Policy & procedure development

Practical, implementable policies — not boilerplate Word docs from 2019. Customized to your environment, framework-aligned, and written in plain language your engineers and auditors can both follow.

Policies that hold up under real scrutiny

Policy programs fail when they are generic. Auditors can tell. Enterprise buyers can tell. We write policies that reflect how your company actually operates, which means they hold up under scrutiny and your team can actually implement them.

Important: Policy updates triggered by new regulatory requirements are not included as minor updates — they are scoped and quoted as change orders.

Pricing tiers

Launch
$3,500–$6,000
one-time · 18–32 hrs · 2–3 weeks
Overage: $185/hr · 1 review call + 2 revision cycles
  • 10 foundational security policies (customized, not templates)
  • Acceptable Use, Access Control, Incident Response, Data Classification, Business Continuity, Vendor Management, Password, Encryption, Remote Work, Asset Management
  • Policy acknowledgment tracking template
  • GRC platform upload (Drata or Vanta)
Growth · Most popular
$7,000–$12,000
one-time · 38–65 hrs · 3–5 weeks
Overage: $195/hr · 1 editorial refresh at 6 months
  • Everything in Launch, plus:
  • 25+ policies covering full SOC 2 or ISO 27001 requirements
  • Procedures for each policy (operational runbooks — how, not just what)
  • Role-based policy matrix (owner assignments by department)
  • Policy exception and waiver process + templates
  • Annual policy review schedule
  • Staff-ready policy summaries (plain language)
Scale
$13,000–$22,000
one-time + optional annual retainer · 70–130 hrs · 4–8 weeks
Overage: $225/hr · Legal firm fees client-paid
  • Everything in Growth, plus:
  • Multi-framework policy alignment (SOC 2 + ISO 27001, or + HIPAA, or + GDPR)
  • Policy gap analysis against current controls
  • Board and executive policy approval workflow
  • Full governance framework (policy → procedure → standard → guideline)
  • Regulatory-specific addenda (HIPAA, GDPR, SOC 2, ISO 27001, ISO 42001)
  • Legal and compliance review coordination
  • Custom policy branding and formatting

Bundle recommendation

  • Training is most effective when staff are trained on the policies they are acknowledging
  • Bundle with Security Awareness Training for maximum impact

Policies your team can actually follow.

Bundle with Security Awareness Training — and add tabletop exercises to stress-test whether the training has changed behavior when it matters most.