
- Editable cybersecurity & privacy procedures. 1-1 mapping to SCRP standards & SCF controls.
- Comes in both Microsoft Word & Excel formats. Importable into any GRC platform that supports CSV content imports.
- Based on the Secure Controls Framework (SCF). Maps to over 200 laws, regulations & frameworks.
- Provides quarterly updates to keep you current on evolving cybersecurity & privacy requirements.
Don't Write It From Scratch.
Your policies say what your security program requires. But when an auditor asks how a control is actually performed, who owns it, and how often it happens, can you show it? Without documented procedures, even a strong policy set leaves a gap that assessors flag. The Cybersecurity Standardized Operating Procedures (CSOP) gives you a running start: editable, step-by-step procedures mapped 1-to-1 to your SCRP standards and the Secure Controls Framework (SCF) controls. The templates get you roughly 80 to 90 percent of the way there, then you tailor each procedure to how your teams actually operate.

One of the most important things to keep in mind with procedures is that the "ownership" is different than that of policies and standards:
- Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.).
- Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations.
- Procedures are by their very nature de-centralized, where control implementation at the team-level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).
Given this approach to how documentation is structured, based on "ownership" of the documentation components:
- Policies, standards and controls are expected to be published for anyone within the organization to have access to, since it applies organization-wide. This may be centrally-managed by a GRC/IRM platform or published as a PDF on a file share, since they are relatively static with infrequent changes.
- Procedures are "living documents" that require frequent updates based on changes to technologies and staffing. Procedures are often documented in "team share" repositories, such as a wiki, SharePoint page, workflow management tool, etc.
The central focus of any procedures should be a Capability Maturity Model (CMM) target that provides quantifiable expectations for People, Processes and Technologies (PPT), since this helps prevent a “moving target” by establishing an attainable expectation for “what right looks like” in terms of PPT. Generally, cybersecurity business plans take a phased, multi-year approach to meet these CMM-based cybersecurity objectives. Those objectives, in conjunction with the business plan, demonstrate evidence of due diligence on behalf of the CISO and his/her leadership team. The objectives prioritize the organization’s service catalog by influencing procedures at the individual contributor (IC) level for how PPT are implemented at the tactical level. SOPs not only direct the workflow of staff personnel, but the output from those procedures provides evidence of due care.
What Is The SCRP CSOP?
The Security, Compliance & Resilience Program (SCRP) version of the CSOP contains a catalog of over 1,400 procedure statements! The structure of the SCRP maps to over 200 statutory, regulatory and contractual frameworks, so it is the most comprehensive set of procedures that we offer. If you need to address multiple compliance requirements, the SCRP version of the CSOP is the best choice. If you have any questions, just give us a call since we are more than happy to help answer your questions to ensure you pick the right solution for your needs.

The CSOP contains editable procedure statements in Microsoft Word format:
- The CSOP addresses the “how?” questions in an audit, since procedures provide the means for how your organization's policies and standards are actually implemented.
- The CSOP provides the underlying cybersecurity procedures that must be documented, as may be stipulated by statutory, regulatory and contractual requirements.
- The procedure statements in the CSOP can be cut & pasted into other tools (e.g., wiki page) or left in a single document. There is no wrong answer for how procedures are maintained, since every organization is unique in the tools used and the location of users.
No Software To Install
This product is a one-time purchase of editable Microsoft Office-based documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If the organization can open and edit Microsoft Word and Excel files, the CSOP is ready to use.
Microsoft Word & Excel
Delivered as a fully editable .docx file with companion .xlsx mapping. Compatible with Word 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Docs.
Email Delivery
Documentation is delivered via email download link within 1-2 business days of purchase. There is no installer, no license server, and no activation step.
One-Time Purchase
A single-entity license is included with purchase. There is no recurring subscription requirement, although an optional update subscription is available to stay current as frameworks evolve.

