The ComplianceForge Reference Model is commonly referred to as the Hierarchical Cybersecurity Governance Framework™ (HCGF). This reference model is designed to encourage clear communication by clearly defining cybersecurity and privacy documentation components and how those are linked. This comprehensive view identifies the primary documentation components that are necessary to demonstrate evidence of due diligence and due care. The HCGF addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics.
The Secure Controls Framework (SCF) fits into this model by providing the necessary cybersecurity and privacy controls an organization needs to implement to stay both secure and compliant. ComplianceForge has simplified the concept of the hierarchical nature of cybersecurity and privacy documentation in the following diagram to demonstrate the unique nature of these components, as well as the dependencies that exist:
This table helps provide some context into the differences between policies, standards and procedures. For more information, we have an entire page dedicated to these cybersecurity definitions.
| Considerations | Policy | Standard | Procedure |
| Definition | High-level statement of management intent that is designed to influence decisions and guide the organization to achieve a desired outcome. | Mandatory requirements regarding processes, actions and configurations that provide granular criteria. | Documented set of steps necessary to perform a specific task or process in conformance with an applicable standard |
| Intent | Policies exist to mitigate risks to the organization, including statutory, regulatory and contractual obligations. | Standards ensure systems, applications and processes are designed and operated to include appropriate cybersecurity and privacy protections. | Procedures are defined as part of processes. |
| Issued By | Executive Leadership (e.g., CEO or Board of Directors) | Cybersecurity Department (e.g., CISO or GRC Director) | Team or Department Subject Matter Experts (SMEs) |
| Scope | Organization-Wide | Organization-Wide (unless specified) | Technology and/or Process-Specific |
| Stability | Static (rarely changes) | Static (changes due to new requirements such as a new laws, regulation or recommended practice) | Dynamic (changes due to new technologies, processes and/or personnel) |
| Review Cycle | Annually (or as needed) | Annually (or as new requirements are introduced) | When technologies, processes and/or personnel change |
Secure Controls Framework (SCF)
Secure Controls Framework (SCF) "Premium Content" - Editable Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video When you click the image or the link below, it will direct you to a different page on...
ComplianceForge - NIST 800-171 & CMMC
NIST 800-171 Rev 2 & Rev 3 / CMMC 2.0 Compliance Made Easier! The NCP is editable & affordable cybersecurity documentation to address your NIST 800-171 R2 / R3 and CMMC 2.0 Levels 1-2 compliance needs. When you click the image or the link...
