Compliance Forge offers Security Program Documentation That Allows Organizations To Align to the CIS Controls

Compliance Forge Offers Comprehensive Mapping To CIS Controls

Compliance Forge specializes in professionally written information security documentation that helps businesses get and stay compliant with cybersecurity requirements. Its IT security policies and standards are offered as affordable, editable, professional, and compliance-focused solutions. Tom Cornelius, a Senior Partner at Compliance Forge, stated, “We’ve been leveraging the Center for Internet Security Critical Security Controls (CIS Controls) for years, as it mapped into ISO 27002 and NIST 800-53. Recently, we launched the Digital Security Program (DSP), which is a hybrid approach to security documentation that takes a ‘best in class’ approach to developing a comprehensive security program. This greatly expanded our mapping to include all CIS Controls, as well as two dozen other leading frameworks.”

CIS Controls

Compliance Forge found that most companies cannot adopt a cookie-cutter framework when it comes to compliance. While a company might want to align with ISO 27002, it may face requirements to “bolt on” controls for privacy, cloud, or e-commerce security in order to stay compliant with its legal and contractual obligations.

“Many companies we assist with their security program documentation talk about the CIS Controls. When I found a program where we could partner with CIS, it was easy to see this was a great option for both our clients and our business model. We wanted to make sure that if a company wants to address all of the CIS Controls, our security documentation will provide a scalable and editable foundation for their policies, standards, controls and metrics. Through client interaction, we observed that CIS Controls are well known, but no one is enforcing CIS Controls in broad practice. Most commonly, CIS Controls were used to perform vendor risk assessments, and the vendors being assessed were unprepared to show evidence of due care and due diligence to demonstrate compliance with these requirements, since in some ways the CIS Controls are more prescriptive than ISO and NIST. The CIS Controls definitely fill a gap that other leading frameworks gloss over, and that is where we reference them,” stated Mr. Cornelius.

Compliance Forge’s new Digital Security Program (DSP) is their most comprehensive document; it leverages two dozen leading frameworks, including the CIS Controls. The result is documentation that creates a comprehensive, enterprise-class security program. “Digital Security” is the all-encompassing security ecosystem, as it addresses technology, information, physical security, privacy and safety. The DSP is built to scale and adapts to the needs of the organization, all the while mapping to leading security frameworks. The modular nature of the DSP means that each policy has its own standards, all the way down to mapped controls and metrics. The structure of the DSP allows an organization to add or remove policy sections and standards as business needs change. A unique feature of the DSP is that it comes both as an editable MS Word document and as an Excel workbook for importing into a GRC solution. The DSP consists of thirty-two policies with control objectives, standards and guidelines. It also comes with controls and metrics, which can enable an organization to quickly improve the maturity of its security program.

Mr. Cornelius explained that the editable nature of the DSP’s policies and standards allows companies to customize the documentation to meet specific needs. These documents are footnoted with references that make it easy to understand the applicable best practices and legal requirements. These professionally written security policies include mappings for NIST 800-53 (moderate requirements), ISO 27002, CIS Controls, NIST 800-171, NIST CSF, PCI DSS, HIPAA, GLBA, FACTA, MA 201 CMR 17, DIACAP, SOC 2, FedRAMP compliance and more.

Mr. Cornelius stated, “We fill a niche market. We are corporate America’s dirty little secret!” Compliance Forge writes a great deal of security program documentation for clients ranging from the Fortune 100 to the SMB market. In their experience, many companies, both large and small, do not want to write their own documentation, nor do they want to spend hundreds of thousands of dollars on consulting firms to write something generic that will not be used. This is the niche Compliance Forge fills: the mid-level managers, IT security staff, and IT directors who seek out its products. This program-level documentation includes the Digital Security Program (DSP), ISO- or NIST-based Written Information Security Program (WISP), Vendor Compliance Program (VCP), Cybersecurity Risk Management Program, PCI DSS v3.2 Information Security Policy and Standards, Vulnerability and Patch Management Program (VPMP), Cybersecurity Risk Assessment Template, NIST 800-171 Compliance Criteria and NIST 800-53 Based Information Security Assessment Template.

Product Metrics

The Digital Security Program (DSP) from Compliance Forge provides metrics that are designed to facilitate decision-making, improve performance, and improve accountability through the collection, analysis and reporting of relevant performance-related data.

Vendor Assessments

Mr. Cornelius mentioned, “We have seen an increase in vendor risk assessments over the last two years, due in large part to version 3 of PCI DSS. This new vendor management requirement puts the liability on the merchant to ensure it evaluates security in picking and using its vendors.” He pointed out that nearly all companies accept payment cards, regardless of industry vertical, and that this has been a major driver for upgrading their security programs to address these new requirements. In addition, he mentioned that the new NIST 800-171 regulations have a similar impact on US government contractors, which are now expected to have security programs in place.

He said, “Taking someone’s word for it is no longer enough. Many third parties are requesting either self-attestations or third-party audits.” Mr. Cornelius believes this is being driven by insurance requirements, external partners, and vendors. This change is forcing companies to demonstrate a level of maturity they have not had to show before. It is also a requirement companies cannot hide from, since they will lose contracts or be down-selected for not meeting minimum contract requirements.