I write security documentation that serves two audiences simultaneously: auditors who need controls evidence, and engineers who need to know what to actually do.
Security policy writing: all standard InfoSec policies (Information Security, AUP, Access Control, Incident Response, Vulnerability Management, Change Management, Data Classification, Cryptography, Business Continuity) — tailored to your org and mapped to ISO 27001 Annex A, SOC 2 TSC, NIST CSF, PCI-DSS, or HIPAA as required.
Operational security documentation: STRIDE threat model documents (attack surface diagrams, trust boundary maps, threat register, mitigation mapping); developer security guidelines (secure coding standards, secret management practices, dependency policy, SAST configuration); security architecture decision records; and pentest report polishing (turning raw findings into a professional deliverable with executive summary and consistent severity ratings).
Security runbooks: credential rotation procedures, access revocation workflows, security alert response guides, and key management operational procedures.
My security engineering and penetration testing background means every document is grounded in how these controls actually work operationally — not just what a compliance template says.