Compliance Decision Making Process (CDMP)

Solving a unique problem is the driving reason for compliance planning processes (e.g., "How do I comply with NIST 800-171 R3?"). ComplianceForge created the Compliance Decision Making Process (CDMP) as a free guide to help compliance staff come up with viable Courses of Action (COA) based on (1) facts, (2) assumptions and (3) constraints.

5 Simple Steps To Compliance Decision Making

The CDMP is designed to be simple and efficient. It identifies sub-steps, as well as inputs and outputs associated with each step in the decision making process. The five (5) steps are:

  1. Awareness of compliance obligations
  2. Identify facts & assumptions
  3. Define a problem statement
  4. Determine constraints
  5. Identify possible Courses of Action (COA)

The PDF also includes a practical example of using the CDMP for NIST 800-171 compliance.

Compliance Decision Making Process Logic Diagram

Proactive Approach To Compliance Decision Making

Compliance with cybersecurity and data protection laws, regulations and contractual obligations requires a proactive approach to be efficient and effective. Proactive compliance can be thought of as having four (4) distinct components, which come from the broader Military Decision Making Process (MDMP) used by the US military. The common military planning acronym associated with this is DIRT:

  1. Decisions;
  2. Intent;
  3. Risk; and
  4. Triggers.

Getting to the point of making a sound decision is built on multiple supporting processes. In this document, we co-opt concepts from DIRT & MDMP into a cybersecurity compliance-focused Compliance Decision Making Process (CDMP). This document helps define a viable process to tackle compliance-related decision making, in order to minimize the risk and cost that your organization is exposed to through its cybersecurity & data protection compliance efforts.

Compliance Decisions

There are many compliance-related decisions that organizations face. Decisions are often “forks in the road” where there is a binary option to take one path or the other, but not both. This is where the decisions are expected to be based on compliance intent and risk analysis. Examples of decisions that impact compliance operations include:

Compliance Intent

The compliance intent captures your organization's executive leadership's intent for compliance operations. Decisions should be formed based on compliance intent. Compliance intent:

Understanding of Risk

A clear understanding of compliance intent directly influences risk analysis. Understanding the nuances of compliance-related risk can lead to better decision making, which in turn can lead to proper technology alignment, less unexpected change, etc. Examples of understanding risk include:

Compliance Triggers

Compliance operations are rarely static. Identifying triggers in the compliance landscape can refine risk management analysis and lead to proper decision making that stays in line with compliance intent. Examples of compliance triggers include:

Understanding of Risk: Compliance Decision Making

The CDMP clearly shows you how to make compliance-related decision making efficient and straightforward in order to develop viable COAs. However, there is an absolute need for risk management practices to exist and to be understood by the stakeholders involved in compliance decision making. The CDMP includes a section on baselining risk management terminology and understanding the concept of negligence.

Risk Tolerance vs Risk Threshold vs Risk Appetite

The alternative to risk management is crisis management. The information on this page exists to provide practical risk management guidance for cybersecurity and data privacy practitioners, specifically focused on how to align risk appetite, risk tolerance and risk thresholds with an organization's strategic, operational and tactical business planning activities. What is presented is a holistic approach that has practical applications. There are a lot of terms in cybersecurity, and three (3) of the most misused are:

  1. Risk Tolerance
  2. Risk Threshold
  3. Risk Appetite

The concepts of risk appetite, risk tolerance and risk thresholds are not independent terms that are meant to stand by themselves; they share a dependency that needs to be understood to create a coherent risk management strategy. Likewise, those terms are also directly linked to strategic, operational and tactical decision making.

Risk tolerance vs risk threshold

Organizations invest in cybersecurity and data privacy as a necessity. This necessity is driven in large part by statutory, regulatory and contractual requirements. It is also driven by the desire to protect the organization's brand from acts that would harm its public image. Regardless of the reason, the base expectation is that those charged with developing, implementing and governing the cybersecurity and data privacy functions are doing so in a reasonable manner that would withstand scrutiny, which could take the form of an external auditor, regulator or prosecuting attorney.
