Risk Management Program (RMP)
$ 2,175.00 USD
The RMP is designed to address the strategic, operational and tactical components of risk management in order to provide cybersecurity risk management governance. It provides the middle ground between high-level policies and the day-to-day procedures by which risk is actually managed by the individual contributors who execute risk-based controls.
Product Category:
Risk Management
SKU:
P05-RMP
Availability:
Email Delivery Within 1-2 Business Days
ComplianceForge documentation is written to follow industry-recognized secure practices, but you are still expected to tailor the documentation to suit your organization's specific security, compliance & resilience requirements. By providing your company name and your logo (your logo is optional), we tailor the documentation to include this information.
How Do I Request A Quote?
To request a quote, select the "Request a Quote" button beside the "Add To Cart" button. This will direct you to a page where you can request a custom quote.
Can I Pay By Invoice?
Yes. To pay by invoice, add the product to your cart, go through the checkout process, and fill out your billing information. Once you get to the payment method, select "Offline Payment via Invoice / Purchase Order (PO)" and then select "Place Order."
Can I Pay By Wire / ACH?
Yes. To pay by Wire / ACH, you can request an invoice by following the instructions above. Once you have the invoice, it will contain the necessary info for you to finalize payment by Wire / ACH.
Risk Management Program (RMP)
  • Cybersecurity-focused risk management practices to implement a program-level governance function.
  • Holistic approach to risk management aligns with NIST, ISO & SCF risk management practices.
  • Leverages the Security, Compliance & Resilience Risk Management Model (SCR-RMM) from the SCF for scalability.
  • Immense time & cost savings - enables subject matter experts to fill in the details that only they know.
Product Overview

Don't Write It From Scratch.

Nearly every framework and regulation expects you to manage cybersecurity risk in a documented, repeatable way. If an auditor or board member asked how your organization identifies, rates, treats, and tracks risk, could you show a defined process, or just a spreadsheet someone updates occasionally? Building a credible risk management program from a blank page takes specialized expertise most teams lack. The Risk Management Program (RMP) gives you a running start: an editable, program-level risk management playbook aligned to NIST, ISO, and the SCF's Risk Management Model (SCR-RMM), covering how risk is identified, assessed, treated, and reported. It gets you roughly 80 to 90 percent of the way there, then your team tailors the risk criteria and workflows to your organization.

The Cybersecurity Risk Management Program (RMP) is essentially a risk management playbook for how an organization addresses the broader concepts of risk management that are not provided by a policy or standard. It captures the details that explain how risk is actually managed, day to day, by the people who execute risk-based controls.

All companies have a need to manage risk, and most are compelled to do so by requirements that come from a broad range of sources. Regardless of your industry, there are likely requirements to manage cybersecurity risk, and failing to do so could leave your company liable for non-compliance with requirements such as these:

NIST 800-171
Protecting CUI in Nonfederal Information Systems and Organizations - Section 3.11 requires risks to be periodically assessed!
Federal Trade Commission (FTC) Act
15 U.S. Code § 45 deems unfair or deceptive acts or practices in or affecting commerce to be unlawful - poor security practices are covered under this requirement and not managing cybersecurity risk is an indication of poor security practices!
Payment Card Industry Data Security Standard (PCI DSS)
Section 12.2 requires companies to perform a formal risk assessment!
Massachusetts MA 201 CMR 17.00
Section 17.03(2)(b) requires companies to "identify & assess" reasonably-foreseeable internal and external risks!
Oregon Identity Theft Protection Act
Section 646A.622(2)(d)(B)(ii) requires companies to assess risks in information processing, transmission & storage!
Health Insurance Portability and Accountability Act (HIPAA)
Security Rule (45 C.F.R. §§ 164.302–164.318) requires companies to conduct an accurate & thorough assessment of potential risks!
Gramm-Leach-Bliley Act
The Safeguards Rule requires companies to identify and assess risks to customer information!
Vendor Contracts
It is increasingly common for vendors, partners and subcontractors to be contractually-bound to perform recurring risk assessments. Not having a cybersecurity risk management program could lead to breach of contract or losing a bid!
Product Details

What Is The RMP?

Risk, threat and vulnerability management practices are meant to achieve a minimum level of protection - this equates to a reduction in the total risk due to the protections offered by implemented controls. These ecosystem components have unique meanings that need to be understood to reasonably protect people, processes, technology and data. Understanding the context of how these components integrate can lead to more meaningful and practical risk management practices.

The latest version of the RMP is aligned with the Secure Controls Framework (SCF) Risk Management Model (SCR-RMM), which provides a very flexible approach to risk management. It ties in with the Cybersecurity Risk Assessment (CRA) template, which is also aligned with the SCR-RMM and complements the RMP by providing a repeatable, professional template for performing controls-based risk assessments.

Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The RMP is an editable Microsoft Word document that provides program-level guidance and directly supports your organization's policies and standards for managing cybersecurity risk. Unfortunately, most companies lack a coherent approach to managing risks across the enterprise:

  • When you look at getting audit ready, your policies and standards only cover the "why?" and "what?" questions of an audit. This product addresses the “how?” questions for how your company manages risk.
  • The RMP provides clear, concise documentation that provides a "paint by numbers" approach to how risk is managed.
  • The RMP addresses fundamental needs when it comes to what is expected in cybersecurity risk management:
    • How risk is defined.
    • Who can accept risk.
    • How risk is calculated by defining the potential impact and likelihood.
    • Necessary steps to reduce risk.
    • Risk considerations for vulnerability management.
  • The RMP is based on leading frameworks, such as the NIST Risk Management Framework (NIST SP 800-37 Rev. 2), NIST SP 800-39, ISO 31010 and COSO 2013.
  • Just as Human Resources publishes an “employee handbook” to let employees know what is expected for employees from a HR perspective, the RMP does this from a cybersecurity risk management perspective.
How It's Delivered

No Software To Install

The RMP is a one-time purchase of editable Microsoft Office-based documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If the organization can open and edit Microsoft Word files, the RMP is ready to use.

Microsoft Word

Delivered as fully editable .docx files. Compatible with Word 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Workspace. The paired CRA template is delivered as Microsoft Excel.

Email Delivery

Documentation is delivered via email download link within 1-2 business days of purchase, often the same business day. There is no installer, no license server, and no activation step.

One-Time Purchase

A single-entity license is included with purchase. There is no recurring subscription requirement, although an optional update subscription is available to stay current as risk management frameworks evolve.

This deployment model is intentional. Risk management documentation benefits from being in the organization's own hands, inside its own document management systems, rather than locked inside a vendor's SaaS tool. Once delivered, this product belongs to the buyer.

The Problem

What Problems Does the RMP Solve?

Lack Of In-House Security Experience

Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers with writing comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The RMP is an efficient method to obtain comprehensive risk management documentation for your organization!

Compliance Requirements

Requirements such as PCI DSS, HIPAA, MA 201 CMR 17.00 and NIST 800-171 establish a mandate to formally manage risk. The RMP addresses these compliance requirements!

Audit Failures

Similar to vulnerability management, most organizations run into trouble in audits when asked HOW risk is managed, since they cannot provide documentation beyond policies and standards. The RMP addresses the HOW for you!

Vendor Due Diligence Requirements

It is very common for clients and partners to request evidence of a risk management program during their due diligence. The RMP provides this evidence!

The Solution

How Does the RMP Solve These Problems?

The RMP addresses each risk management documentation challenge with concrete, measurable outcomes. It is designed to take an organization from a blank document to a defensible, customizable risk management program in weeks rather than months — with a controls-based assessment template included for the actual risk assessment work.

Clear Documentation

The RMP provides the comprehensive documentation to prove that your risk program exists.

Time Savings

The RMP provides actionable guidance on what steps can be taken to categorize, calculate and manage risk in a sustainable manner.

Alignment With Leading Practices

The RMP is written to support COSO, COBIT, NIST and ISO frameworks that provide you with significant flexibility.

What You Get

What Is Included?

The RMP is delivered as editable Microsoft Office documentation. Purchase includes a single-entity license, the first year of product updates, and the Cybersecurity Risk Assessment (CRA) template that pairs with the RMP to provide a controls-based risk assessment format.

The Cybersecurity Risk Management Program (RMP) includes the following content to establish a comprehensive basis for defining and documenting how your company manages cybersecurity risk:

Risk Taxonomy
  • What Is Risk?
  • Risk Management Activities
  • Risk Management Benefits
  • Who Has The Authority To Manage Risk
  • Risk Management Decisions
How Risk Is Categorized
  • Low Risk
  • Medium Risk
  • High Risk
  • Severe Risk
  • Extreme Risk
Risk Management Fundamentals
  • Risk Management Principles
  • Risk Management Maturity Levels
  • Defining The Risk Appetite
  • Situation Awareness
  • Analyzing Risks
  • Evaluating & Prioritizing Risks
  • Risk Treatment
  • Monitoring Risk
  • Documenting Risk & Reporting Findings
Cybersecurity Risk Management Methodology
  • COSO – Strategic (Enterprise-Level Approach to Risk Management)
  • ISO – Operational (Initiative / Program-Level Approach to Risk Management)
  • NIST – Tactical (Asset / Project-Level Approach to Risk Management)
Appendices
  • Sources of Risk
  • Risk Roles & Responsibilities
  • Risk Assessment Techniques

Your ROI

Cost Savings Estimate

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparison paints a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the RMP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

Internal Staff Cost

For your internal staff to generate comparable documentation, it would take them an estimated 200 internal staff work hours, which equates to a cost of approximately $17,500 in staff-related expenses. This is about 3 to 6 months of development time where your staff would be diverted from other work.

At $2,175, the RMP is approximately 12% of the estimated $17,500 cost for your internal staff to generate equivalent documentation.

External Consultant Cost

If you hire a consultant to generate this documentation, it would take them an estimated 140 consultant work hours, which equates to a cost of approximately $43,000. This is about 2 to 3 months of development time for a contractor to provide you with the deliverable.

The RMP is approximately 5% of the cost for an external consultant to generate equivalent documentation.

See It First

Product Examples

Regardless if your cybersecurity program aligns with NIST, ISO, COBIT, ENISA or another framework, the RMP is designed to address the strategic, operational and tactical components of risk management to provide cybersecurity risk management governance. Policies & standards are absolutely necessary to an organization, but they fail to describe HOW risk is actually managed. The RMP provides this middle ground between high-level policies and the actual procedures of how risk is managed on a day-to-day basis by those individual contributors who execute risk-based controls.

The PDF example below shows representative content from the RMP so the quality and structure of the documentation can be evaluated before purchase.

Example Content

Below is a PDF example containing a sample of the RMP content you would receive upon purchase.

Your Effort

How Much Customization Remains?

Given the difficult nature of writing templated risk management documentation, ComplianceForge aims for approximately an 80% solution because it is impossible to write a 100% cookie-cutter document that can be equally applied across every organization. Risk management depends on the specific organization's risk appetite, risk tolerance, and governance structure, so the remaining work is fine-tuning the RMP with the specific information that only the organization knows.

In practice, customization is filling in the blanks and following the guidance provided to identify the who, what, when, where, why, and how for the specific risk environment. Typical customization tasks include adding the company name and logo, naming the risk approvers and risk owners, tailoring impact and likelihood scales, defining the risk register format, and removing sections that do not apply to the organization.

Need A Hand?

Professional Services

ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:

We offer the following professional service bundles:

5-Hour Bundle

This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.

10-Hour Bundle

This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.

20-Hour Bundle

This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.

Important Details About Professional Services

Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.

Risk Drivers

Why Risk Management Documentation Matters

Formal cybersecurity risk management documentation has become a baseline expectation across regulatory, contractual, and customer due-diligence contexts. NIST 800-171 Section 3.11 requires risks to be periodically assessed. PCI DSS Section 12.2 requires companies to perform a formal risk assessment. HIPAA Security Rule requires accurate and thorough assessment of potential risks. MA 201 CMR 17.00, Oregon ITPA, GLBA Safeguards Rule, and the FTC Act Section 5 all carry related risk-assessment obligations. The SEC cybersecurity disclosure rule for public companies requires materiality assessment of cybersecurity risks.

Vendor contracts increasingly require recurring risk assessments. Not having a cybersecurity risk management program can lead to breach of contract, lost bids, and elevated insurance premiums. The RMP provides a complete, defensible risk management baseline that can be customized to the organization's risk appetite and governance structure in weeks rather than months.

The RMP serves as a foundational element in your organization's cybersecurity risk program. It can stand alone or be paired with other specialized products we offer.

Even larger organizations that have Enterprise Risk Management (ERM) departments can tie the RMP into their broader risk management framework. ComplianceForge reduced the complexity by creating a usable risk management framework that any company can implement to manage risks, covering:

  • How risk is categorized
  • Risk management fundamentals
  • Risk maturity levels
  • Defining risk appetite & risk tolerance thresholds
  • Evaluating & prioritizing risks
  • Risk treatment
  • Documenting risk & reporting findings
  • Defining potential impact
  • Defining potential likelihood
  • Defining criticality levels for assets / systems / data
  • Sources of risk
Operational Risk Assessment Capability

CRA Template Pairs With The RMP

The Cybersecurity Risk Assessment (CRA) template is the operational counterpart to the RMP. The RMP defines how risk is managed at the program level; the CRA gives the repeatable, professional format for performing the actual controls-based risk assessments. Both products are aligned with the Secure Controls Framework (SCF) Risk Management Model (SCR-RMM), so they integrate as one capability rather than two disconnected templates.

The CRA template is also available as a standalone product for organizations that already have a risk management program in place and only need a professional risk assessment format. Together, the RMP and the CRA address both the how (program-level risk governance) and the what (the assessment artifact itself) of cybersecurity risk management.

Aligned With Leading Frameworks

Based on NIST 800-37 Rev2, COSO 2013, COBIT 5 & ISO 31010 Best Practices!

The RMP is an editable Microsoft Word document that contains the requirements needed to establish a risk management program. Quite simply, the Cybersecurity Risk Management Program (RMP) provides your company with evidence that a documented risk management program exists to address operational risks associated with information and technology. From a Capability Maturity Model (CMM) perspective, if a risk program is not documented, incomplete or ad-hoc, it could be a liability for a company, since it indicates negligence with a statutory, regulatory or contractual requirement to manage risk. The RMP addresses the due care component of getting an organization to a mature level for managing risk.

Determine the Potential Likelihood of Threat Occurrence

Organizations must take into account the probability of potential risks, since that is what defines the legitimate threat landscape. The results of this assessment, combined with the initial list of threats, determine which threats require protection, because those are the ones that are “reasonably anticipated” based on your unique situation.

Determine the Potential Impact of Threat Occurrence

Organizations must consider the “criticality,” or impact, of potential risks to the confidentiality, integrity and availability of their data and information systems. Not all systems are equal: some systems could go down and no one would notice, while others could bring business operations to an immediate halt.

The RMP helps assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. The measurement can be qualitative, quantitative or a combination of the two.

Determine the Level of Risk

From likelihood and potential impact, organizations can assign risk levels to every threat and vulnerability combination identified during the risk analysis. The RMP allows you to assign a level of risk by combining the values assigned to the likelihood of threat occurrence and the resulting impact.

The Cybersecurity Risk Management Program (RMP) provides best-practices guidance on risk management at the strategic, operational and tactical levels! This is important, since this hybrid or "best of breed" approach takes advantage of the strengths of each best-practice model (e.g., COSO, COBIT, ISO & NIST) and gives you considerable flexibility in how you conduct risk management operations.

Due Care Considerations

Reasonable Expectations For Managing Risk

Are you prepared to answer the "why" or "how" questions for your risk assessments? It is a pretty scary question for many people, since their risk assessments are not based on anything beyond “gut feelings” and are overly subjective. When an auditor comes knocking, it is critically important to be able to point to program documentation that justifies your decisions. The RMP is intended to be the foundational documentation that you implement to define and manage risk at your company.

The Cybersecurity Risk Management Program clearly lays out and defines cybersecurity risk for your organization - how you plan to address risk management at the strategic, operational, and tactical levels! This is based on industry-recognized best practices for risk management from COSO, ISO and NIST, so the framework is based on what reasonable expectations are for managing cybersecurity risk. For simple risk assessments, the 6x6 risk matrix can be used to quickly identify the appropriate level of risk the scenario represents. With that knowledge, it is easy to then escalate the risk to the appropriate level of management for resolution (e.g., accept, transfer, mitigate or avoid the risk).

Make Assessing Risk More Efficient

Understanding Layers of Risk

Dependencies are of critical importance when assessing risk, since risk can have a cascading effect. Ideally, a risk assessment at a tactical level (e.g., assessment of a specific application or host) should leverage existing risk assessments that address “upstream” risks. For example, a well-designed and securely-coded application could be compromised if the host system it is running on is insecure. Similarly, the application could be made unavailable if the datacenter lacks measures to ensure uptime against natural or man-made threats.

As part of overall risk management, your company should perform several formal risk assessments, which are meant to be used as references for more detailed project-specific risk assessments. At a minimum, risk assessments should exist for commonly-leveraged aspects of your company's IT environment:

  • Datacenters (including infrastructure risks)
  • Secure configurations for hosts and major applications (e.g., databases, email, Intranet)

By being able to leverage those existing risk assessments, it will allow for more efficient assessments of applications. The RMP helps build this foundation for efficient risk management by framing risk according to the following concepts:

Application-Specific Risk
Risks associated with applications include, but are not limited to:
  • Insecure code (developers did not follow secure coding practices)
  • Default/weak credentials
  • Weak encryption
  • Passwords/sensitive data stored in clear text
  • Inadequate permissions management
  • Missing software patches
  • Logging/monitoring not being performed
Host-Specific Risk
Risks associated with hosts include, but are not limited to:
  • Lack of system hardening
  • Default/weak credentials
  • Lack of encryption at rest
  • Missing or poorly defined Role-Based Access Control (RBAC)
  • Missing software patches
  • Logging/monitoring not being performed
  • Backups not being performed
Infrastructure-Specific Risk
Risks associated with infrastructure include, but are not limited to:
  • Improper equipment (e.g., consumer-grade networking hardware vs business/enterprise-grade)
  • Lack of system hardening
  • Default/weak credentials
  • Lack of encryption in transit
  • Missing or poorly defined Role-Based Access Control (RBAC)
  • Missing software patches
  • Logging/monitoring not being performed
Facility-Specific Risk
Risks associated with facilities include, but are not limited to:
  • Inadequate physical access controls
  • Inadequate environmental controls (e.g., power, cooling, fire suppression)
  • Lack of redundant utilities
  • Lack of trained response personnel and a disaster recovery plan
Risk Associated With Other Dependencies
Risks associated with other dependencies include, but are not limited to:
  • Lack of software escrow agreements
  • Developer/vendor management
  • Trans-border data transfers (international law ramifications)
  • Business limitations (e.g., timelines, funding, regulations, politics, etc.)
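
To make the likelihood-by-impact scoring, the five risk levels and the cascading of upstream risk concrete, here is an added Python example. It is not ComplianceForge's code and is not part of the RMP; the 6-point scales, the banding of the 6x6 matrix onto Low / Medium / High / Severe / Extreme, the acceptance authorities, the risk appetite ceiling and the sample register entries (dc-east, db-01, payroll-app) are all assumptions chosen for illustration, and the RMP template is where an organization defines its own.

```python
"""Added illustration of 6x6 risk scoring with cascading upstream risk.

Not ComplianceForge's tooling. Every scale, band, role and asset below is an
assumption for the example; the RMP defines the organization's own values.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed 6-point ordinal scales (the RMP defines its own wording and anchors).
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3,
              "likely": 4, "probable": 5, "certain": 6}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3,
          "major": 4, "severe": 5, "catastrophic": 6}

# The five risk levels named in the RMP, ordered least to most severe.
LEVELS = ["Low", "Medium", "High", "Severe", "Extreme"]

# Assumed banding of the 6x6 product score (1..36) onto those five levels:
# score <= ceiling -> level. Tune these to the organization's own matrix.
LEVEL_CEILINGS = [(4, "Low"), (9, "Medium"), (16, "High"),
                  (25, "Severe"), (36, "Extreme")]

# Assumed acceptance authority per level ("who can accept risk").
ACCEPTANCE_AUTHORITY = {"Low": "asset owner", "Medium": "IT manager",
                        "High": "CISO", "Severe": "CIO",
                        "Extreme": "executive leadership"}

# Assumed risk appetite: anything above this level must be treated, not accepted.
RISK_APPETITE_CEILING = "Medium"


def score(likelihood: str, impact: str) -> int:
    """Raw matrix score: likelihood rating x impact rating (1..36)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def level_for(raw_score: int) -> str:
    """Map a raw score onto one of the five RMP levels using the assumed bands."""
    for ceiling, name in LEVEL_CEILINGS:
        if raw_score <= ceiling:
            return name
    raise ValueError(f"score {raw_score} is outside the 6x6 matrix")


@dataclass
class Risk:
    asset: str
    layer: str                   # facility, infrastructure, host or application
    likelihood: str
    impact: str
    depends_on: List[str] = field(default_factory=list)   # upstream assets


def inherent_level(risk: Risk) -> str:
    """Level from the asset's own likelihood and impact, ignoring dependencies."""
    return level_for(score(risk.likelihood, risk.impact))


def effective_level(risk: Risk, register: Dict[str, Risk], _seen=()) -> str:
    """Cascade risk: an asset is rated no lower than anything it depends on."""
    if risk.asset in _seen:                      # guard against a mis-entered cycle
        raise ValueError(f"dependency cycle through {risk.asset}")
    worst = inherent_level(risk)
    for upstream in risk.depends_on:
        up = effective_level(register[upstream], register, _seen + (risk.asset,))
        if LEVELS.index(up) > LEVELS.index(worst):
            worst = up
    return worst


def disposition(risk: Risk, register: Dict[str, Risk]) -> dict:
    """Decide whether the risk may be accepted, and by whom, or must be treated."""
    eff = effective_level(risk, register)
    within_appetite = LEVELS.index(eff) <= LEVELS.index(RISK_APPETITE_CEILING)
    return {
        "asset": risk.asset,
        "inherent": inherent_level(risk),
        "effective": eff,
        "within_appetite": within_appetite,
        "accept_by": ACCEPTANCE_AUTHORITY[eff],
        "action": "accept" if within_appetite
                  else "treat (mitigate, transfer or avoid) before acceptance",
    }


def prioritize(register: Dict[str, Risk]) -> List[dict]:
    """Evaluate every register entry and order it worst-first for treatment."""
    rows = [disposition(r, register) for r in register.values()]
    return sorted(rows, key=lambda d: LEVELS.index(d["effective"]), reverse=True)


# Constructed sample register (not real assets): a datacenter, a host in it and
# an application on that host, illustrating the upstream dependency chain.
REGISTER = {
    "dc-east": Risk("dc-east", "facility", "unlikely", "catastrophic"),
    "db-01": Risk("db-01", "host", "possible", "major", depends_on=["dc-east"]),
    "payroll-app": Risk("payroll-app", "application", "remote", "major",
                        depends_on=["db-01"]),
}

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
```

Running the block prints the register ordered worst-first. Note that payroll-app scores Low on its own but is rated High once its host and datacenter dependencies are taken into account, which is exactly the upstream effect the layered assessments above are meant to capture, and the cycle check in effective_level stops a mis-entered register from recursing forever.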
Testimonials

What Are Some Of Our Testimonials?

Excellent Starting Point
ComplianceForge's SCF-based policy documentation offers consolidated coverage of security and privacy controls requirements in a single, cohesive package. Because it's built on the Secure Controls Framework, a metaframework that tracks security and privacy standards globally and releases quarterly updates, it gives organizations confidence that their documentation stays current as requirements evolve. For any organization standing up a security and privacy program from scratch, it provides an excellent starting point.
Would You Like To Share Your Experiences?
If you are satisfied with your product and would like to leave a review, please fill out our testimonial form and share your experiences with our documentation! We enjoy hearing from satisfied customers, and we are always open to constructive feedback so that we can continue improving our products.