Premium Cybersecurity Documentation For Your GRC Platform

If you are looking to jump start your GRC platform with editable cybersecurity policies, standards, controls, procedures and metrics then you have found the right place! Our documentation is widely used by many GRC platforms to solve the problem of weak "out of the box" GRC content. Our solution is:

  • Affordable

  • Editable

  • Scalable

  • Professionally-written

Clients have imported our controls and premium content into these and other GRC platforms: 

  • Ostendio MyVCM

  • Reciprocity ZenGRC

  • Ignyte Assurance Platform

  • LogicGate

  • Strake/IR

  • RequirementONE

  • ServiceNow (GRC module)

  • RSA Archer

  • RSAM

  • MetricStream

  • Allgress



Editable GRC Content

ComplianceForge offers a cost-effective and timely solution to the poorly-constructed or outdated cybersecurity documentation that hampers the onboarding and overall functionality of GRC platforms. Without documentation designed for a GRC platform, it is the equivalent of buying a new car and having your old engine installed. Your GRC platform is designed to make you more efficient, so you need content that will deliver on that promised functionality.

Leading Cybersecurity Framework Alignment

ISO 27002? NIST Cybersecurity Framework? NIST 800-53? Yes! We can provide content for those common cybersecurity frameworks, as well as several others! Our documentation solutions are based on leading cybersecurity and privacy practices.


Solving The Content Problem With GRC

ComplianceForge offers a unique product lineup to provide “premium content” to GRC customers, since GRC customers generally face two (2) less-than-optimal options when onboarding to a GRC platform:

  1. Import your legacy documentation (e.g., existing policies, standards, procedures and controls) that likely is not designed to scale or to be used in a GRC instance; or

  2. Utilize overly generic "free content" from the GRC platform that is included in the basic subscription.


Generally, neither of those scenarios is optimal for the following reasons:

  • “Traditional” cybersecurity documentation is generally not written in a hierarchical manner that makes importing into a GRC platform a simple process. This is equivalent to making a square peg fit into a round hole.

  • Customers want to hit the ground running, but generic GRC platform content requires significant customization to operationalize it for all but the most basic GRC implementations.

  • More often than not, GRC customers expect the GRC platform to include mapped controls to meet all of their applicable statutory, regulatory and contractual needs.

Our documentation is simply premium content for your GRC solution! Our products can provide a GRC platform with a customer-satisfying “tooth to tail” documentation solution:

  • Policies are mapped to control objectives.

  • Control objectives are mapped to standards.

  • Standards are mapped to controls.

  • Controls are mapped to procedures.

  • Metrics are mapped to controls.

  • Roles & responsibilities for procedures are mapped to the NIST NICE Cybersecurity Workforce Framework.

  • Program-level documentation exists to help clients operationalize the policies & standards.


"Full Stack" Cybersecurity Documentation - More Than Policies & Standards

We offer more than just policies & standards! Written cybersecurity policies and standards are just part of the requirements that organizations need to implement and maintain a reputable cybersecurity program. When it boils down to it, companies implement cybersecurity documentation for several key business reasons:

  • Comply with statutory, regulatory and contractual obligations;

  • Reduce operational losses from cybersecurity incidents; and

  • Maintain a competitive advantage through protecting Intellectual Property (IP).


From the compliance perspective, it is a two-sided coin where a company must demonstrate evidence of (1) due care and (2) due diligence. Written cybersecurity documentation is great at providing a written artifact to demonstrate due care, but it will not provide evidence of due diligence. ComplianceForge’s product line contains operational-level guidance for key cybersecurity components to help organizations provide evidence of due diligence.

The diagram shown below helps visualize the linkages in documentation that involve written procedures:


  • STANDARDS are written to support CONTROL OBJECTIVES

  • PROCEDURES are written to implement the requirements that STANDARDS establish

  • CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their capabilities are implemented and/or functioning

  • METRICS exist as a way to measure the performance of CONTROLS


Integrated Risk Management

Cybersecurity documentation is an active defense and an integral component of risk management. What can possibly go wrong with non-compliance with a law, regulation or contract?

  • Contract Termination. It is reasonably expected that the other party will terminate contracts over non-compliance with major cybersecurity and privacy requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance may also cause a prime contractor to be non-compliant, as a whole.

  • Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).

  • Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a non-compliance related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., no documented procedures).

  • Fines. The Federal Trade Commission (FTC) has authority to investigate and fine companies found to have poor security programs. In addition to fines, companies can be forced to pay for recurring, annual audits to demonstrate cybersecurity program effectiveness.