This deployment model is intentional. Procedures benefit from being in the organization's own hands, inside its own wiki, SharePoint, or document management systems, rather than locked inside a vendor's SaaS tool. Procedures are living documents that need to live where the teams that execute them work.
What Problems Does the SCRP CSOP Solve?
The SCRP CSOP addresses the most common problems organizations face when trying to operationalize policies and standards into day-to-day procedures.
Lack Of In-House Procedure-Writing Experience
Writing cybersecurity procedures is a skill that most cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers to write comprehensive procedure documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The CSOP is an efficient method to obtain comprehensive IT security procedures for your organization!
Compliance Requirements
Nearly every organization, regardless of industry, is required to have formally-documented security procedures. Requirements range from PCI DSS to HIPAA to NIST 800-171. The CSOP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements.
Audit Failures
Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The CSOP's procedures provide mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.
Vendor & Client Requirements
It is very common for clients and partners to request evidence of a security program and this includes policies, standards and procedures.
Our customers choose the Cybersecurity Standardized Operating Procedures (CSOP) because they:
- Have a need for comprehensive cybersecurity procedures to address their compliance needs.
- Need to be able to edit the document to their specific technology, staffing and other considerations.
- Have documentation that is directly linked to leading frameworks (e.g., NIST 800-53, NIST 800-171, ISO 27002, HIPAA and others).
- Need an affordable and timely solution to address not having procedures.
How Does the SCRP CSOP Solve These Problems?
Until now, developing a template that provides worthwhile cybersecurity procedures was something of a "missing link" within the cybersecurity documentation industry. The good news is that ComplianceForge solved this issue with the Cybersecurity Standardized Operating Procedures (CSOP) product. We are the only provider to have an affordable and comprehensive procedures template! Our CSOP can save a business several hundred hours of work in developing control activities / procedure statements, so the CSOP is worth checking out!
Clear Documentation
The CSOP provides a comprehensive template for your procedures to help prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
Time Savings
The CSOP can provide your organization with a templated solution that requires minimal resources to fine tune for your organization's specific procedural needs.
Alignment With Leading Practices
The CSOP is written to support over two hundred leading frameworks, with the Excel companion providing the mapping documentation auditors need.
Standardized Process Criteria
Every procedure identifies process owner, process operator, occurrence cadence, scope of impact, location of additional documentation, performance target, and technology in use. Standardized fields make it straightforward to tailor procedures for the specific environment.
What Is Included?
The SCRP CSOP is delivered as an editable Microsoft Word document with companion Excel mapping. Purchase includes a single-entity license and the first year of product updates.
Microsoft Word Procedures
Cover page and document control template. Over 1,400 procedure statements organized by SCF domain. Each procedure includes standardized fields for process owner, operator, occurrence, scope, location, performance target, and technology in use.
Excel Crosswalk Mapping
Excel companion mapping document. Each procedure mapped to NIST 800-53, NIST 800-171, NIST CSF, ISO 27002, ISO 27018, PCI DSS, HIPAA, SOX, GLBA, FedRAMP, CIS CSC, COBIT 5, SOC 2, GDPR, NERC CIP, 23 NYCRR 500, OR 646A, MA 201 CMR 17.00, and more.
NIST NICE Workforce Alignment
Every procedure is assigned NIST NICE Cybersecurity Workforce Framework work roles so the procedures direct the work of employees and contractors and minimize assumptions about who is responsible for what.
Support & Updates
First year of quarterly product updates included. Email delivery within 1-2 business days of purchase. Single-entity license for one legal entity. Optional company logo embedded in delivered files.
Pairs With The Matching CDPP
The SCRP CSOP provides procedures (the how). The companion SCRP (Cybersecurity & Data Protection Program) provides the policies and standards (the why and what) that these procedures operationalize. Most organizations purchase both as a bundle.
Cost Savings Estimate
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the SCRP version of the CSOP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
Internal Staff Cost
For your internal staff to generate comparable documentation, it would take them an estimated 1,000 internal staff work hours, which equates to a cost of approximately $93,500 in staff-related expenses. This is about 9 to 18 months of development time where your staff would be diverted from other work.
The SCRP version of the CSOP is approximately 6% of the cost for your internal staff to generate equivalent documentation.
External Consultant Cost
If you hire a consultant to generate this documentation, it would take them an estimated 800 consultant work hours, which equates to a cost of approximately $253,500. This is about 6 to 12 months of development time for a contractor to provide you with the deliverable.
The SCRP version of the CSOP is approximately 2% of the cost for an external consultant to generate equivalent documentation.

Product Examples
The Cybersecurity Standardized Operating Procedures (CSOP) comes in two main versions (1) Security, Compliance & Resilience Program (SCRP) and (2) Cybersecurity & Data Protection Program (CDPP). These versions contain different levels of coverage, so you want to buy the correct CSOP for your needs. The CSOP is essentially a templatized catalog of procedures that you can edit for your needs. At ComplianceForge, we are sometimes asked by customers about whether we have example cybersecurity procedures, and you can view the examples below!
Below is a PDF example of what you would expect from our Microsoft Word documentation, so you can see the quality and structure of the SCRP CSOP.
The PDF document shown below provides two side-by-side examples, from policies and control objectives all the way through metrics, so you can have a glimpse of the quality you will receive.

How Much Customization Remains?
Given the difficult nature of writing templated procedures, ComplianceForge aims for approximately an 80% solution for the CSOP since procedure templates can be more comprehensive than policy templates. ComplianceForge did the heavy lifting, and all that remains is to fine-tune procedures with the specific information that only the organization knows to make them applicable to its environment.
In practice, customization is filling in the blanks for each procedure's standardized fields: process owner (e.g., CISO or Cybersecurity Director), process operator (e.g., SOC Analyst or Network Admin), occurrence cadence (annual, quarterly, monthly, continuous), scope of impact, location of additional documentation, performance target / SLA, and technology in use. ComplianceForge has done the heavy lifting on the procedure narrative.

