ISO 27002 Based Cybersecurity Policies & Standards
The Written Information Security Program (WISP) is our leading set of ISO 27002:2013-based set of cybersecurity policies and standards. This is a comprehensive, customizable, easily implemented document that contains the policies, control objectives, standards and guidelines that your company needs to establish a world-class IT security program. Being Microsoft Word documents, you have the ability to make edits, as needed.
When you look at ISO 27002 as it compares to other cybersecurity frameworks, it is right in the middle of the spectrum, based on the topics it covers. ISO 27002 (same as Appendix A from ISO 27001) consists of 14 different sections that correspond to a specific set of cybersecurity controls. The ISO 27002 WISP has a policy for each of these 14 sections and standards to address the controls of this framework. You can see example of the ISO 27002 WISP's policies and standards below, as well as a product walkthrough video.
Product Example - ISO 27002 WISP - Cybersecurity Policies & Standards
This version of the Written Information Security Program (WISP) is based on the ISO 27002:2013 framework. It contains cybersecurity policies and standards that align with ISO 27001/27002. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs. To understand the differences between the NIST 800-53, ISO 27002 and NIST CSF versions of the WISP, please visit here for more details.
|Watch Our Product Walkthrough Video||View Product Example|
Example ISO 27002 WISP
Cost Savings Estimate - Written Information Security Program (WISP)
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the WISP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
- For your internal staff to generate comparable documentation, it would take them an estimated 240 internal staff work hours, which equates to a cost of approximately $18,000 in staff-related expenses. This is about 3-6 months of development time where your staff would be diverted from other work.
- If you hire a consultant to generate this documentation, it would take them an estimated 140 consultant work hours, which equates to a cost of approximately $42,000. This is about 2-3 months of development time for a contractor to provide you with the deliverable.
- The WISP is approximately 2% of the cost for a consultant or 5% of the cost of your internal staff to generate equivalent documentation.
- We process most orders the same business day so you can potentially start working with the WISP the same day you place your order.
The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed.
Comprehensive ISO 27002-Based Documentation
The WISP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.
Unlike some of our competition that sell “bronze, silver and gold” levels of documentation, we understand that a standard is a standard for a reason. We remove the guesswork associated with picking an appropriate package level - we focus on providing documentation that offers a straightforward solution to provide the appropriate coverage you need. This focus on providing the best solution for our clients makes us proud that we are providing the best set of IT security policies and standards available. Saving a few dollars on a cheap solution can easily leave you with a false sense of security and gaping holes in your documentation that can leave you liable.
Our customers choose the ISO 27002 Written Information Security Program (WISP) because they:
- Have a need for comprehensive IT security documentation built on an industry framework
- Need to be able to edit the document to their specific needs
- Have documentation that is directly linked to best practices, laws and regulations
- Need an affordable solution
What Is The Written Information Security Program (WISP)?
Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The WISP contains NIST 800-53 based cybersecurity policies & standards in an editable Microsoft Word format:
- Each of the ISO 27002:2013 major sections has a policy associated with it, so there is a total of 14 policies.
- Under each of the policies are standards that support it.
- The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
- The WISP provides the underlying cybersecurity standards that must be in place, as stipulated by statutory, regulatory and contractual requirements.
- Just as Human Resources publishes an “employee handbook” to let employees know what is expected for employees from a HR perspective, the WISP does this from a cybersecurity perspective.
What Problem Does The WISP Solve?
- Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simple are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The ISO-based WISP is an efficient method to obtain comprehensive ISO 27002:2013-based security policies and standards for your organization!
- Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to EU GDPR. The WISP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements. The WISP maps to several leading compliance frameworks so you can clearly see what is required!
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The WISP's standards provides mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.
- Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The WISP provides this evidence!
How Does the WISP Solve It?
- Clear Documentation - The WISP provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - The WISP can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
- Alignment With Leading Practices - The ISO-based WISP is written to align your organization with ISO 27002:2013!
