NIST Cybersecurity Framework - Tailored IT Security Policies & Standards For Smaller Organizations

The NIST Cybersecurity Framework (CSF)-based Written Information Security Program (WISP) is a set of cybersecurity policies and standards tailored for smaller organizations that do not need to address more rigorous requirements, such as ISO 27002 or NIST 800-53. This product is an editable, easily implemented document that contains the policies, standards and guidelines that your company can use to establish a leading framework-based cybersecurity program. Because the documentation is in Microsoft Word format, you can make edits as needed.

Unlike some of our competition that sell “bronze, silver and gold” levels of documentation, we understand that a standard is a standard for a reason. We take out the guesswork associated with picking an appropriate package level - we focus on providing documentation that offers a straightforward solution to provide the appropriate coverage you need. This focus on providing the best solution for our clients makes us proud that we are providing the best set of IT security policies and standards available. Saving a few dollars on a cheap solution can easily leave you with a false sense of security and gaping holes in your documentation that can leave you liable.

The CSF-based WISP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.


Editable MS Word Template


Editable MS Excel Mapping Matrix

What Is The NIST CSF-Based Written Information Security Program (WISP)?

  • The WISP contains NIST Cybersecurity Framework (CSF)-based cybersecurity policies & standards in an editable Microsoft Word format.
    • Each of the NIST Cybersecurity Framework controls is mapped to a standard.
    • Each of the standards is mapped to a policy.
    • The NIST CSF-based WISP covers version 1.1 of the NIST Cybersecurity Framework.  
  • The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
    • The WISP provides the underlying cybersecurity standards that must be in place, as stipulated by statutory, regulatory and contractual requirements.
    • Just as Human Resources publishes an “employee handbook” to let employees know what is expected of them from an HR perspective, the WISP does this from a cybersecurity perspective.

We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!


   What Problem Does The NIST CSF WISP Solve?  

  • Lack of In-House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at, and they avoid the task at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The NIST Cybersecurity Framework-based WISP is an efficient method to obtain comprehensive NIST Cybersecurity Framework-based security policies and standards for your organization!
  • Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. The NIST CSF WISP is designed for smaller organizations and focuses on leading security frameworks to address reasonably-expected security requirements. The WISP maps to several leading compliance requirements so you can clearly see what is required!
  • Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The WISP's standards provide mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.
  • Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The WISP provides this evidence!

 How Does the NIST CSF WISP Solve It?  

  • Clear Documentation - The WISP provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
  • Time Savings - The WISP can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs. 
  • Alignment With Leading Practices - The NIST CSF WISP is written to align your organization with the NIST Cybersecurity Framework!  


SEE FOR YOURSELF - EXAMPLE NIST CSF IT Security Policies & Standards 

Don't take our word for it - take a look at the examples of NIST Cybersecurity Framework (NIST CSF) written IT security policy and standard statements to see for yourself the level of professionalism and detail that went into it.


NIST Cybersecurity Framework Security Program

Our customers choose the NIST Cybersecurity Framework Written Information Security Program (WISP) because:

  • There is a need for IT security documentation built on an industry framework
  • The ISO 27002 and NIST 800-53 WISP versions are "overkill" for their needs (note - the NIST 800-53 version of the WISP covers all NIST Cybersecurity Framework requirements)
  • Documentation needs to be editable
  • Solution needs to be affordable for smaller businesses 


The NIST Cybersecurity Framework WISP is intended for smaller organizations that "fly under the radar" because they are not subject to common cybersecurity requirements that would usually dictate alignment with ISO 27002 or NIST 800-53. The NIST Cybersecurity Framework is a perfect framework for smaller organizations to align with in this situation.

The following leading practices are mapped into the NIST Cybersecurity Framework (NIST CSF)-based Written Information Security Program (WISP) and you will get an Excel spreadsheet with the mapping as part of your purchase:

  • NIST Cybersecurity Framework
  • Federal Acquisition Regulation (FAR) 52.204-21
  • NY Department of Financial Services (NY DFS) 23 NYCRR 500
  • MA 201 CMR 17.00
  • Oregon ID Theft Protection Act (ORS 646A)


FAR vs DFARS (NIST 800-171) Implications 

Many of our clients who need to address DFARS 252.204-7012 (NIST 800-171) also have to address FAR 52.204-21. One common question we receive from clients pertains to aligning with the correct security framework to ensure they have the proper coverage for compliance. This generally revolves around aligning with ISO 27001/27002 or NIST 800-53, since those are the two most common security frameworks.

The bottom line is that utilizing the NIST Cybersecurity Framework or ISO 27001/27002 as a security framework does not meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171. Therefore, policies and standards based on NIST 800-53 are what is needed to comply with NIST 800-171. 

When you look at choosing ISO or NIST from the viewpoint of complying with US government regulations, there are considerations that need to be accounted for since FAR has different requirements from DFARS.

  • If you only need to address FAR 52.204-21, it is possible to comply with either the NIST Cybersecurity Framework, ISO 27002 or NIST 800-53.
  • However, if you need to address DFARS 252.204-7012, then both the NIST Cybersecurity Framework and ISO 27002 will be insufficient and you need to align with NIST 800-53.



This Is How Cybersecurity Documentation Is Meant To Be Structured!

ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. 

Since the NIST Cybersecurity Framework-based WISP is intended for smaller organizations, we removed the Control Objectives from this version of the WISP. This is intended to streamline the document and allow smaller organizations to focus on the policies and standards. Larger or more mature organizations generally benefit from Control Objectives by having a central mapping point for statutory, regulatory and contractual compliance requirements. The included Excel spreadsheet provides clear mapping to the NIST CSF, FAR, NY DFS and several state data protection requirements. 



Written Information Security Program (WISP) Cost Savings Estimate

As you can see, when you factor in internal staff time to perform reviews and refinements with key stakeholders, purchasing a WISP from ComplianceForge is approximately 4% ($17,000+ savings) of the cost as compared to writing your own documentation and 2% ($41,000+ savings) of the cost as compared to hiring a consultant to write it for you!



Which Product Is Right For You?

Our documentation is meant to address your requirements from strategic concepts all the way down to day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. 

We offer up to 40% discounts on our documentation bundles, so please be aware that you can benefit from significant savings by bundling the documentation you need. You can see the available bundles here.




In addition to NIST Cybersecurity Framework-based IT Security Policies & Standards, NIST CSF WISP Comes With These Supplemental IT Security Resources

As an extra bonus, we include the following supplemental documentation at no additional cost:

  • User acknowledgement form
  • User equipment receipt of issue
  • Service provider non-disclosure agreement form
  • Incident response form
  • Information Security Officer (ISO) appointment orders
  • Administrator account request form
  • Change Control Board (CCB) meeting documentation template
  • Plan of Action & Milestones (POA&M) documentation template
  • Ports, protocols & services documentation template
  • Statutory, Regulatory & Legal compliance checklist
  • Incident Response Plan (IRP) template
  • Business Impact Analysis (BIA) template
  • Disaster Recovery Plan (DRP) template
  • Business Continuity Plan (BCP) template
  • Privacy Impact Assessment (PIA) template
  • Electronic discovery (e-discovery) guidelines




