GRC-Ready Procedures / Control Activities   

Properly-written cybersecurity procedures are both clearly-written and concise, since these procedures are meant to provide evidence of due diligence that standards are complied with.


Procedures are critical to a security program, since procedures represents the specific activities that are performed to protect systems and data.


Logo - Product - Cybersecurity Standardi

ComplianceForge developed a standardized template for procedures and control activity statements, the Cybersecurity Standardized Operating Procedures (CSOP). For anyone who has written procedures, the answer for why companies routinely fail to maintain procedures is clear - it can take considerable time and effort to properly document processes!


Part of this problem is tied to a lack of leading practices around what good procedures look like - every organization tends to do something different, based on internal staff preferences or auditor pressure. This leads to a lack of standardization across departments and business functions, which can be an issue when trying to maintain "what right looks like" if a benchmark does not exist.


Given the difficult nature of writing templated procedure statements, we aimed for approximately a "80% solution" since it is impossible to write a 100% complete cookie cutter procedure statement that can be equally applied across multiple organizations.


What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who / what / when / where / why / how to make it complete. 

   Requirements For Procedures   

There are clear needs for having documented cybersecurity procedures. Below is a short list of statutory and regulatory requirements, as well as leading cybersecurity frameworks, that fully expect every organization documents and maintains cybersecurity-related procedures. If you need to address one or more of those frameworks, then you need to maintain documented procedures.


  • CIS CSC 7

  • Criminal Justice Information Services (CJIS)

  • COBIT5

  • COSO



  • FedRAMP



  • ISO 27001

  • ISO 27002

  • ISO 27018

  • ISO 29100

  • ISO 39100

  • New Zealand Information Security Manual (NZISM)

  • NIST Cybersecurity Framework

  • NIST 800-53

  • NIST 800-160

  • NIST 800-171

  • NY DFS 23 NYCRR 500


  • SOC 2

  • UK Cyber Essentials

  • UL 2900-1

   NIST NICE Cybersecurity Workforce - Roles & Responsibilities   

The Cybersecurity Standardized Operating Procedures (CSOP) leverages the NIST NICE Cybersecurity Workforce Framework. The purpose of this framework is that work roles have an impact on an organization’s ability to protect its data, systems and operations. By assigning work roles, it helps direct the work of employees and contractors to minimize assumptions about who is responsible for certain cybersecurity and privacy tasks. 

The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to help make assigning the tasks associated with procedures/control activities more efficient and manageable. Keep in mind these are merely recommendations and are fully editable for every organization – this is just a helpful point in the right direction!

CSOP - NIST NICE Framework Alignment.jpg