Cybersecurity documentation is what ComplianceForge specializes in. We've been writing documentation since 2005, so we have significant experience in developing efficient and effective documentation solutions. We recognize a standard is a standard for a reason, so we adhere to industry-recognized definitions for the various components that make up cybersecurity documentation. Our goal is for our clients to have appropriate evidence of due diligence and due care to withstant external scrutiny from auditors, assessors or regulators.
To demonstrate why ComplianceForge documentation is work the cost, we wrote the following START HERE GUIDE to help educate clients on the concept of "what right looks like" for cybersecurity documentation, so that they can better compare apples-to-apples for how cybersecurity documentation is meant to be structured. Quality documentation can be half the battle in audit/assessment preparation, so having professionally-written documentation can pay for itself many times over.
The ComplianceForge Reference Model is entirely based on industry-recognized "best practices" for structuring cybersecurity and data protection documentation according to terminology definitions from NIST, ISO, ISACA and AICPA. This approach is designed to encourage clear communication by clearly defining cybersecurity and privacy documentation components and how those are linked. This comprehensive view identifies the primary documentation components that are necessary to demonstrate evidence of due diligence and due care. It addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that visualizes the unique nature of these components, as well as the dependencies that exist.
Our Hierarchical Cybersecurity Governance Framework (HCGF)) demonstrates the linkages from policies all the way through metrics, based on definitions from NIST, ISO, ISACA and AICPA (see page 6 of the HCGF for details):
The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organiation must comply with will most often point you to one of these cybersecurity frameworks to kick off the discussion about "Which framework is most appropriate for our needs?":
Secure Controls Framework (SCF)
Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video When you click the image or the link below, it will direct you to a different...
ComplianceForge - NIST 800-171 & CMMC
NIST 800-171 R2 & R3 / CMMC 2.0 Compliance Made Easier! The NCP is editable & affordable cybersecurity documentation to address your NIST 800-171 R2 / R3 and CMMC 2.0 Levels 1-2 compliance needs. When you click the image or the link below, it...
ComplianceForge released NIST 800-171 R3 documentation updated to address DoD-provided Organization-...
ComplianceForge is a Licensed Content Provider (LCP) for the Secure Controls Framework (SC...
Need GSA OASIS+ J-3 C-SCRM Deliverables? The US Government's General Services Administration (GSA) h...
A common issue facing many front-line IT / cybersecurity practitioners is that they do not know wher...
