Add-on or standalone

Security Policy Writing

A practical, readable security policy written specifically for your business — covering the rules your staff needs to follow to keep your data, systems, and customers safe. Written in plain language, not legal boilerplate.

What it is

Rules your team will actually read — and follow.

Most small businesses don't have a written security policy. That means staff make up the rules as they go — using personal email for work, sharing passwords, connecting to public Wi-Fi without a VPN, and countless other habits that create real risk.

A security policy doesn't need to be a 40-page legal document. It needs to be clear, specific to your business, and short enough that people will actually read it. That's what we write.

When paired with a Security Assessment, the policy is written to directly address the risks and gaps we found — turning findings into enforceable practice.

You know your business. We know security. We work from your intake responses and, where applicable, your assessment findings. The result is a policy that reflects how your business actually operates — not a generic template with your logo on it.

What a policy covers

Policies typically include: password requirements, acceptable use of devices and email, data handling and classification, remote work guidelines, staff onboarding and offboarding, and what to do if something goes wrong.

Why written policies matter

Beyond reducing risk, a written security policy is often required for cyber insurance, certain client contracts, and some regulatory frameworks. It also gives you legal standing if a staff member violates security rules.

Delivered as a ready-to-use document

You receive a clean, formatted policy document in Word and PDF format — ready to share with staff, include in onboarding, or attach to a contract.

What's included

What the policy covers.

  • Password policy — Requirements for length and complexity, prohibition on reuse, password manager guidance
  • Acceptable use policy — What staff can and can't do on company devices, networks, and email accounts
  • Data handling — How customer and business data should be stored, shared, and disposed of
  • Remote work & mobile devices — VPN use, personal device policies, public Wi-Fi rules
  • Onboarding & offboarding — Account provisioning, access levels, and account revocation procedures
  • Incident reporting — What counts as a security incident, who to notify, and what to do immediately
  • Software & updates — Expectations for keeping devices and applications up to date
  • Delivered in Word & PDF — Formatted, ready to distribute or include in your employee handbook
  • One round of revisions — We incorporate your feedback before delivering the final version

What's not included

Scope boundaries.

  • Legal review or certification (we recommend having an attorney review any policy before formal adoption)
  • Regulatory compliance documentation (HIPAA, PCI-DSS, SOC 2)
  • Staff training or policy enforcement
  • More than one round of revisions (additional rounds available at hourly rate)

Standalone vs. paired

Policy Writing works as a standalone service if you already understand your risks and need the documentation. It's most impactful as a follow-on to a Security Assessment, where the policy is built directly around your specific findings.

The process

From conversation to document.

Most policies are delivered within 5–7 business days of the initial intake session.

01. Intake

We review your business type, staff size, the tools you use, and (if applicable) your assessment findings to understand what the policy needs to cover.

02. Draft

We write a first draft tailored to your business — plain language, practical rules, and specific enough to be enforceable.

03. Your review

You review the draft and provide feedback. We incorporate one round of revisions to make sure the policy fits your business.

04. Final delivery

You receive the final policy in Word and PDF formats, ready to share with staff or include in your onboarding materials.

Pricing

Simple, transparent pricing.

Priced per engagement. Delivered within 5–7 business days of intake session.

Standalone
$347
one-time
  • Custom policy for your business
  • Word + PDF delivery
  • One round of revisions included
  • All core policy sections included

Add-on
$197
when added to an assessment
  • Same deliverable as standalone
  • Built directly from assessment findings
  • Most targeted, highest impact

Additional revision rounds available at $75/hr. Annual policy updates available at 40% off original price.

Give your team clear rules to follow.

A written security policy is one of the most cost-effective things a small business can have.
