Key Takeaways - Documentation Examples
- Every ComplianceForge product has downloadable Word and Excel examples so you can evaluate quality before purchasing.
- Examples demonstrate the actual structure, language, and level of detail you receive.
- Documentation is delivered in editable formats (Word, Excel, PowerPoint) customized with your logo and company name.
- Each product page also includes cost savings estimates comparing our pricing to consultant or DIY costs.
Editable Policies & Standards Templates
Policies & Standards
The foundation of any cybersecurity program. Policies define management intent while standards specify the technical and operational requirements your organization must follow. Choose the framework alignment that matches your compliance obligations.
Policies & Standards - Security, Compliance & Resilience Program (SCRP)
This version of the SCRP is a hybrid, "best in class" approach to cybersecurity documentation that covers dozens of statutory, regulatory and contractual frameworks to create a comprehensive set of cybersecurity policies & standards. The SCRP has a 1-1 mapping relationship with the Secure Controls Framework (SCF) so it maps to over 200 leading practices!
Word Example
Excel Example
Policies & Standards - NIST CSF 2.0
This version of the Cybersecurity & Data Protection Program (CDPP) is based on the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) framework. It contains the necessary NIST CSF policies and standards that help achieve compliance with NIST CSF. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs.
Word Example
Excel Example
Policies & Standards - ISO 27001 / 27002
This version of the Cybersecurity & Data Protection Program (CDPP) is based on the ISO 27001 / 27002 framework. It contains the necessary ISO 27001 / 27002 policies and standards that help achieve compliance. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs.
Word Example
Excel Example
Policies & Standards - NIST 800-53 R5 (moderate)
This version of the Cybersecurity & Data Protection Program (CDPP) is based on the NIST 800-53 rev5 framework. It contains cybersecurity policies and standards that align with NIST 800-53 (including NIST 800-171 & CMMC requirements). You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs.
Word Example
Excel Example
Policies & Standards - NIST 800-53 R5 (high)
This version of the Cybersecurity & Data Protection Program (CDPP) is based on the NIST SP 800-53 rev5 framework. It contains cybersecurity policies and standards that align with NIST SP 800-53 (including NIST SP 800-171 requirements). You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs.
Word Example
Excel Example
Policies & Standards - CORE Fundamentals
This version of the Cybersecurity & Data Protection Program (CDPP) is based on the SCF CORE Fundamentals from the Secure Controls Framework (SCF). It contains the necessary policies and standards that help achieve compliance with the SCF. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs.
Word Example
Excel Example
Editable Procedures Templates
Cybersecurity Procedures
Procedures operationalize your policies and standards into actionable, step-by-step instructions your teams use daily. They are the most dynamic component of your documentation and should be treated as living documents.
Procedures - Security, Compliance & Resilience Program (SCRP)
This version of the SCRP is a hybrid, "best in class" approach to cybersecurity documentation that covers dozens of statutory, regulatory and contractual frameworks to create a comprehensive set of cybersecurity procedures. The SCRP has a 1-1 mapping relationship with the Secure Controls Framework (SCF) so it maps to over 200 leading practices!
Procedures - NIST CSF 2.0
This version of the Cybersecurity Standardized Operating Procedures (CSOP) is based on the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) framework. It contains the necessary NIST CSF procedures that help achieve compliance with NIST CSF. You get fully-editable Microsoft Word documents that you can customize for your specific needs.
Procedures - ISO 27001 / 27002
This version of the Cybersecurity Standardized Operating Procedures (CSOP) is based on the ISO 27001 / 27002 framework. It contains the necessary ISO 27001 / 27002 procedures that help achieve compliance with ISO 27001 / 27002. You get fully-editable Microsoft Word documents that you can customize for your specific needs.
Procedures - NIST 800-53 R5 (moderate)
This version of the Cybersecurity Standardized Operating Procedures (CSOP) is based on the NIST 800-53 Rev 5 framework. It contains cybersecurity procedures that align with NIST 800-53 (including NIST 800-171 & CMMC requirements). You get fully-editable Microsoft Word documents that you can customize for your specific needs.