Professional Services
ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:
We offer the following professional service bundles:
5-Hour Bundle
This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.
10-Hour Bundle
This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.
20-Hour Bundle
This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.
Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.
Why Procedures Matter
Procedures operationalize policies and standards. This is a key concept to being both secure and compliant. Organizations are often not at a loss for a set of policies, but executing those requirements falls short without documented procedures. Standardized Operating Procedures are where the rubber meets the road for individual contributors who need to know how they fit into day-to-day operations, what their priorities are, and what is expected from them.
One of the most important concepts in procedure documentation is ownership. Policies, standards, and controls are designed to be centrally managed at the corporate level (GRC team, CISO). Procedures, by their very nature, are de-centralized; control implementation at the team level is defined to explain how the control is addressed (network team, desktop support, HR, procurement). Procedures are living documents that require frequent updates based on changes to technologies and staffing, and they are often documented in team-share repositories such as wikis, SharePoint pages, and workflow management tools.
Your customization will be to help "fill in the blanks" with specific process owners, process operators, where additional documentation can be found, applicable service obligations (e.g., SLAs), and what technology/tools your team has available. We've done the heavy lifting and you just need to fill in the blanks.
Process Owner
- This is the name of the individual or team accountable for the procedure being performed.
- Example: Chief Information Security Officer (CISO) / Cybersecurity Director.
Process Operator
- This is the name of the individual or team responsible for performing the actual task.
- Example: SOC Analyst / Risk Analyst / Network Admin.
Occurrence
- This is the annual, semi-annual, quarterly, monthly, bi-weekly, weekly, daily, continuous or as-needed cadence for how often the procedure needs to be performed.
- Example: Quarterly vulnerability scans / Monthly software patches / Annual risk assessments.
Scope Of Impact
- This is the scope of the procedure:
  - Purely internal processes;
  - Purely external processes (e.g., outsourced vendor processes); or
  - Scope covers both internal processes and external ones.
- It also identifies what the process can affect, which can be one or more of the following items:
  - System;
  - Application;
  - Process;
  - Team;
  - Department;
  - User;
  - Client;
  - Vendor;
  - Geographic region; or
  - The entire company.
Location Of Additional Documentation
- This is where additional documentation is stored or can be found. You might want to reference a Wiki, SharePoint site, or other documentation repository.
Performance Target / SLA
- This addresses targeted timelines for the process to be completed (e.g., Service Level Agreements).
- Not all processes have SLAs or targeted timelines.
Technology In Use
- This addresses the applications/systems/services that are available to perform the procedure. Examples:
  - Splunk as a Security Information and Event Management (SIEM) solution to collect logs;
  - McAfee ePO for centralized antimalware management; or
  - Tripwire Enterprise for File Integrity Monitoring (FIM).
To help illustrate the importance of well-written procedures, here is an illustration to show the difference between poorly-written procedures and well-written ones.
Poorly-written procedure:
- Put peanut butter on bread.
- Put jelly on bread.
- Eat.
Well-written procedure:
1. Place two (2) slices of bread on a plate.
2. Open the jar of peanut butter and use a butter knife to spread approximately two (2) tablespoons of peanut butter on one (1) slice of bread.
3. Open the jar of jelly and use a butter knife to spread approximately two (2) tablespoons of jelly on the other slice of bread.
4. Put the bread slices together with the peanut butter and jelly sides facing each other.
5. Take one (1) bite-sized portion, then chew and swallow.
6. Repeat Step 5 until the sandwich is gone.
Companion Product
The SCRP CSOP answers the how question for cybersecurity operations through documented procedures. The companion SCRP (Cybersecurity & Data Protection Program) answers the why and what questions through policies, control objectives, and standards that these procedures operationalize.
Buying both as a bundle is the most common configuration for organizations that want a complete documentation set. The SCRP and the SCRP CSOP are intentionally mapped 1-to-1: every standard in the SCRP has a corresponding procedure statement in the CSOP. This relationship is what makes the documentation set audit-ready, because it provides direct evidence that policies and standards have been translated into operational practice.

Alignment With The NIST NICE Framework
One very special aspect of the CDPP and SCRP versions of the CSOP is that they leverage the NIST NICE Cybersecurity Workforce Framework. NIST released the NICE framework in 2017 with the purpose of streamlining cybersecurity roles and responsibilities. We adopted this in the CSOP framework since work roles have a direct impact on procedures. By assigning work roles, the CSOP helps direct the work of employees and contractors to minimize assumptions about who is responsible for certain cybersecurity and privacy tasks.

The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to help make assigning the tasks associated with procedures/control activities more efficient and manageable. Keep in mind these are merely recommendations and are fully editable for every organization – this is just a helpful point in the right direction!
The CSOP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.
At the heart of it, the CSOP provides an organization with clear cybersecurity procedures that can scale to meet the needs and complexity of any team. The procedures are mapped to leading frameworks, so it is straightforward to have procedures that directly link to requirements from NIST 800-171, ISO 27002, NIST 800-53 and many other common cybersecurity and privacy-related statutory, regulatory and contractual frameworks!
The value of the CSOP comes from having well-constructed procedure statements that can help you become audit ready in a fraction of the time and cost to do it yourself or hire a consultant to come on-site and write it for you. The entire concept of this cybersecurity procedures template is focused on two things:
- Providing written procedures to walk your team members through the steps they need to meet a requirement to keep your organization secure; and
- Help your company be audit ready with the appropriate level of due diligence evidence that allows you to demonstrate your organization meets its obligations.