GRC-Ready Procedures / Control Activities

Properly written cybersecurity procedures are both clearly written and concise, since these procedures are meant to provide evidence of due diligence that standards are being complied with.


Procedures are critical to a security program, since procedures represent the specific activities that are performed to protect systems and data.



ComplianceForge developed a standardized template for procedures and control activity statements, the Cybersecurity Standardized Operating Procedures (CSOP). For anyone who has written procedures, the reason companies routinely fail to maintain procedures is clear: it can take considerable time and effort to properly document processes!


Part of this problem is tied to a lack of leading practices around what good procedures look like. Every organization tends to do something different, based on internal staff preferences or auditor pressure. This leads to a lack of standardization across departments and business functions, which makes it hard to maintain "what right looks like" when no benchmark exists.

Given the difficult nature of writing templated procedure statements, we aimed for approximately an "80% solution", since it is impossible to write a 100% complete cookie-cutter procedure statement that can be applied equally across multiple organizations.


What this means is that ComplianceForge did the heavy lifting, and you only need to fine-tune each procedure with the specifics that only you would know to make it applicable to your organization. It is largely a matter of filling in the blanks and following the guidance we provide to identify the who / what / when / where / why / how that makes the procedure complete.

Requirements For Procedures

There are clear needs for having documented cybersecurity procedures. Below is a short list of statutory and regulatory requirements, as well as leading cybersecurity frameworks, that expect every organization to document and maintain cybersecurity-related procedures. If you need to address one or more of these frameworks, then you need to maintain documented procedures.


  • CIS CSC 7
  • Criminal Justice Information Services (CJIS)
  • COBIT5
  • COSO
  • FedRAMP
  • ISO 27001
  • ISO 27002
  • ISO 27018
  • ISO 29100
  • ISO 39100
  • New Zealand Information Security Manual (NZISM)
  • NIST Cybersecurity Framework
  • NIST 800-53
  • NIST 800-160
  • NIST 800-171
  • NY DFS 23 NYCRR 500
  • SOC 2
  • UK Cyber Essentials
  • UL 2900-1

NIST NICE Cybersecurity Workforce - Roles & Responsibilities

The Cybersecurity Standardized Operating Procedures (CSOP) leverages the NIST NICE Cybersecurity Workforce Framework. The premise of this framework is that work roles have an impact on an organization’s ability to protect its data, systems and operations. Assigning work roles helps direct the work of employees and contractors and minimizes assumptions about who is responsible for specific cybersecurity and privacy tasks.

The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to make assigning the tasks associated with procedures/control activities more efficient and manageable. Keep in mind that these are merely recommendations and are fully editable for every organization – they are just a helpful point in the right direction!

© Compliance Forge, LLC (ComplianceForge). All Rights Reserved.

This website does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. Compliance Forge, LLC (ComplianceForge) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. ComplianceForge does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

ComplianceForge reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.