Creating A Cybersecurity Program Based On ISO 27002 - Information Security Management System (ISMS)
ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 company that have dedicated IT Security staff. All information security policies and standards are backed up by documented best practices. The following leading practices are mapped into the ISO-based Written Information Security Program (WISP) and you will get an Excel spreadsheet with the mapping as part of your purchase:
- ISO 27002
- FAR 52.204-21
- NIST Cybersecurity Framework
- PCI DSS v3.2
- MA 201 CMR 17.00
- NY DFS 23 NYCRR 500
- OR 646A
- UK Cyber Essentials
- UK Data Protection Act
This Is How ISO 27002 Cybersecurity Documentation Is Meant To Be Structured!
ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 company that have dedicated IT Security staff. All information security policies and standards are backed up by documented best practices.
Hierarchical Approach - Built To Scale & Evolve With Your Business
Our experience has proven that when it comes to Information Security policies, a standard is a standard for a reason. With that in mind, our Written Information Security Program (WISP) is based on industry-recognized best practices and Information Security standards so that you can meet your legal requirements. Unlike some competitor sites that offer “Bronze, Silver or Gold” packages that may leave you critically exposed, we offer a comprehensive Information Security solution to meet your specific compliance requirements. Why is this? It is simple - in the real world, compliance is penalty-centric. Courts have established a track record of punishing businesses for failing to perform “reasonably expected” steps to meet compliance with known standards.
The Written Information Security Program (WISP) follows a hierarchical approach to how the structure is designed so that standards map to control objectives and control objectives map to policies. This allows for the standards to be logically grouped to support the policies.
Policies are “high level” statements of management’s intent and are intended to guide decisions to achieve rational outcomes. Policies are not meant to be prescriptive, but provide an overall direction for the organization.
Control Objectives support policy by identifying applicable requirements that the organization needs to address. These applicable requirements can be best practices, laws or other legal obligations.
Standards establish formal requirements in regards to processes, actions and configurations. Standards are entirely focused on providing narrowly-focused, prescriptive requirements that are quantifiable.
Procedures are formal methods of performing a task, based on a series of actions conducted in a defined and repeatable manner.
Controls are technical or administrative safeguards that may prevent, detect or lessen the ability of the threat actor to exploit a vulnerability.
Metrics are designed to facilitate decision-making, improve performance, and improve accountability through the collection, analysis, and reporting of relevant performance-related data.
The Most Comprehensive ISO 27002-Based Security Documentation Available Online
The ISO 27002-based Written Information Security Program (WISP) is a Microsoft Word document that contains Information Security-related policies, standards, procedures and guidelines that are customized to your organization. The WISP is a comprehensive document that you can edit to your own specific needs, so you have the flexibility to make changes as you need. The WISP i is a fraction of the cost of doing it yourself or hiring a consultant to write one for you. Lesser Information Security policies and standards are a liability that could prove immensely costly if they do not meet all of your current and future compliance needs.
Our Written Information Security Program (WISP) contains fourteen information security policies that map directly to ISO 27002:2013:
- Information Security Program Policy
- Information Security Organization Policy
- Human Resource Security Policy
- Asset Management Policy
- Access Control Policy
- Cryptography Policy
- Physical & Environmental Security Policy
- Operations Security Policy
- Communications Security Policy
- System Acquisition, Development & Maintenance Policy
- Vendor Management Policy
- Information Security Incident Management Policy
- Business Continuity Management Policy
- Compliance Policy
Each of these policies contain multiple standards and guidelines, so the Written Information Security Program (WISP) provides your company with a scalable, best practices-based set of documentation to address your needs now and in the future!
