NIST CSF - Policies & Standards (WISP)

Email Delivery Within 1-2 Business Days

file types are bmp, gif, jpg, jpeg, jpe, jif, jfif, jfi, png, wbmp, xbm, tiff

NIST Cybersecurity Framework (NIST CSF) Based Cybersecurity Policies & Standards 

The NIST Cybersecurity Framework (CSF)-based Written Information Security Program (WISP) is a set of cybersecurity policies and standards that is tailored for smaller organizations that do not need to address more rigorous requirements that are found in ISO 27002 or NIST 800-53.

This product is ideal for organizations that need to align with leading cybersecurity practices, but do not have multiple statutory, regulatory and contractual obligations that are better addressed by a more robust cybersecurity framework. For this reason, the NIST CSF version of our WISP is very popular with insurance brokers, smaller financial organizations, law firms and other professions that need to address cybersecurity in manner scaled for smaller organizations. This includes NY school districts that need to address the NY Education Law 2D that requires NIST CSF compliance.


Product Example - NIST Cybersecurity Framework WISP - Cybersecurity Policies & Standards

This version of the Written Information Security Program (WISP) is based on the NIST Cybersecurity Framework (CSF) framework. It contains cybersecurity policies and standards that align with NIST CSF. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs.

To understand the differences between the NIST 800-53, ISO 27002 and NIST CSF versions of the WISP, please visit here for more details.

logo-2020-product-written-information-security-program-nist-csf-written-it-security-policy-2020.1.jpg   Watch Our Product Walkthrough Video   View Product Example



Example Mapping

Cost Savings Estimate - Written Information Security Program (WISP)

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the WISP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

  • For your internal staff to generate comparable documentation, it would take them an estimated 240 internal staff work hours, which equates to a cost of approximately $18,000 in staff-related expenses. This is about 3-6 months of development time where your staff would be diverted from other work.
  • If you hire a consultant to generate this documentation, it would take them an estimated 140 consultant work hours, which equates to a cost of approximately $42,000. This is about 2-3 months of development time for a contractor to provide you with the deliverable.
  • The WISP is approximately 2% of the cost for a consultant or 5% of the cost of your internal staff to generate equivalent documentation.
  • We process most orders the same business day so you can potentially start working with the WISP the same day you place your order.


The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed. 


Comprehensive NIST Cybersecurity Framework-Based Documentation

Unlike some of our competition that sell “bronze, silver and gold” levels of documentation, we understand that a standard is a standard for a reason. We take out the guesswork associated with picking an appropriate package level - we focus on providing documentation that offers a straightforward solution to provide the appropriate coverage you need. This focus on providing the best solution for our clients makes us proud that we are providing the best set of IT security policies and standards available. Saving a few dollars on a cheap solution can easily leave you with a false sense of security and gaping holes in your documentation that can leave you liable.




The CSF-based WISP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer. This product is an editable, easily implemented document that contains the policies, standards and guidelines that your company can use to establish a leading framework-based cybersecurity security program. Being Microsoft Word documentation, you have the ability to make edits to the documentation.

Our documentation is meant to address your requirements from strategic concepts all the way down to day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. We offer up to 40% discounts on our documentation bundles, so please be aware that you have benefit from significant savings by bundling the documentation you need. You can see the available bundles here

We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident responserisk management or vulnerability management program documents. Our focus is on helping you become audit ready!


What Is The NIST CSF Written Information Security Program (WISP)?

Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The WISP contains NIST Cybersecurity Framework (NIST CSF) based cybersecurity policies & standards in an editable Microsoft Word format:

  • The WISP contains NIST Cybersecurity Framework (CSF)-based cybersecurity policies & standards in an editable Microsoft Word format.
  • Each of the NIST Cybersecurity Framework controls is mapped to a standard within the WISP and each of those standards is mapped to a policy statement.
  • The NIST CSF-based WISP covers version 1.1 of the NIST Cybersecurity Framework.  
  • The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
  • The WISP provides the underlying cybersecurity standards that must be in place, as stipulated by statutory, regulatory and contractual requirements.
  • Just as Human Resources publishes an “employee handbook” to let employees know what is expected for employees from a HR perspective, the WISP does this from a cybersecurity perspective.

What Problem Does The WISP Solve?

  • Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simple are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The WISP is an efficient method to obtain comprehensive NIST CSF based security policies and standards for your organization!
  • Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. The NIST CSF WISP is designed for smaller organizations and focuses on leading security frameworks to address reasonably-expected security requirements. The WISP maps to several leading compliance requirements so you can clearly see what is required!
  • Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The WISP's standards provides mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.  
  • Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The WISP provides this evidence!

How Does The Wisp Solve It

  • Clear Documentation - The WISP provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
  • Time Savings - The WISP can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs. 
  • Alignment With Leading Practices - The NIST-based WISP is written to align your organization with the NIST Cybersecurity Framework! 

