Compliance forge explains that procedures represent an established way of doing something such as a series of actions conducted in a specified order or manner.
The CSOP is fully-editable and is delivered as editable Microsoft Word and Excel files, so there is no software to install. If you can use Microsoft Office, then you can edit these procedures!
One very special aspect of the CSOP is that it leverages the NIST NICE Cybersecurity Workforce Framework.
NIST released the NICE framework in 2017 with purpose of streamlining cybersecurity roles and responsibilities. We adopted this in the CSOP since work roles have a direct impact on procedures.
One of the most important things to keep in mind with procedures is that the “ownership” is different than that of policies and standards:
- Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.).
- Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations.
- Procedures are by their very nature de-centralized, where control implementation at the team-level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).
Given this approach to how documentation is structured, based on “ownership” of the documentation components:
- Policies, standards and controls are expected to be published for anyone within the organization to have access to, since it applies organization-wide. This may be centrally-managed by a GRC/IRM platform or published as a PDF on a file share, since they are relatively static with infrequent changes.
- Procedures are “living documents” that require frequent updates based on changes to technologies and staffing. Procedures are often documented in “team share” repositories, such as a wiki, SharePoint page, workflow management tool, etc.
Information Security Procedures, Standards, and Forms – Reference
Documented Procedures & Control Activities – Reference