
Example Cybersecurity & Privacy Policies, Standards, & Procedures

We are proud of the documentation that we produce for our clients and we encourage you to take a look at our example cybersecurity documentation. Each product page has at least one PDF example so that you can view the quality of ComplianceForge products for yourself - if you scroll down on the product pages you will find an "examples" section (generally located about 1/4 of the way down each product page). 

Let us help you be successful. For many IT, cybersecurity and privacy professionals, the word "policy" is used when what they really mean is a "standard", and that creates a great deal of confusion when discussing cybersecurity documentation, since those are not interchangeable terms. The most common questions we get pertain to "word crimes" that revolve around a misunderstanding of what a policy, standard or procedure is meant to be, based on industry-recognized definitions. There are a lot of bad practices out there, so we demonstrate what the words actually mean, so that everyone can operate from the same baseline understanding of the terminology. In compliance, words have meanings and terminology matters.

Cybersecurity & data protection documentation needs to be usable. This means the documentation needs to be written clearly, concisely and in business-context language that users can understand. By doing so, users will be able to find the information they are looking for, and that will lead to IT security best practices being implemented throughout your company. Additionally, having good cybersecurity documentation can be "half the battle" when preparing for an audit, since it shows that effort went into the program and key requirements can be easily found. The PDF document shown below provides two side-by-side examples from policies all the way through metrics, so you can see what the actual content looks like.

[PDF: example policies, standards and procedures template]

Word Crimes: Start From A Solid Understanding Of What Right Looks Like For Cybersecurity Documentation

The Hierarchical Cybersecurity Governance Framework (HCGF) is the "ComplianceForge Reference Model" of cybersecurity and privacy documentation. The HCGF is a documentation model that leverages industry-recognized terminology to logically arrange these documentation components into their rightful order. This model creates an approach to architecting documentation that is concise, scalable and comprehensive. When that is all laid out properly, an organization's cybersecurity and data protection documentation should be hierarchical and linked from policies all the way through metrics. The swimlane diagram shown below (click for a larger PDF) defines the terminology and demonstrates the linkages between these various documentation components.

It all starts with influencers. These influencers set the tone and establish what is considered to be due care for cybersecurity & data protection operations. External influencers include statutory requirements (laws), regulatory requirements (government regulations) and contractual requirements (legally-binding agreements) that companies must address. Internal influencers are business-driven, and the focus is more on management's desire for consistent, efficient and effective operations:

[Figure: ComplianceForge Reference Model - Hierarchical Cybersecurity Governance Framework (HCGF) swimlane diagram]

Not Sure Which Framework Is The "Best" Cybersecurity Framework For Your Needs?

The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organization must comply with will most often point you to one of these cybersecurity frameworks to kick off the discussion about "Which framework is most appropriate for our needs?":

[Figure: NIST 800-53 vs ISO 27001/27002 vs NIST CSF vs SCF]

In the context of good cybersecurity documentation, the components are hierarchical and build on each other to form a strong governance structure that takes an integrated approach to managing requirements. Well-designed documentation is generally comprised of six (6) main parts:

  1. Policies establish management’s intent;
  2. Control Objectives identify leading practices (mapped to requirements from laws, regulations and frameworks);
  3. Standards provide quantifiable requirements;
  4. Controls identify desired conditions that are expected to be met (requirements from laws, regulations and frameworks);
  5. Procedures / Control Activities establish how tasks are performed to meet the requirements established in standards and to meet controls; and
  6. Guidelines are recommended, but not mandatory.

[Figure: NIST 800-53 / 800-171, ISO 27001/27002, NIST CSF and SCF policies, standards and procedures example]

The "ComplianceForge Reference Model" for writing documentation is entirely based on industry-recognized "best practices" according to terminology definitions from NIST, ISO, ISACA and AICPA. This approach is designed to encourage clear communication by clearly defining cybersecurity and privacy documentation components and how those are linked. This comprehensive view identifies the primary documentation components that are necessary to demonstrate evidence of due diligence and due care. It addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. The Secure Controls Framework (SCF) fits into this model by providing the cybersecurity and privacy controls an organization needs to implement to stay both secure and compliant. ComplianceForge simplified the hierarchical nature of cybersecurity and privacy documentation into a model that visualizes the unique role of each of these components, as well as the dependencies that exist between them.

To demonstrate that bold claim, we wrote the "START HERE: A guide to understanding cybersecurity and data protection documentation". It follows the schema shown above (the Hierarchical Cybersecurity Governance Framework (HCGF)) and demonstrates the linkages from policies all the way through metrics. The guide is designed to demonstrate "what right looks like" for cybersecurity and privacy documentation, so that it is scalable and concise while still providing comprehensive coverage. You can jump straight to the definitions on page 6 if you are curious.

[PDF: Guide to understanding policies vs standards vs procedures vs controls vs metrics]



Understanding Basic Cybersecurity & Data Protection Documentation Components

It is imperative that cybersecurity and privacy documentation be scalable and flexible, so it can adjust to changes in technology, evolving risk and changes within an organization. The modern approach to cybersecurity and privacy documentation is modular: it is best to link to or reference other documentation, rather than replicating content throughout multiple policy or standard documents. Not only is the "traditional model of cybersecurity documentation" inefficient, it can also be confusing and lead to errors. Additionally, when it comes to audits/assessments, "time is money": inefficient, cumbersome documentation has a very real financial cost associated with the amount of time it takes an auditor/assessor to parse through it. Concise, efficient documentation can pay for itself in the cost savings from a single audit/assessment.

