The foundation for an organization's cybersecurity and privacy program is its policies and standards. These components form the alignment with leading practices to help ensure applicable statutory, regulatory and contractual requirements for cybersecurity and privacy are addressed. From these policies and standards, procedures and other program-level guidance provide the specific details of how these policies and standards are implemented.
Effective cybersecurity and data protection is a team effort involving the participation and support of every user that interacts with your company’s data and/or systems, it is a necessity for your company’s cybersecurity & data protection requirements to be made available to all users in a format that they can understand. That means your company must publish those requirements in some manner, generally in either PDF format or published to an internal source (e.g., wiki, SharePoint, Jira, GRC, etc.). Our goal is to make that process as efficient, cost-effective and scalable, as possible.
Since words have meanings, it is important to provide examples from industry-recognized sources for the proper use of these terms that make up cybersecurity & privacy documentation. Simply because you have heard a term used in one manner for the last decade, it does not mean that is correct. That is why we wrote the following guide to help explain how cybersecurity and data protection documentation is meant to be developed, based on authoritative definitions of the components that make up documentation (e.g., policies, standards, procedures, controls, etc.).
As a "rule of thumb" to understand how documentation ages, if your cybersecurity policies, standards and procedures are old enough to start kindergarten (4-5 years old) then it is time to perform a thorough refresh / update cycle. Cybersecurity and privacy are evolving fields and your documentation needs to be current to address these new requirements and threats.
What Is The "Best" Cybersecurity Framework For Your Needs?
The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organiation must comply with will most often point you to one of four (4) starting points to kick off the discussion about "Which framework is most appropriate for our needs?":
NIST Cybersecurity Framework (NIST CSF);
ISO 27001/27002;
NIST SP 800-53 (moderate or high baselines); or
Secure Controls Framework (SCF) (or a similar metaframework).
ComplianceForge Sells More Than Just Policies & Standards
While policies, standards and procedures form the foundation of any cybersecurity and data protection program, there are many other components that build off of those documents:
Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics.
Product Walkthrough Video
This short product walkthrough video is designed to give a brief overview about...
NIST 800-53 Rev5 Policy Template LOW & MODERATE BASELINE
Product Walkthrough Video
This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common questions we receive...
NIST SP 800-53 Rev5 Policy Template LOW, MODERATE & HIGH BASELINE
Product Walkthrough Video
This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common questions we receive...