Consultant invoices that don't end
Big-4 firms charge $15K–$50K for gap assessments and SAQ prep. The deliverable is usually a workbook you could own outright.
Professional-grade NIST CSF 2.0 and PCI DSS v4.0.1 workbooks — 45 tabs, 701 sub-requirements, every artifact a QSA or auditor expects. Built by IT Risk & Compliance practitioners with a decade across banking, defense, and financial services. Pay once. Download instantly. Audit-ready.
Most teams pay consultants thousands for spreadsheets that could have been built once and reused forever. RiskForge gives you the workbooks the consultants charge you for — without the invoice.
Every audit cycle, someone rebuilds the same tracker from scratch in Excel. Hours lost. Inconsistent across business units.
Online templates skip Govern, omit testing procedures, and lack maturity scoring. They fail the audit they were built for.
NIST CSF moved to 2.0 in Feb 2024. PCI DSS v4.0.1 made every future-dated requirement mandatory in March 2025. Most templates online still ship the old versions.
Each workbook is built to the latest version of the framework, with cross-references and evidence trackers. Two ship today; four are on the roadmap and included in the Full Vault.
All 106 CSF subcategories across the six functions with NIST's official Implementation Examples, Informative References cross-walk (ISO 27001, NIST 800-53 Rev. 5, CIS v8), Tier Self-Assessment, Org Profile, and a radar Executive Summary.
All 10 official SAQ types, 595 sub-requirements, plus every artifact a QSA mandates: TRA, CCW, CAW, Scope, and Diagrams. Dynamic Roadmap with P1/P2/P3 priority tiering.
Control families AC through SR with baselines for Low / Moderate / High impact systems. POAM tracker and SSP outline included.
Cyber Risk Institute's financial-services profile mapped to NIST CSF and FFIEC CAT, with regulator-ready reporting tabs.
Cloud Controls Matrix with CAIQ-style questionnaire, shared-responsibility mapping, and provider evidence collection.
Governance and management objectives with capability scoring, design factors workbook, and goals cascade worksheet.
Two free tools run the exact logic that ships inside the workbooks — no download, nothing to install. Use either one right here, then optionally add your details to receive a free, watermarked sample of the matching workbook by email.
Up to eight yes/no questions resolve which of the 10 official SAQ types applies to you — with the same precedence the workbook enforces (service provider beats stored-CHD beats virtual-terminal-only). It shows your result first, then offers the email capture.
Add your details (name + email required, company + role optional) and we’ll email a free sample of the PCI SAQ Prep Workbook — a generous teaser faithful to the real thing: a “Free Sample” cover, 3–6 populated example rows per key tab, “··· N more rows in the full version ···” notes, a “Get Full Version” tab, and a SAMPLE footer on every sheet.
Twelve quick questions — two per CSF function, on a 5-point maturity scale — produce an instant radar chart of maturity by function, your overall maturity level, and your two biggest gaps. Exactly what the workbook’s Executive Summary produces.
Add your details (name + email required, company + role optional) and we’ll email a free sample of the NIST CSF 2.0 Gap Assessment Workbook — a generous teaser faithful to the real thing: a “Free Sample” cover, 3–6 populated example rows per key tab, “··· N more rows in the full version ···” notes, a “Get Full Version” tab, and a SAMPLE footer on every sheet.
One-time payment. Instant download. No subscriptions, no renewal fees. Secure checkout via Payhip.
All 106 CSF 2.0 subcategories with NIST's official Implementation Examples and Informative References cross-walked to ISO 27001, NIST 800-53, and CIS Controls. Organizational Profile, Tier Self-Assessment, Risk-Adjusted Roadmap, and a radar-chart Executive Summary.
SAQ selector that actually computes. All 10 SAQ types with 595 sub-requirements. Targeted Risk Analysis, Compensating & Customized Approach Worksheets, scope and CHDFD templates — every artifact a QSA expects. Dynamic Roadmap auto-prioritized from your status entries.
Both current workbooks plus every future framework on the roadmap. Save $400 vs. buying individually.
Both workbooks share the same workpaper hygiene, integration, and accessibility features — the conventions QSAs, internal audit, and GRC reviewers actually expect to see.
Preparer / reviewer / approver sign-off on every workbook. Document control via Revision History. Industry-standard tickmark legend (✓ Vouched, ∆ Recalculated, ※ Confirmed).
Likelihood × magnitude scoring with the three official PCAOB categories: Deficiency / Significant Deficiency / Material Weakness.
AU-C 530 sample-size guidance per control frequency. Random / systematic / judgmental / haphazard method definitions and a sample-selection record table.
Frequency (Continuous / Daily / Weekly / Monthly / Quarterly / Annual / Event-driven), Type (Manual / IT-Dependent / Automated), and Nature (Preventive / Detective) per control.
Flat Export tab on both workbooks. Normalized columns, copy as values, save as CSV — ingest into Archer, ServiceNow GRC, OneTrust, or AuditBoard. Stable across versions.
Hidden Branding tab with 10 brand strings (name, tagline, URL, footer, primary/accent color, logo reference, license). Unhide, rebrand, ship under your own name.
Status colors paired with bold high-contrast text on every cell. Works for Deuteranopia and Protanopia users (1 in 12 men). Documented in the Tickmarks tab.
Landscape, fit-to-width, headers with CONFIDENTIAL marker. Sheet protection without passwords. Excel 2016+, Microsoft 365, Google Sheets, LibreOffice Calc — tested.
RiskForge was founded by a senior IT Risk & Compliance practitioner with a decade of work across regulated industries — banking, defense contracting, financial services, and FinTech.
Every workbook is structured the way auditors actually want to see evidence presented. No filler. No theatre. Just the deliverables the consulting bill was hiding.
Early customers were heads of GRC, audit managers, and CISOs at mid-market firms. Here's what they said.
"Replaced a $22K consultant engagement. The Govern tab alone was worth the price. Our auditor accepted the maturity scoring without revisions."
"The PCI SAQ Type Selector saved me a week of arguing with our QSA about which SAQ applied. Clean, accurate, the way I'd have built it if I had the time."
"Bought the Full Vault for our team. Standardized our gap assessments across four business units in under a month. Easiest yes I've given all year."
If you have a question we haven't answered, email us at hello@riskforge.tech — we usually reply within one business day.
Download the workbooks today and put them to work before your next audit cycle.