
Example Cybersecurity & Privacy Policies, Standards, & Procedures

We are proud of the documentation that we produce for our clients and we encourage you to take a look at our example cybersecurity documentation. Each product page has at least one PDF example so that you can view the quality of ComplianceForge products for yourself. If you scroll down on a product page you will find an "examples" section (generally located about 1/4 of the way down each product page).

Let us help you be successful

For many IT / cybersecurity / privacy professionals, when they refer to a "policy" they really mean a "standard", and that creates a great deal of confusion when discussing cybersecurity documentation, since those are not interchangeable terms. The most common questions we get pertain to "word crimes" that revolve around misunderstanding what a policy, standard or procedure is meant to be, based on industry-recognized definitions. There are a lot of bad practices, so we demonstrate what the words actually mean so that everyone can operate from the same baseline understanding of the terminology. In compliance, words have meanings and terminology matters.

Cybersecurity & data protection documentation needs to be usable. This means the documentation needs to be written clearly, concisely and in business-context language that users can understand. By doing so, users will be able to find the information they are looking for, and that will lead to IT security best practices being implemented throughout your company. Additionally, having good cybersecurity documentation can be "half the battle" when preparing for an audit, since it shows that effort went into the program and key requirements can be easily found. The PDF document shown below provides two side-by-side examples, from policies all the way through metrics, so you can see what the actual content looks like.

[PDF: example policies, standards and procedures template]

Word Crimes: Start From A Solid Understanding Of What Right Looks Like For Cybersecurity Documentation

The Hierarchical Cybersecurity Governance Framework (HCGF) is the "ComplianceForge Reference Model" for cybersecurity and privacy documentation. The HCGF is a documentation model that leverages industry-recognized terminology to logically arrange these documentation components into their rightful order. This model creates an approach to architecting documentation that is concise, scalable and comprehensive. When that is all laid out properly, an organization's cybersecurity and data protection documentation should be hierarchical and linked from policies all the way through metrics. The swimlane diagram shown below (click for a larger PDF) defines the terminology and demonstrates the linkages between these various documentation components.

It all starts with influencers. These influencers set the tone and establish what is considered to be due care for cybersecurity & data protection operations. External influencers include statutory requirements (laws), regulatory requirements (government regulations) and contractual requirements (legally-binding agreements) that companies must address. Internal influencers are business-driven, and the focus is more on management's desire for consistent, efficient and effective operations:

[Diagram: ComplianceForge Reference Model - Hierarchical Cybersecurity Governance Framework]

Not Sure Which Framework Is The "Best" Cybersecurity Framework For Your Needs?

The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organization must comply with will most often point you to one of these cybersecurity frameworks to kick off the discussion about "Which framework is most appropriate for our needs?":

[Diagram: NIST 800-53 vs ISO 27001/27002 vs NIST CSF vs SCF]

In the context of good cybersecurity documentation, components are hierarchical and build on each other to form a strong governance structure that utilizes an integrated approach to managing requirements. Well-designed documentation is generally comprised of six (6) main parts:

  1. Policies establish management’s intent;
  2. Control Objectives identify leading practices (mapped to requirements from laws, regulations and frameworks);
  3. Standards provide quantifiable requirements;
  4. Controls identify desired conditions that are expected to be met (requirements from laws, regulations and frameworks);
  5. Procedures / Control Activities establish how tasks are performed to meet the requirements established in standards and to meet controls; and
  6. Guidelines are recommended, but not mandatory.

[Diagram: NIST 800-53 / 800-171, ISO 27001 / 27002, NIST CSF and SCF policies, standards and procedures example]

The "ComplianceForge Reference Model" for writing documentation is entirely based on industry-recognized "best practices" according to terminology definitions from NIST, ISO, ISACA and AICPA. This approach is designed to encourage clear communication by clearly defining cybersecurity and privacy documentation components and how those are linked. This comprehensive view identifies the primary documentation components that are necessary to demonstrate evidence of due diligence and due care. It addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. The Secure Controls Framework (SCF) fits into this model by providing the cybersecurity and privacy controls an organization needs to implement to stay both secure and compliant. ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation into a model that visualizes the unique nature of these components, as well as the dependencies that exist between them.