In addition to ISO-based Cybersecurity Policies & Standards, The ISO 27002 WISP Comes With These Supplemental Cybersecurity Resources
As an extra bonus, we include the following supplemental documentation at no additional cost:
- Excel spreadsheet that maps the standards to multiple statutory, regulatory and contractual frameworks
- User acknowledgement form
- User equipment receipt of issue
- Service provider non-disclosure agreement form
- Incident response form
- Information Security Officer (ISO) appointment orders
- Administrator account request form
- Change Control Board (CCB) meeting documentation template
- Plan of Action & Milestones (POA&M) documentation template
- Ports, protocols & services documentation template
- Statutory, Regulatory & Legal compliance checklist
- Incident Response Plan (IRP) template
- Business Impact Analysis (BIA) template
- Disaster Recovery Plan (DRP) template
- Business Continuity Plan (BCP) template
- Privacy Impact Assessment (PIA) template
- Electronic discovery (e-discovery) guidelines
This documentation saves hundreds of hours by not having to make it on your own!
Why Does Your Business Need A Written Information Security Program (WISP)?
It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft. If you have two or more employees, a WISP is just as important as the professional liability insurance you carry on your business. The ISO 27002 Written Information Security Program (WISP) provides a comprehensive framework to manage your company’s Information Security program. The ISO 27002 Written Information Security Program (WISP) allows you to implement and document the steps to be compliant with Federal, state and industry laws and regulations.
It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft. If you have two or more employees, a WISP is just as important as the professional liability insurance you carry on your business.
We were the industry's first source for a customized, on-demand Written Information Security Program (WISP) that is specifically tailored for small and medium sized business. Our Written Information Security Program (WISP) follows industry-recognized best practices (e.g. ISO 27001 and ISO 27002) and we reference applicable laws, requirements, standards, and best practices that businesses need to follow to be considered compliant with common information security requirements. Unfortunately, ignorance is neither bliss, nor is it an excuse! What your employees do not know has the proven ability to hurt your company. In terms of liability for a company, security does not exist until it is documented.
The benefits of Information Security for businesses of any size are many:
- Decreased costs - less reactive IT support
- Improved productivity - decreased distractions
- Less virus & spyware outbreaks - decreased downtime & expense
- More efficient operations - better performing network & computers
- Better accountability of assets & resources
- Better educated & trained employees
- Having documentation to prove you are doing the right thing
How Is A Written Information Security Program (WISP) Applicable To You?
Our ISO 27002-based Written Information Security Program (WISP) is something applicable to every business, regardless of the number of employees. The harsh reality is that small and medium-sized businesses have always been at a disadvantage when it comes to securing their networks from threats. Generally, the lack of IT expertise and staffing are the contributing factors, but the overwhelming issue is a false sense of security.
Most smaller businesses lack a dedicated IT staff and must rely on outsourced expertise. This is a good solution for most technology needs, but the vast majority of IT companies that support smaller businesses lack the expertise to properly consult their clients on Information Security and what compliance issues they should be concerned with. This is where ComplianceForge is a wonderful resource, since our focus on Information Security products and services can be implemented by your current IT provider. We provide them with the roadmap and the tools to properly secure your network and make you compliant. It is as easy as that!
Lesser products are a liability that could prove immensely costly if they do not meet all of your current and future compliance needs. Since ignorance is neither bliss, nor is it an excuse, you need to be able to prove you followed due care & due diligence to protect your business. In terms of liability for a company, security does not exist until it is documented! We developed our products based on NIST 800-53 and ISO 27002 best practices, which follow the ISO 27001 framework for an Information Security Management System (ISMS). This false sense of security comes from business owners not asking the question of what issues they should be compliant with and from the IT provider or staff not being proactive and bringing up compliance issues to management. This scenario creates a dangerous set of assumptions that can potentially put the company out of business.
Which Product Is Right For You?
Our documentation is meant to address your requirements from strategic concepts all the way down to day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. We offer up to 45% discounts on our documentation bundles, so please be aware that you have benefit from significant savings by bundling the documentation you need. You can see the available bundles here.
We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!