- Cybersecurity documentation follows a hierarchical structure: Policies → Control Objectives → Standards → Controls → Procedures → Guidelines.
- Policies establish management intent (the "what"), standards provide quantifiable requirements (the "how much"), and procedures describe step-by-step processes (the "how").
- Documentation provides evidence of due diligence (you identified the right controls) and due care (you are executing them properly).
- Quality documentation can be half the battle in audit preparation - professionally written content pays for itself many times over.
- ComplianceForge follows industry-recognized definitions from NIST, ISO, ISACA, and AICPA for structuring documentation.
Hierarchical Cybersecurity Documentation Structure
The ComplianceForge Reference Model is entirely based on industry-recognized "best practices" for structuring cybersecurity and data protection documentation according to terminology definitions from NIST, ISO, ISACA and AICPA. This approach is designed to encourage clear communication by clearly defining cybersecurity and privacy documentation components and how those are linked. This comprehensive view identifies the primary documentation components that are necessary to demonstrate evidence of due diligence and due care. It addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. ComplianceForge has distilled the hierarchical nature of cybersecurity and privacy documentation into a model that visualizes the unique role of each component, as well as the dependencies that exist between them.
Our Hierarchical Cybersecurity Governance Framework (HCGF) demonstrates the linkages from policies all the way through metrics, based on definitions from NIST, ISO, ISACA and AICPA (see page 6 of the HCGF for details):

Influencers (Laws, Regulations, Contracts, etc.)
The External & Internal influencers that establish what is considered necessary based on Minimum Compliance Requirements (MCR) and Discretionary Security Requirements (DSR).
Policies
High-level statements of management intent from an organization's executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes.
Control Objectives
Targets or desired conditions to be met. These are statements describing what is to be achieved as a result of the organization implementing a Control.
Standards
Mandatory requirements in regard to processes, actions, and configurations that are designed to satisfy Controls & Control Objectives.
Guidelines
Recommended practices that are based on industry-recognized secure practices. Guidelines help augment Standards when discretion is permissible.
Controls
Technical, administrative or physical safeguards. Controls are the nexus used to manage risks by preventing, detecting or lessening the ability of a particular threat to negatively impact business processes.
Procedures
Documented set of steps necessary to perform a specific task or process in conformance with an applicable standard.
Risks
A situation where someone or something valued is exposed to danger, harm or loss (noun) or to expose someone or something valued to danger, harm or loss (verb).
Threats
A person or thing likely to cause damage or danger (noun) or to indicate impending damage or danger (verb).
Metrics
A "point in time" view of specific, discrete measurements, unlike trending and analytics that are derived by comparing a baseline of two or more measurements taken over a period of time. Analytics are generated from the analysis of metrics.
This top-down chain creates an unbroken line of traceability: every procedure traces to a control, every control traces to a standard, every standard traces to a control objective, and every control objective traces to a policy, which itself traces back to an external or internal influencer (e.g., law, regulation, framework or other obligation).
What Are Due Diligence & Due Care?
Documentation serves two critical legal and compliance functions:
Due Diligence
The development and publication of policies, standards, and control objectives demonstrates that the organization identified and designed reasonable steps to address its applicable requirements. This is the "planning" evidence. You knew what you needed to do and documented it.
Due Care
The documented execution of procedures provides evidence that reasonable practices are being performed. The deliverables that stakeholders generate by executing those procedures are the "doing" evidence. You are actively implementing and maintaining your controls.
If a data breach occurs and root causes are investigated, having appropriate evidence of due diligence and due care can be your "get out of jail free card" by demonstrating that reasonable security practices were in place.
Why Does Quality Documentation Matter?
Free templates from the Internet are generally of little value. Without cybersecurity expertise, selecting individual policies creates significant liability exposure.
ComplianceForge documentation is comprehensive, professionally written, and structured to meet the requirements auditors and assessors expect. Quality documentation can be half the battle in audit and assessment preparation. Having professionally written content pays for itself many times over. Each product page includes cost savings estimates so you can see for yourself what it would reasonably cost to write equivalent documentation yourself or hire someone to write it for you.
We recognize that "a standard is a standard for a reason," so we adhere to industry-recognized definitions and structure. Our goal is for our clients to have appropriate evidence of due diligence and due care to withstand external scrutiny.
What Is The Best Cybersecurity Framework?

This is one of the most common questions we receive. The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organization must comply with will most often point you to one of these cybersecurity frameworks to kick off the discussion about "Which framework is most appropriate for our needs?":
- NIST Cybersecurity Framework (NIST CSF)
- ISO 27001/27002
- NIST SP 800-171 (e.g., CMMC compliance)
- NIST SP 800-53 (moderate or high baselines); or
- Secure Controls Framework (SCF) (cybersecurity & privacy metaframework / common controls framework)