Procedures - NIST 800-53 R5 (high)
This version of the Cybersecurity Standardized Operating Procedures (CSOP) is based on the NIST 800-53 Rev 5 framework. It contains cybersecurity procedures that align with NIST 800-53 (including NIST 800-171 & CMMC requirements). You get fully-editable Microsoft Word documents that you can customize for your specific needs.
Procedures - CORE Fundamentals
This version of the Cybersecurity Standardized Operating Procedures (CSOP) is based on the SCF CORE Fundamentals from the Secure Controls Framework (SCF). It contains the necessary procedures that help achieve compliance with the SCF. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs.
Cybersecurity Supply Chain Risk Management
Supply Chain Risk Management
Managing cybersecurity risk across your supply chain is increasingly required by regulation and contract. These products address NIST SP 800-161 Rev 1 requirements and federal supply chain security mandates.
Supply Chain Risk Management (SCRM) Plan Template
The SCRM Plan template is an editable Microsoft Word document that is intended to operationalize a C-SCRM Plan that can enforce security across your supply chain (e.g., service providers, vendors, contractors, etc.). This product includes a wealth of information to customize a SCRM/C-SCRM Plan that is specific to your organization.
C-SCRM Strategy & Implementation Plan (C-SCRM SIP)
The C-SCRM SIP is an editable Microsoft Word document that is intended to operationalize a C-SCRM Program that can enforce security across your supply chain (e.g., service providers, vendors, contractors, etc.). This is fully-editable documentation (e.g., Word, Excel, PowerPoint, etc.) that can enable your organization to "hit the ground running" with C-SCRM operations that are aligned with NIST SP 800-161 Rev 1.
NIST 800-171 Compliance
NIST 800-171 & CMMC
Defense contractors handling Controlled Unclassified Information (CUI) must demonstrate NIST 800-171 compliance. These products provide the documentation foundation for CMMC Level 2 assessments.
NIST 800-171 Compliance Program (NCP)
The NCP is designed to fit the needs of small to medium businesses in need of a “square peg for a square hole” to singularly address NIST 800-171 and CMMC compliance requirements. The NCP is "battle tested" - our clients have successfully passed DIBCAC assessments with this documentation, including a CMMC Third-Party Assessment Organization (C3PAO).
NIST 800-171 System Security Plan (SSP) Template
The SSP is meant to be a "living document" that captures pertinent information on the controls implementation for NIST 800-171. Specifically, the SSP template covers all Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls that are listed in Appendices D and E of NIST 800-171. The SSP can serve as a key element in your organization's cybersecurity program.
Risk Management
Cybersecurity Risk Management
Formal risk management is the foundation of informed decision-making in cybersecurity. These products provide the documentation for identifying, assessing, treating, and monitoring risk across your organization and third-party relationships.
Physical Security Plan (PSP)
The Physical Security Plan (PSP) was created with the intent to minimize risk to an organization’s systems and data by addressing applicable physical security and environmental concerns and establishing processes that will help ensure physical security and environmental risks are minimized or avoided.
Risk Management Program (RMP)
The RMP is designed to address the strategic, operational and tactical components of risk management to provide cybersecurity risk management governance and provides this middle ground between high-level policies and the actual procedures of how risk is managed on a day-to-day basis by those individual contributors who execute risk-based controls.
Third-Party Risk Management (TPRM) Program
The TPRM Program includes TPRM policy, a phased approach to managing Third-Party Service Providers (TPSP) across the entire vendor lifecycle, and a TPRM questionnaire that you can use to assess TPSP. In other words, ComplianceForge’s TPRM Program offers the entire pie for TPRM, unlike other companies who offer only a single piece of the pie.
Cybersecurity Risk Assessment (CRA) Template
The CRA provides you a format to produce high-quality risk assessment reports, based on the Risk Management Program's (RMP) structure of managing risk. The CRA provides a high-quality template to actually perform the risk assessments that are called for by policies, standards and procedures. This allows your organization to have a risk assessment template that is repeatable and looks professional.
Data Protection (Privacy) & Secure Engineering
Data Privacy & Secure Engineering
Global privacy regulations require documented programs addressing data protection, consent management, DSARs, and privacy-by-design. These products provide the documentation to demonstrate compliance with GDPR, CCPA/CPRA, and other regulations.
