In both the Written Information Security Program (WISP) and Digital Security Program (DSP), we use a hierarchical model to design the documentation. The idea is that the structure allows policies to be mapped all the way down to metrics.
Policies are “high level” statements of management’s intent and are intended to guide decisions to achieve rational outcomes. Policies are not meant to be prescriptive, but to provide an overall direction for the organization.
Control Objectives support policy by identifying applicable requirements that the organization needs to address. These applicable requirements can be best practices, laws or other legal obligations.
Standards establish formal requirements regarding processes, actions and configurations. Standards are entirely focused on providing narrowly scoped, prescriptive requirements that are quantifiable.
Procedures are formal methods of performing a task, based on a series of actions conducted in a defined and repeatable manner.
Controls are technical or administrative safeguards that may prevent, detect or lessen the ability of the threat actor to exploit a vulnerability.
Metrics are designed to facilitate decision-making, improve performance, and improve accountability through the collection, analysis, and reporting of relevant performance-related data.
Give us a call or send us an email - we are happy to help you find the right solution for your needs! Each of our products is unique, but we have coverage for the following cybersecurity and privacy frameworks: