Security Documentation Does Have A Life Cycle
Cybersecurity is a constantly-evolving field and this means security documentation eventually needs updates to reflect changes. These changes tend to come from evolving statutory, regulatory or contractual requirements, but documentation changes also come from evolving technologies. However, ComplianceForge designed its documentation to help with managing the life cycle of your organization's documentation through a hierarchical model that is easy to update and maintain. Our documentation is targeted for a 3-5 year life cycle before a major upgrade is needed.
- Policies - Policy statements are the most static components of the documentation hierarchy, since policies focus on high-level statements of management intent. Policies should be good for 3-5 years without making changes.
- Standards - For the most part, standards generally change when influenced by a statutory, regulatory or contractual obligation. Standards can also change when new technologies are introduced. Annual reviews of standards are needed to ensure those are still accurate for your environment, but similar to policies, your standards should be good for a 3-5 year life cycle without making many changes.
- Procedures - Procedures are the most dynamic component of your security documentation. Procedures are influenced by your available people, processes and technologies, so you have to expect procedure documentation to be a "living document" where it requires ongoing attention to keep it current.
NOTE - As of August 2018, there is no clear date on when NIST will release the final version of NIST 800-53 rev 5. ComplianceForge already completed work on the updated version of the NIST-based WISP, based on the initial draft version of NIST 800-53 rev 5 but we will not release the updated version until NIST releases the official version of 800-53 rev5. We are going to "grandfather" upgrades to the new version of the NIST-based WISP for clients going back to February 2017, since that was the original release timeline for the new version from NIST. ComplianceForge will announce the release of the NIST 800-53 rev5 WISP via its newsletter and provide upgrade instructions to existing customers for this product. There will be a 60-day window for existing customers to request the complimentary upgrades and after that point, the default upgrade pricing is applicable.
In an effort to reward existing customers, we have three different tiers of pricing for upgrades:
- Within 90 days of purchase - No charge
- Within 365 days of purchase - 25% of current product price
- Beyond 365 days of purchase - 50% of current product price
Why We Charge For Updates
It takes our staff time to keep current on these changes and we need to cover our costs so that we can continue to offer these quality products. For minor updates to mapping spreadsheets, we do not charge for those.
How To Get An Update
Contact us at firstname.lastname@example.org to start the process. We will send you an invoice that you can pay online or with a check. Upgrades are only eligible for purchases by the company that made the original purchase.
We let our customers know about major product updates and new products through our newsletter. You can sign up for the newsletter when you create an account or you can email us at email@example.com and we'll add you to the newsletter.