Data Privacy Program (DPP)
The Data Privacy Program (DPP) is an editable "privacy program template" that exists to ensure data protection-related controls are adequately identified and implemented across your systems, applications, services, processes and other initiatives, including third-party service providers. The DPP prescribes a comprehensive framework for the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of Personal Data / sensitive Personal Data (PD / sPD).
Secure Engineering & Data Privacy (SEDP) Program
The SEDP Program is designed to support your company’s existing policies and standards. It serves as expert-level guidance that is meant to run a specific capability or function within an organization's cybersecurity department to help communicate user needs and system characteristics to developers, integrators, sponsors, funding decision makers and other stakeholders.
Information Assurance Program (IAP)
The IAP is focused on pre-production testing and based on established processes used by the US Government (e.g., FISMA, DIACAP, DIARMF) to validate the existence and functionality of controls, prior to a system, application or service going into production. It is not only the right thing to do from a security and privacy perspective, but it is serious job security.
Vulnerability & Patch Management
Vulnerability & Patch Management
Timely vulnerability management and patching are critical to reducing your attack surface. These products standardize your processes and provide the documentation auditors expect to see.
Vulnerability & Patch Management Program (VPMP)
The VPMP addresses program-level guidance on HOW to actually manage patching and vulnerability management, including vulnerability scanning and penetration testing. It provides this middle ground between high-level policies and the actual procedures of how systems are patched, systems scanned, etc. on a day-to-day basis by those individual contributors who execute vulnerability management tasks.
Secure Baseline Configurations (SBC)
The Secure Baseline Configurations (SBC) is a documentation solution to efficiently document what constitutes a "hardened" system in your organization by providing comprehensive hardened baseline configuration documentation to prove that your security is more than just a set of policies and standards. This is applicable to operating systems, applications and services.
Incident Response
Integrated Incident Response
Every organization needs a documented incident response capability. These products provide the plans, playbooks, communication templates, and continuity documentation that enable effective response and recovery.
Integrated Incident Response Program (IIRP)
The IIRP addresses program-level guidance on HOW to actually manage incident response operations, including forensics and reporting. It provides this middle ground between high-level policies and the actual procedures of how Incident Response Plans (IRPs) are executed by those individual contributors task with incident response duties.
Continuity of Operations Plan (COOP)
The COOP addresses program-level guidance on HOW to actually plan for and respond to both business continuity and disaster recovery (BC/DR) operations. It provides this middle ground between high-level policies and the actual procedures of how BC/DR is executed by those individual contributors task with BC/DR duties.
PCI DSS Compliance
PCI DSS v4 Compliance
Organizations that process, store, or transmit cardholder data must comply with PCI DSS. These products provide policies and standards tailored to each Self-Assessment Questionnaire type.
Policies & Standards - PCI DSS v4 SAQ A
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Policies & Standards - PCI DSS v4 SAQ A-EP
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Policies & Standards - PCI DSS v4 SAQ B
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Policies & Standards - PCI DSS v4 SAQ C
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Policies & Standards - PCI DSS v4 SAQ C-VT
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Policies & Standards - PCI DSS v4 SAQ D (Merchant)
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Policies & Standards - PCI DSS v4 SAQ D (Service Provider)
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Policies & Standards - PCI DSS v4 SAQ B-IP
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Program Governance
Program Governance Documentation
In addition to the other documentation, it is necessary to achieve governance over your cybersecurity program. These products go beyond just compliance and will help achieve governance in your organization's cybersecurity program.
Cybersecurity Business Plan (CBP)
The Cybersecurity Business Plan (CBP), which some may refer to as a CISO Business Plan, is a business plan template that is specifically tailored for a cybersecurity department that is designed to support an organization's broader technology and business strategies. The CBP is entirely focused at the CISO-level, since it is a department-level planning document.
SCF RASCI Matrix
ComplianceForge's RASCI matrix provides a practical, role-based accountability model for assigning ownership across all 1,400+ SCF cybersecurity, data privacy, compliance and resilience controls. Built on the NIST NICE Cybersecurity Workforce Framework and expanded with additional roles commonly found in Fortune 1000 organizations, this RASCI is designed to help organizations eliminate ambiguity over “who owns what” in a cybersecurity program.