A good example of documentation that is scalable, modular and hierarchical is in the diagram below:

[Figure: cybersecurity documentation hierarchy]

External vs Internal Documentation

External Frameworks

Industry frameworks are often referred to as "standards". In reality, most frameworks are merely a repository of specific controls that are organized by control families (e.g., NIST CSF, ISO 27002, NIST SP 800-171, NIST SP 800-53, etc.). For example, while NIST SP 800-53 R5 is called a "standard", it is made up of 1,189 controls that are organized into 20 control families (e.g., Access Control (AC), Program Management (PM), etc.). Those controls are what make NIST SP 800-53 a "framework" that an organization can use as a guide to develop the internal policies and standards that allow it to align with those expected practices.

Internal Cybersecurity & Privacy Documentation

An organization is expected to identify the cybersecurity and privacy principles (e.g., an industry framework) that it wants to align its cybersecurity and privacy program with, so that its practices follow reasonably-expected controls. For example, the diagram below shows how an organization's alignment with NIST SP 800-53 R5 can be made more straightforward and efficient:

[Figure: free cybersecurity documentation example]

ComplianceForge Sells Far More Than Just Cybersecurity Policies & Standards!

ComplianceForge sells a wide range of documentation from core policies and standards, to function-specific "program level" documentation to procedures. We encourage you to read through the product pages to learn more.


If you have any product-related questions, please let us know. We are happy to help answer your questions!

Browse Our Products

  • Digital Security Program (DSP) - Policy, Standards, Controls & Metrics Template - DSP / SCF
    Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...
    $9,500.00 - $14,300.00

  • NIST Cybersecurity Framework (NIST CSF) - Policies & Standards - Policy & Standards Template - NIST CSF 2.0
    NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) Policy Template - Editable Policies & Standards. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common...
    $1,800.00 - $6,600.00

  • ISO 27001 27002 - Policies & Standards - Policy & Standards Template - ISO 27001 / 27002
    ISO 27001 & 27002 Policy Template (updated for ISO 27001:2022 & 27002:2022). Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common...
    $1,800.00 - $6,600.00

  • Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP)
    NIST SP 800-161 Rev 1 - Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP). Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the C-SCRM is...
    $3,850.00 - $8,650.00

  • NIST 800-53 R5 - Policies & Standards - Policy & Standards Template - NIST 800-53 R5 (moderate)
    NIST 800-53 Rev5 Policy Template, low & moderate baseline. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common questions we receive...
    $1,800.00 - $6,600.00

  • NIST 800-53 R5 - Policies & Standards - Low, Moderate & High Baselines - Policy & Standards Template - NIST 800-53 R5 (high)
    NIST SP 800-53 Rev5 Policy Template, low, moderate & high baseline. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common questions we receive...
    $2,700.00 - $7,500.00

  • Vulnerability & Patch Management Program (VPMP)
    Vulnerability & Patch Management Program. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the VPMP is to help answer common questions we receive. What Is The Vulnerability...
    $1,975.00 - $6,775.00

  • Risk Management Program (RMP)
    Cybersecurity Risk Management Program. Use this to build your company's risk management program so that you can perform risk assessments in a professional manner. The Microsoft Word document is fully editable for your needs. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the RMP is to help answer common questions we receive. What Is The Risk Management...
    $1,975.00 - $6,775.00

  • Cybersecurity Risk Assessment (CRA) Template
    Cybersecurity Risk Assessment Template. Use this template to perform risk assessments of your organization that cover natural, man-made and IT security risks. The Microsoft Word and Excel documents are fully editable for your needs. NIST 800-171 risk assessment. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CRA is to help answer common questions we receive. What Is The Cybersecurity Risk...
    $1,750.00 - $6,550.00

  • Integrated Incident Response Program (IIRP)
    NIST 800-61 based Integrated Cybersecurity Incident Response Program. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the IIRP is to help answer common questions we receive. What Is The Integrated Incident...
    $1,975.00 - $6,775.00

  • Cybersecurity Standardized Operating Procedures (CSOP) Template - NIST 800-53 & FedRAMP low, moderate and high baseline - Procedures Template - NIST 800-53 R5 (high)
    Cybersecurity Standardized Operating Procedures (CSOP), NIST 800-53 R5 HIGH & FedRAMP LOW/MODERATE/HIGH version. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CSOP is to...
    $5,450.00 - $10,250.00

  • NIST 800-171 Compliance Program (NCP): CMMC Level 2
    This is a bundle of products that are specific to NIST 800-171 and CMMC 2.0 compliance - policies, standards, procedures, SSP & POA&M templates. Editable CMMC 2.0 Level 2 (old Level 3) policies, standards, procedures, SSP & POA&M templates. NIST 800-171 R2 & R3 / CMMC 2.0 Editable & Affordable Cybersecurity Documentation. This short product walkthrough video is designed to give a brief overview about what the NCP is to help answer common questions we receive. Includes...
    $5,200.00 - $10,000.00
