Learn
Practical articles on getting audit-ready — real costs and timelines, what auditors actually look for, and the regulations that apply to small teams. Need a definition? See the glossary; for framework overviews, read the guides.
Getting started
How to Respond to a Customer Security Questionnaire
A vendor security questionnaire is a buyer's way of vetting your security before they trust you with their data. You answer it fastest, and most credibly, by assembling the policies and evidence you already have and answering every question honestly.
Do You Need an AI Use Policy for ChatGPT & Copilot at Work?
Yes — if your team uses ChatGPT, Copilot, or Gemini, you need an acceptable-use AI policy, because the alternative is "shadow AI" running with no rules at all. Here is what that policy should cover, and why writing it is only half the job.
Costs & timelines
How Much Does SOC 2 Cost (and How Long Does It Take)?
A SOC 2 report is a CPA attestation, and its real cost is several pieces stacked together: the examination fee, readiness work, optional tooling, and staff time. Here is how each one typically breaks down, with realistic ranges and ways to spend less.
How Much Does ISO 27001 Certification Cost?
ISO 27001 certification costs are driven mainly by the accredited audit and the work to build a working ISMS — not by buying documents. Here are realistic, illustrative ranges and a kickoff-to-certificate timeline for a small or mid-sized organization.
Getting audit-ready
What Auditors Actually Look For in Your First Audit
A first ISO 27001 or SOC 2 audit rarely fails on the framework itself — it stumbles on missing evidence, reconstructed records, and policies that do not match reality. Here is what an auditor actually examines, and how to be ready.
How to Write an Information Security Policy
The Information Security Policy is the cornerstone document of an ISO 27001 ISMS or a SOC 2 program — and usually the first thing an auditor reads. Here is what it should contain, who owns it, and why short and honest beats long and aspirational.
How to Do an ISO 27001 Risk Assessment (Step by Step)
An ISO 27001 risk assessment is required by clause 6.1.2, and its quality depends on reflecting your real environment, not the template you start from. Here is how to define a repeatable method, identify and rank risks, and turn the results into a treatment plan and Statement of Applicability.
Vendor Risk Management for Small Teams
Every vendor that touches your data or systems inherits a piece of your risk. Here is a lightweight, repeatable way for a small team to inventory, tier, vet, and monitor third parties — without building a procurement department.
Regulations
Do Tax Preparers Need a WISP? The FTC Safeguards Rule & IRS Form W-12, Explained
Yes — if you prepare tax returns, federal law treats you as a "financial institution," and the FTC Safeguards Rule requires you to develop, implement, and maintain a Written Information Security Plan (WISP). Here is where that obligation comes from and what your plan has to cover.
The EU AI Act for Small Companies: What You Actually Need to Do
The EU AI Act can reach small and non-EU companies whose AI outputs touch the EU. Here is a plain-English map of who it covers, the four risk tiers, and how a governance program helps you get ready.
GDPR for US Companies: Does It Apply to You?
A US company with no European office can still fall under the GDPR. The trigger is Article 3: if you offer goods or services to people in the EU, or monitor their behavior, the regulation reaches you across the Atlantic.
HIPAA for Small Practices: What You Actually Have to Do
HIPAA applies to small medical, dental, and therapy practices the same way it applies to large ones — but there is no "HIPAA certification" to buy. Here is what the rules actually require, and where a documented program ends and your daily operation of it begins.
