Cybersecurity documentation is what ComplianceForge specializes in. We've been writing documentation since 2005, so we have significant experience in developing efficient and effective documentation solutions. We recognize a standard is a standard for a reason, so we adhere to industry-recognized definitions for the various components that make up cybersecurity documentation. Our goal is for our clients to have appropriate evidence of due diligence and due care to withstand external scrutiny from auditors, assessors or regulators.
To demonstrate why ComplianceForge documentation is worth the cost, we wrote the following START HERE GUIDE to help educate clients on the concept of "what right looks like" for cybersecurity documentation, so that they can better compare apples-to-apples how cybersecurity documentation is meant to be structured. Quality documentation can be half the battle in audit/assessment preparation, so having professionally-written documentation can pay for itself many times over.
The ComplianceForge Reference Model is entirely based on industry-recognized "best practices" for structuring cybersecurity and data protection documentation according to terminology definitions from NIST, ISO, ISACA and AICPA. This approach is designed to encourage clear communication by clearly defining cybersecurity and privacy documentation components and how those are linked. This comprehensive view identifies the primary documentation components that are necessary to demonstrate evidence of due diligence and due care. It addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. ComplianceForge simplified the hierarchical nature of cybersecurity and privacy documentation into a model that visualizes the unique role of each of these components, as well as the dependencies that exist between them.
Our Hierarchical Cybersecurity Governance Framework (HCGF) demonstrates the linkages from policies all the way through metrics, based on definitions from NIST, ISO, ISACA and AICPA (see page 6 of the HCGF for details):
Not Sure Which Framework Is The "Best" Cybersecurity Framework For Your Needs?
The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organization must comply with will most often point you to one of these cybersecurity frameworks to kick off the discussion about "Which framework is most appropriate for our needs?":
Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics.
NIST 800-171 R2 & R3 / CMMC 2.0 Editable & Affordable Cybersecurity Documentation
This short product walkthrough video is designed to give a brief overview about what the NCP is to help answer common questions we receive.