Creating A Cybersecurity Program Based On The NIST Cybersecurity Framework

ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 company that have dedicated IT Security staff. All information security policies and standards are backed up by documented best practices. The following leading practices are mapped into the NIST-based Written Information Security Program (WISP) and you will get an Excel spreadsheet with the mapping as part of your purchase:

The NIST Cybersecurity Framework WISP is intended for smaller organizations that "fly under the radar" where they  are not subject to common cybersecurity requirements that would usually dictate alignment with ISO 27002 or NIST 800-53. The NIST Cybersecurity Framework is a perfect framework for smaller organizations to align with in this situation. The following leading practices are mapped into the NIST Cybersecurity Framework (NIST CSF)-based Written Information Security Program (WISP) and you will get an Excel spreadsheet with the mapping as part of your purchase

  • NIST Cybersecurity Framework
  • Federal Acquisition Regulation (FAR) 52.204-21
  • Federal Financial Institutions Examination Council (FFIEC
  • Gramm-Leach-Bliley Act (GLBA)
  • NY Department of Financial Services (NY DFS) 23 NYCRR 500
  • MA 201 CMR 17.00
  • Oregon ID Theft Protection Act (ORS 646A)


FAR vs DFARS (NIST 800-171) Implications 

NIST 800-171 isn’t just for Department of Defense (DoD) contractors. Representatives from the National Institute of Standards and Technology (NIST) and DoD officials have recently been putting this information out in webinars and other training seminars on NIST 800-171. Many of our clients who need to address DFARS 252.204-7012 also have to address FAR 52.204-21. One common question we receive from clients pertains to aligning with the correct security framework to ensure they have the proper coverage for compliance. This generally revolves around aligning with ISO 27001/27002, the NIST Cybersecurity Framework or NIST 800-53, since those are the most common security frameworks.

The bottom line is that utilizing the NIST Cybersecurity Framework or ISO 27001/27002 as a security framework does not directly meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171. Therefore, policies and standards based on NIST 800-53 are what is needed to comply with NIST 800-171. 

This means that only the NIST 800-53 framework is going to meet FAR requirements of NIST 800171 - ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage.



This Is How Good Cybersecurity Documentation Is Meant To Be Structured!

ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 company that have dedicated IT Security staff. All information security policies and standards are backed up by documented best practices.


Hierarchical Approach - Built To Scale & Evolve With Your Business 

Our experience has proven that when it comes to Information Security policies, a standard is a standard for a reason. With that in mind, our Written Information Security Program (WISP) is based on industry-recognized best practices and Information Security standards so that you can meet your legal requirements. Unlike some competitor sites that offer “Bronze, Silver or Gold” packages that may leave you critically exposed, we offer a comprehensive Information Security solution to meet your specific compliance requirements. Why is this? It is simple - in the real world, compliance is penalty-centric. Courts have established a track record of punishing businesses for failing to perform “reasonably expected” steps to meet compliance with known standards. 

The Written Information Security Program (WISP) follows a hierarchical approach to how the structure is designed so that standards map to control objectives and control objectives map to policies. This allows for the standards to be logically grouped to support the policies.


Example Content  
comprehensive-cybersecurity-documentation.jpg   comprehensive-cybersecurity-documentation-example.jpg

Policies are “high level” statements of management’s intent and are intended to guide decisions to achieve rational outcomes. Policies are not meant to be prescriptive, but provide an overall direction for the organization.

Control Objectives support policy by identifying applicable requirements that the organization needs to address. These applicable requirements can be best practices, laws or other legal obligations.

Standards establish formal requirements in regards to processes, actions and configurations. Standards are entirely focused on providing narrowly-focused, prescriptive requirements that are quantifiable.

Procedures are formal methods of performing a task, based on a series of actions conducted in a defined and repeatable manner.

Controls are technical or administrative safeguards that may prevent, detect or lessen the ability of the threat actor to exploit a vulnerability.

Metrics are designed to facilitate decision-making, improve performance, and improve accountability through the collection, analysis, and reporting of relevant performance-related data.



Videos Hide Videos Show Videos

Related Products

Related Products


  • 1. Couldn't have spent the money better elsewhere 5

    These documents saved my team a lot of time and money and accelerated our timeline for completing an aggressive deliverable. There was still a lot of work to do writing policies unique to our business but it really helped not having to focus on documents that we really didn't need to invest time and money in writing.

    - Bryan on Mar 25th 2019

    From a small business / startup perspective, living on razor thin margins, ComplianceForge products are critical. I don’t have 180k laying around to hire cyber security and documentation experts… The NIST 800-171 product offering, of which the WISP is a critical part, will do more than just get you off the ground and running. And compared to other offerings out there on the market, this is the most complete set of documents to get you ready and compliant with NIST 800-171.

    - Steve - CTO, Government Contracting Small Business on Feb 21st 2018
  • 3. Well worth the money 5

    I can’t thank you enough for the tools you guys have created. It has saved us countless hours in the implementation of 800-171.

    - Director of Information Technology on Jan 10th 2018
  • 4. Top quality, cost effective and quick! 5

    I’ve been doing Infosec and Compliance policy work for 15 years and haven’t seen an offering as impressive and easy to implement as Compliance Forge. The WISP 27002 package (with an extra hint of HIPAA), provided us quality and complete content, excellent formatting, flexibility and critical supplemental documentation (exceptions, data classification and handling, roles, risk assessment, RACI, etc.). Of course you have to customize but that’s fast and easy and it would be great to have some of the control content in Excel. Controls are linked to authoritative sources through clear annotation; policy implementation time is cut in half - at least. Other market offerings couldn’t meet control requirements or ease of use and we had to invest in a framework that our clients and regulators instantly recognized. Compliance Forge is “one and done” at a fraction of the competition’s price and tremendous. Support is top notch.

    - JT Jacoby, Information Security, International Rescue Committee on Nov 16th 2016
  • 5. Great product and great price 5

    A good start to a proper security plan. Compliance Forge Support is very responsive and very helpful.

    - Sean on Oct 9th 2016

Find Out Exclusive Information On Cybersecurity