- The HCGF is a top-down governance model where everything traces from external/internal influencers → policies → control objectives → standards → controls → procedures → metrics.
- Cybersecurity documentation has 6 core components: policies, control objectives, standards, controls, procedures/control activities, and guidelines.
- Every other component maps to controls: controls are the central nexus that links standards, procedures, risks, threats and metrics together.
- Documentation provides evidence of due diligence (policies & standards) and due care (procedures & metrics) to withstand external scrutiny.
- The Secure Controls Framework (SCF) fits into this model by providing the cybersecurity and privacy controls an organization needs to stay secure, compliant, and resilient.
Hierarchical Cybersecurity Documentation Structure
The ComplianceForge Reference Model is based on industry-recognized "best practices" for structuring cybersecurity and data protection documentation, using terminology definitions from NIST, ISO, ISACA and AICPA. The approach is designed to encourage clear communication by defining each cybersecurity and privacy documentation component and how those components are linked. This view identifies the primary documentation components necessary to demonstrate evidence of due diligence and due care, and it addresses the interconnection of policies, control objectives, standards, guidelines, controls, risks, procedures and metrics. ComplianceForge simplified the hierarchical nature of cybersecurity and privacy documentation into a single visualization that shows the unique role of each component, as well as the dependencies that exist between them.
Our Hierarchical Cybersecurity Governance Framework (HCGF) demonstrates the linkages from policies all the way through metrics, based on definitions from NIST, ISO, ISACA and AICPA (see page 6 of the HCGF for details):

Influencers (Laws, Regulations, Contracts, etc.)
The External & Internal influencers that establish what is considered necessary based on Minimum Compliance Requirements (MCR) and Discretionary Security Requirements (DSR).
Policies
High-level statements of management intent from an organization's executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes.
Control Objectives
Targets or desired conditions to be met. These are statements describing what is to be achieved as a result of the organization implementing a Control.
Standards
Mandatory requirements for processes, actions and configurations that are designed to satisfy Controls and Control Objectives.
Guidelines
Recommended practices that are based on industry-recognized secure practices. Guidelines help augment Standards when discretion is permissible.
Controls
Technical, administrative or physical safeguards. Controls are the nexus used to manage risks by preventing, detecting or lessening the ability of a particular threat to negatively impact business processes.
Procedures
Documented set of steps necessary to perform a specific task or process in conformance with an applicable standard.
Risks
A situation where someone or something valued is exposed to danger, harm or loss (noun) or to expose someone or something valued to danger, harm or loss (verb).
Threats
A person or thing likely to cause damage or danger (noun) or to indicate impending damage or danger (verb).
Metrics
A "point in time" view of specific, discrete measurements. This is unlike trending and analytics, which are derived by comparing two or more measurements taken over a period of time against a baseline. Analytics are generated from the analysis of metrics.
This top-down chain creates an unbroken line of traceability: every procedure traces to a control, every control traces to a standard, every standard traces to a control objective, and every control objective traces to a policy, which itself traces back to an external or internal influencer.
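The traceability chain described above is easy to state and easy to break in practice: a procedure that cites a control that was never written, a control with no standard behind it, or a standard that links straight to a policy and skips its control objective. The following script is an added example (not ComplianceForge's code and not part of the HCGF or SCF) that walks an inventory of documentation records up the chain and reports where the line of traceability is broken. The layer names follow the HCGF chain; the record identifiers (INF-PCI, POL-01, CTL-99 and so on) and the inventory itself are constructed sample data, not real SCF control identifiers.

```python
"""Check that every documentation record traces, layer by layer, up to an influencer.

Added example, not ComplianceForge's code. Layer order follows the HCGF chain
(influencer -> policy -> control objective -> standard -> control -> procedure).
All record identifiers below are constructed for illustration.
"""

# Each layer must link to a parent in exactly this layer (child -> parent).
PARENT_LAYER = {
    "policy": "influencer",
    "control_objective": "policy",
    "standard": "control_objective",
    "control": "standard",
    "procedure": "control",
}

# Constructed inventory: (record id, layer, parent record id).
# Influencers sit at the top of the chain and have no parent.
INVENTORY = [
    ("INF-PCI", "influencer", None),
    ("POL-01", "policy", "INF-PCI"),
    ("CO-01", "control_objective", "POL-01"),
    ("STD-01", "standard", "CO-01"),
    ("CTL-01", "control", "STD-01"),
    ("PRC-01", "procedure", "CTL-01"),   # fully traceable
    ("PRC-02", "procedure", "CTL-99"),   # cites a control that does not exist
    ("CTL-02", "control", None),         # control with no standard behind it
    ("STD-02", "standard", "POL-01"),    # links to a policy, skipping the control objective
]


def build_index(inventory):
    """Map record id -> (layer, parent id) for constant-time lookups."""
    return {rid: (layer, parent) for rid, layer, parent in inventory}


def trace(record_id, index):
    """Walk parent links from record_id up to an influencer.

    Returns (chain, problem): chain is the list of ids visited, problem is None
    when the chain is unbroken, otherwise a description of the first break.
    """
    chain, seen, current = [], set(), record_id
    while True:
        if current in seen:
            return chain, f"cycle at {current}"
        seen.add(current)
        if current not in index:
            return chain, f"missing record {current}"
        layer, parent = index[current]
        chain.append(current)
        if layer == "influencer":
            return chain, None
        expected = PARENT_LAYER.get(layer)
        if expected is None:
            return chain, f"unknown layer {layer}"
        if parent is None:
            return chain, f"{current} ({layer}) has no parent"
        if parent in index and index[parent][0] != expected:
            return chain, (f"{current} ({layer}) links to {parent} "
                           f"({index[parent][0]}), expected {expected}")
        current = parent


def find_gaps(inventory):
    """Upward traceability: records whose chain does not reach an influencer."""
    index = build_index(inventory)
    gaps = {}
    for rid, layer, _ in inventory:
        if layer == "influencer":
            continue
        _, problem = trace(rid, index)
        if problem:
            gaps[rid] = problem
    return gaps


def uncovered(inventory):
    """Downward coverage, the mirror check: non-leaf records that nothing
    references (a policy with no control objective, a control with no
    procedure, and so on)."""
    referenced = {parent for _, _, parent in inventory if parent}
    return sorted(rid for rid, layer, _ in inventory
                  if layer != "procedure" and rid not in referenced)


if __name__ == "__main__":
    for rid, problem in find_gaps(INVENTORY).items():
        print(f"GAP  {rid}: {problem}")
    for rid in uncovered(INVENTORY):
        print(f"UNREFERENCED  {rid}")
```

Run against the sample inventory, find_gaps flags PRC-02 (dangling parent), CTL-02 (no standard) and STD-02 (skipped layer), while PRC-01 traces cleanly to INF-PCI. The uncovered check runs the other direction and is what an assessor looking for due-care evidence actually asks: which controls have no procedure, and which objectives have no standard. Both checks work on any export that can be reduced to (id, layer, parent) triples.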

Policy vs Standard vs Procedure
This comparison helps clarify the critical differences between the three most commonly confused documentation types:
