through documented procedures. The companion NIST CSF 2.0 CDPP answers the why and what questions through policies, control objectives, and standards that these procedures operationalize.
Buying both as a bundle is the most common configuration for organizations aligning with NIST CSF 2.0. The NIST CSF 2.0 CDPP and the NIST CSF CSOP are intentionally mapped to each other: every standard in the CDPP has a corresponding procedure statement in the CSOP. This relationship is what makes the documentation set audit-ready because it provides direct evidence that policies and standards have been translated into operational practice.

Alignment With The NIST NICE Framework
One very special aspect of the CDPP and SCRP versions of the CSOP is that they leverage the NIST NICE Cybersecurity Workforce Framework. NIST released the NICE framework in 2017 with the purpose of streamlining cybersecurity roles and responsibilities. We adopted this in the CSOP framework since work roles have a direct impact on procedures. By assigning work roles, the CSOP helps direct the work of employees and contractors to minimize assumptions about who is responsible for certain cybersecurity and privacy tasks.

The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to help make assigning the tasks associated with procedures/control activities more efficient and manageable. Keep in mind these are merely recommendations and are fully editable for every organization – this is just a helpful point in the right direction!
The CSOP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.
At the heart of it, the CSOP provides an organization with clear cybersecurity procedures that can scale to meet the needs and complexity of any team. The procedures are mapped to leading frameworks, so it is straightforward to have procedures that directly link to requirements from NIST 800-171, ISO 27002, NIST 800-53 and many other common cybersecurity and privacy-related statutory, regulatory and contractual frameworks!
The value of the CSOP comes from having well-constructed procedure statements that can help you become audit ready in a fraction of the time and cost to do it yourself or hire a consultant to come on-site and write it for you. The entire concept of this cybersecurity procedures template is focused on two things:
- Providing written procedures to walk your team members through the steps they need to meet a requirement to keep your organization secure; and
- Helping your company be audit ready with the appropriate level of due diligence evidence that allows you to demonstrate your organization meets its obligations.