To demonstrate that bold claim, we wrote the "START HERE: A guide to understanding cybersecurity and data protection documentation". It follows the schema shown above (the Hierarchical Cybersecurity Governance Framework (HCGF)) and demonstrates the linkages from policies all the way through metrics. The guide is designed to demonstrate "what right looks like" for cybersecurity and privacy documentation, so that it is scalable and concise while still providing comprehensive coverage. You can jump straight to the definitions on page 6 if you are curious.

[PDF: Guide to understanding policies vs standards vs procedures vs controls vs metrics]

Cybersecurity & data protection documentation needs to be usable; it cannot just exist in isolation. This means the documentation needs to be written clearly, concisely and in business-context language that users can understand. By doing so, users will be able to find the information they are looking for, and that will lead to IT security best practices being implemented throughout your company. Additionally, having good cybersecurity documentation can be "half the battle" when preparing for an audit, since it shows that effort went into the program and key requirements can be easily found.


Understanding Basic Cybersecurity & Data Protection Documentation Components

It is imperative that cybersecurity and privacy documentation be scalable and flexible, so it can adjust to changes in technology, evolving risk and changes within an organization. The modern approach to cybersecurity and privacy documentation is modular: it is best to link to or reference other documentation, rather than replicating content throughout multiple policy or standard documents. Not only is the "traditional model of cybersecurity documentation" inefficient, it can also be confusing and lead to errors. Additionally, when it comes to audits/assessments, "time is money": inefficient, cumbersome documentation has a very real financial cost associated with the amount of time it takes an auditor/assessor to parse through the documentation. Concise, efficient documentation can pay for itself in the cost savings from a single audit/assessment.

A good example of documentation that is scalable, modular and hierarchical is shown in the diagram below:

[Diagram: cybersecurity documentation hierarchy]

External vs Internal Documentation

External Frameworks

Industry frameworks are often referred to as standards. In reality, most frameworks are merely a repository of specific controls that are organized by control families (e.g., NIST CSF, ISO 27002, NIST SP 800-171, NIST SP 800-53, etc.). For example, while NIST SP 800-53 R5 is called a "standard", it is made up of 1,189 controls that are organized into 20 control families (e.g., Access Control (AC), Program Management (PM), etc.). These controls are what make NIST SP 800-53 a "framework" that an organization can use as a guide to develop the internal policies and standards that allow it to align with those expected practices.

Internal Cybersecurity & Privacy Documentation

An organization is expected to identify the cybersecurity and privacy principles (e.g., an industry framework) that it wants to align its cybersecurity and privacy program with, so that its practices follow reasonably-expected controls. For example, to help make an organization's alignment with NIST SP 800-53 R5 more straightforward and efficient:

[Diagram: cybersecurity documentation example]

ComplianceForge Sells Far More Than Just Cybersecurity Policies & Standards!

ComplianceForge sells a wide range of documentation, from core policies and standards to function-specific "program level" documentation and procedures. We encourage you to read through the product pages to learn more.


If you have any product-related questions, please let us know. We are happy to help answer your questions!

Browse Our Products

  • NIST 800-171 System Security Plan (SSP) for protecting Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls

    NIST 800-171 System Security Plan (SSP) Template

    ComplianceForge

    NIST 800-171 System Security Plan (SSP) Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the SSP is to help answer common questions we receive. What Is The NIST 800-171 System...

    $890.00 - $5,690.00
  • PCI DSS v4 Information Security Policies & Standards. These policies and standards are specific to PCI DSS, so it is easy to add them to an existing IT security program to cover your PCI DSS compliance needs.

    Policies & Standards - PCI DSS v4 SAQ A

    ComplianceForge

    Note: This version is specific to Self-Assessment Questionnaire (SAQ) A for PCI DSS v4.0. If you are not sure what SAQ level you need, please review the official PCI Standards Council site. PCI DSS v4.0 - Cybersecurity Policies &...

    $1,050.00
  • CMMC 2.0 L1 & FAR 52.204-21 Policies, Standards & Procedures

    CMMC Bundle 1: Level 1 (CMMC 2.0 L1 & FAR 52.204-21)

    ComplianceForge - NIST 800-171 & CMMC

    CMMC 2.0 Level 1 - CMMC 2.0 L1 & FAR 52.204-21 Policies, Standards & Procedures - CMMC Level 1 (20% discount) This bundle is as streamlined as we've been able to make it for those needing to demonstrate compliance with...

    $4,860.00 - $9,660.00