Operationalizing Cybersecurity Planning Model

The ComplianceForge Operationalizing Cybersecurity Planning Model™ (OCPM) takes a practical view towards implementing cybersecurity business plans. CISOs are often not at a loss for a plan, but executing these plans often fall short due to disconnects between strategic, operational and tactical components in the planning and implementing processes. Where the rubber meets the road, Individual Contributors (ICs) need to know (1) how they fit into business planning, (2) what their priorities are and (3) what is expected from them in their duties. When looking at it from an auditability perspective, the evidence of due diligence and due care should match what the cybersecurity business plan is attempting to achieve.

The central focus of any cybersecurity business plan should be a Capability Maturity Model (CMM) target that provides quantifiable expectations for People, Processes and Technologies (PPT), since this helps prevent a “moving target” by establishing an attainable expectation for “what right looks like” in terms of PPT. Generally, cybersecurity business plans take a phased, multi-year approach to meet these CMM-based cybersecurity objectives. Those objectives, in conjunction with the business plan, demonstrate evidence of due diligence on behalf of the CISO and his/her leadership team. The objectives prioritize the organization’s service catalog through influencing procedures at the IC-level for how PPT are implemented at the tactical level. Those Standardized Operating Procedures (SOPs)not only direct the workflow of ICs, but the output from procedures provide evidence of due care.

ComplianceForge has simplified the concept of operationalizing cybersecurity planning in in the following downloadable diagram to demonstrate the unique nature of these components, as well as the dependencies that exist:

cybersecurity editable procedures template example

Browse Our Products

  • Secure Controls Framework (SCF) Policy, Standards, Controls & Metrics Template - DSP / SCF

    Digital Security Program (DSP)

    Secure Controls Framework (SCF)

    Secure Controls Framework (SCF) "Premium Content" - Editable Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video When you click the image or the link below, it will direct you to a different page on...

    $10,400.00 - $15,200.00
    Choose Options
  • ComplianceForge - NIST 800-171 & CMMC NIST 800-171 Compliance Program (NCP): CMMC Level 2

    NIST 800-171 Compliance Program (NCP)

    ComplianceForge - NIST 800-171 & CMMC

    NIST 800-171 Rev 2 & Rev 3 / CMMC 2.0 Compliance Made Easier! The NCP is editable & affordable cybersecurity documentation to address your NIST 800-171 R2 / R3 and CMMC 2.0 Levels 1-2 compliance needs. When you click the image or the link...

    $5,300.00 - $10,100.00
    Choose Options

NIST SP 800‑53 R5 Control Families

This release includes a total of 1,189 controls, organized into 20 families:

  1. Access Control
  2. Awareness & Training
  3. Audit & Accountability
  4. Assessment, Authorization & Monitoring
  5. Configuration Management
  6. Contingency Planning
  7. Identification & Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical & Environmental Protection
  12. Planning
  13. Program Management
  14. Personnel Security
  15. Personally Identifiable Information (PII) Processing & Transparency
  16. Risk Assessment
  17. System & Services Acquisition
  18. System & Communications Protection
  19. System & Information Integrity
  20. Supply Chain Risk Management

This count includes deprecated controls that have been removed or folded into others. Some controls are not categorized under baselines—low, moderate, high, or privacy—per NIST SP 800‑53B.

ComplianceForge provides full 1:1 mapping of all 20 families and their controls in its CDPP documentation.

!