ComplianceForge Reference Model

The ComplianceForge Reference Model is commonly referred to as the Hierarchical Cybersecurity Governance Framework™ (HCGF). This reference model is designed to encourage clear communication by defining the components of cybersecurity and privacy documentation and how those components are linked. This comprehensive view identifies the primary documentation components that are necessary to demonstrate evidence of due diligence and due care. The HCGF addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, risks, procedures and metrics.

Hierarchical Cybersecurity Governance Framework (HCGF)

The Secure Controls Framework (SCF) fits into this model by providing the necessary cybersecurity and privacy controls an organization needs to implement to stay both secure and compliant. ComplianceForge has simplified the concept of the hierarchical nature of cybersecurity and privacy documentation in the following diagram to demonstrate the unique nature of these components, as well as the dependencies that exist:

[Diagram: ComplianceForge Reference Model - Hierarchical Cybersecurity Governance Framework]

Policy vs Standard vs Procedure

This table helps provide some context into the differences between policies, standards and procedures. For more information, we have an entire page dedicated to these cybersecurity definitions.

| Considerations | Policy | Standard | Procedure |
|---|---|---|---|
| Definition | High-level statement of management intent that is designed to influence decisions and guide the organization to achieve a desired outcome. | Mandatory requirements regarding processes, actions and configurations that provide granular criteria. | Documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. |
| Intent | Policies exist to mitigate risks to the organization, including statutory, regulatory and contractual obligations. | Standards ensure systems, applications and processes are designed and operated to include appropriate cybersecurity and privacy protections. | Procedures are defined as part of processes. |
| Issued By | Executive Leadership (e.g., CEO or Board of Directors) | Cybersecurity Department (e.g., CISO or GRC Director) | Team or Department Subject Matter Experts (SMEs) |
| Scope | Organization-Wide | Organization-Wide (unless specified) | Technology and/or Process-Specific |
| Stability | Static (rarely changes) | Static (changes due to new requirements such as new laws, regulations or recommended practices) | Dynamic (changes due to new technologies, processes and/or personnel) |
| Review Cycle | Annually (or as needed) | Annually (or as new requirements are introduced) | When technologies, processes and/or personnel change |
