I write practical, audit-ready information security policies and procedures tailored to your organization, not the generic boilerplate that auditors spot immediately and mark down.
Common policies: Information Security Policy (master policy); Acceptable Use Policy; Access Control Policy; Incident Response Policy and Playbook; Change Management Policy; Vulnerability Management Policy; Business Continuity and Disaster Recovery Plan; Supplier and Third-Party Security Policy; Data Classification and Handling Policy; Cryptography Policy; Physical Security Policy; and Secure Development Policy.
Each policy is tailored to your organization's size, tech stack, team structure, and how you actually operate — with version control built in, a review cycle convention, and an approval signature block. Delivered in Microsoft Word (editable) and PDF (for audit evidence).
Compliance mapping: ISO 27001 Annex A controls, NIST CSF functions, SOC 2 Trust Services Criteria, PCI-DSS requirements, or HIPAA safeguards — mapped to each policy section so auditors can trace controls to documentation.
Share your industry, compliance target, org size, and list of policies needed. I'll recommend a prioritized policy set if you're starting from scratch.