Cybersecurity & Privacy Documentation Starts with Policies & Standards
The foundation for an organization's cybersecurity and privacy program is its policies and standards. These components form the alignment with leading practices to help ensure applicable statutory, regulatory and contractual requirements for cybersecurity and privacy are addressed. From these policies and standards, procedures and other program-level guidance provide the specific details of how these policies and standards are implemented.
Do You Need To Align With A Specific Cybersecurity Framework?
There are a lot of choices to pick from when selecting a cybersecurity framework. If you are not sure what works best for you, you can read more here. The most common frameworks are NIST 800-53, ISO 27002, the NIST Cybersecurity Framework and the Secure Controls Framework (SCF). To do NIST CSF, ISO 27002 or NIST SP 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to comply with NIST CSF vs ISO 27002 vs NIST SP 800-53, since there are significantly different levels of expectation.
It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to (1) avoid being considered negligent against reasonable expectations for cybersecurity & data protection; (2) comply with applicable laws, regulations and contractual obligations; and (3) implement the proper controls to secure your systems, applications and processes from reasonable threats, based on your specific business case and industry practices.
This understanding makes it easy to determine where on the "framework spectrum" (shown below) you need to focus for selecting a set of cybersecurity principles to follow. This process generally leads to selecting the NIST Cybersecurity Framework, ISO 27002, NIST SP 800-53 or SCF as a starting point.
Since effective cybersecurity and data protection is a team effort involving the participation and support of every user that interacts with your company's data and/or systems, it is a necessity for your company's cybersecurity & data protection requirements to be made available to all users in a format that they can understand. That means your company must publish those requirements in some manner, generally either in PDF format or to an internal source (e.g., wiki, SharePoint, Jira, GRC, etc.). Our goal is to make that process as efficient, cost-effective and scalable as possible.
Since words have meanings, it is important to provide examples from industry-recognized sources for the proper use of the terms that make up cybersecurity & privacy documentation. Simply because you have heard a term used in one manner for the last decade does not mean that usage is correct. That is why we wrote the following guide to help explain how cybersecurity and data protection documentation is meant to be developed, based on authoritative definitions of the components that make up documentation (e.g., policies, standards, procedures, controls, etc.).
As a "rule of thumb" for understanding how documentation ages, if your cybersecurity policies, standards and procedures are old enough to start kindergarten (4-5 years old), then it is time to perform a thorough refresh / update cycle. Cybersecurity and privacy are evolving fields, and your documentation needs to be current to address new requirements and threats.
ComplianceForge Sells More Than Just Policies & Standards
While policies, standards and procedures form the foundation of any cybersecurity and data protection program, there are many other components that build off of those documents:
In both the Cybersecurity & Data Protection Program (CDPP) and the Digital Security Program (DSP), we use a hierarchical model to design the documentation. The idea is that the structure allows policies to be mapped all the way down to metrics.
Policies are "high level" statements of management's intent and are intended to guide decisions to achieve rational outcomes. Policies are not meant to be prescriptive, but provide an overall direction for the organization.
Control Objectives support policy by identifying applicable requirements that the organization needs to address. These applicable requirements can be best practices, laws or other legal obligations.
Standards establish formal requirements with regard to processes, actions and configurations. Standards are entirely focused on providing narrowly-scoped, prescriptive requirements that are quantifiable.
Procedures are formal methods of performing a task, based on a series of actions conducted in a defined and repeatable manner.
Controls are technical or administrative safeguards that may prevent, detect or lessen the ability of the threat actor to exploit a vulnerability.
Metrics are designed to facilitate decision-making, improve performance, and improve accountability through the collection, analysis, and reporting of relevant performance-related data.
Give us a call or send us an email - we are happy to help you find the right solution for your needs! Each of our products is unique, but we have coverage for the following cybersecurity and privacy frameworks:
Digital Security Program (DSP) - Enterprise-Class, Hybrid Framework For Cybersecurity & Privacy
The DSP is an enterprise-class solution for cybersecurity & privacy documentation consisting of thirty-two (32) domains that defines a modern,...
NIST Cybersecurity Framework (NIST CSF) Based Cybersecurity Policies & Standards
The NIST Cybersecurity Framework (CSF)-based Cybersecurity & Data Protection Program (CDPP) is a set of cybersecurity policies and standards that...
ISO 27002 Based Cybersecurity Policies & Standards - Updated For ISO 27001:2022 & 27002:2022
The Cybersecurity & Data Protection Program (CDPP) is our leading set of ISO 27001/2:2013 / 27001/2:2022-based...