Banking CIO Outlook

ComplianceForge: Comprehensive Cybersecurity and Privacy Documentation

Tom Cornelius, Co-Founder & Senior Partner

Providing cybersecurity and privacy documentation is a niche within the cybersecurity profession, and ComplianceForge is a leader in that field. ComplianceForge's competitive advantage is semi-customized documentation: it delivers comprehensive documentation for a fraction of the cost and time associated with hiring an external consulting firm. This niche specialization addresses a systemic lack of in-house Governance, Risk and Compliance (GRC) knowledge, which is needed to produce the comprehensive documentation that common compliance requirements demand. Because ComplianceForge products are mapped directly to leading practices and written in business language, IT generalists can edit and maintain the documentation.

One area where ComplianceForge sets itself apart is its role in launching the Secure Controls Framework (SCF). According to Tom Cornelius, senior partner and co-founder of ComplianceForge, “Hackers share information on attack methods with other hackers, so why shouldn’t the good guys share information on how to best protect an organization? We decided to take action and make a difference.” That difference was the SCF. “We had the ambitious goal of providing free cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of businesses, regardless of their size, industry or country of origin,” says Cornelius. The end state is a free controls framework that helps companies become and stay compliant with cybersecurity and privacy requirements.

“The latest trend in cybersecurity documentation is that contractual requirements are driving higher expectations for evidence of cybersecurity policies, standards and procedures than what is being demanded by statutory or regulatory changes,” says Cornelius. In addition to the requirement for evidence of due care through documentation, companies are pressed to hire talented personnel to actually execute those requirements.

ComplianceForge lessens the need for GRC specialists, allowing companies to focus on protecting assets and responding to incidents. “Our solutions are all Microsoft Office-based documentation, so our clients are able to customize the documentation for their specific needs with tools they already own and know how to use,” says Cornelius.

Cornelius notes that the cybersecurity and privacy documentation lifecycle is a relatively new concept for businesses: the same policies and standards may exist for a decade or more, continually added to and never revamped. ComplianceForge has found that the catalyst for change is often a staffing change, where outside talent is brought into the organization and, after an assessment of GRC processes, decides that the documentation is outdated or inadequate to meet current or future needs. In these cases, it is generally more efficient and economical to purchase documentation from ComplianceForge than to write it in-house or hire a consultant to write it. Since many technology professionals change jobs every few years, former employees of clients often seek out ComplianceForge from their new employer, because they want the same level of documentation excellence at their current company.

The compliance-focused approach of ComplianceForge’s cybersecurity documentation allows its solutions to scale to any size of business, since it is built on leading industry practices. As evidence of their products’ ability to scale, their clients range from the Fortune 500 down to small businesses.

The company’s documentation products are designed to address an encompassing array of requirements that include the NIST Cybersecurity Framework, the European Union General Data Protection Regulation (EU GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Federal Financial Institutions Examination Council (FFIEC), New York Department of Financial Services (DFS) 23 NYCRR 500, the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012), the Federal Acquisition Regulation (FAR 52.204-21), NIST SP 800-171, and many more.