Security Policy Documentation

Policy & Documentation Setup

Most compliance programs fail not because organizations lack controls, but because they cannot demonstrate that those controls exist, are followed, and produce the right outcomes. We develop the security policies, standards, operating procedures, and governance documentation your organization needs to build a credible compliance program that holds up under audit and stands behind the work your security team is already doing.

  • Audit-ready – Policies written for real audits
  • Framework-aligned – NIST / ISO / SOC 2
  • Customised – Policies fit your environment
  • Fast – Delivered in weeks, not months

Information Security Policy Suite

We develop the full set of information security policies required by frameworks including ISO 27001, SOC 2, HIPAA, and PCI DSS. This includes the overarching information security policy, acceptable use, access control, data classification, incident management, supplier security, and all supporting topic-specific policies written to your organizational context rather than copied from generic templates.

Standards & Supporting Documentation

Policies define what must be done. Standards define how. We develop technical and operational standards that give your teams clear, implementable requirements for areas such as password management, encryption, network configuration, patch management, and secure development. Standards are written to a level of specificity that policies alone cannot provide, giving your staff the guidance they need to make consistent decisions.

Standard Operating Procedures

Compliance frameworks require evidence that key processes are not just documented but consistently followed. We develop Standard Operating Procedures for critical security and compliance processes including access provisioning and deprovisioning, vulnerability management, incident response, backup verification, change management, and security monitoring, giving your team step-by-step guidance that generates the evidence auditors expect to see.

Governance Framework Documentation

Effective compliance programs require documented governance structures that define roles, responsibilities, decision rights, and escalation paths. We develop governance documentation including security committee charters, RACI matrices, management review procedures, and risk acceptance frameworks that demonstrate to auditors and leadership alike that your compliance program has proper oversight and accountability structures in place.

Control Narratives & Compliance Artifacts

Audit-facing documentation requires more than policies. Control narratives explain how each control operates in practice, who owns it, how it is monitored, and what evidence it produces. We develop control narratives and compliance artifacts including Statements of Applicability, control matrices, risk treatment plans, and evidence registers that give auditors a clear, accurate picture of your control environment without requiring your team to reconstruct everything from scratch at audit time.

Documentation Maintenance & Review

Policies that are written once and forgotten become liabilities. We support ongoing documentation maintenance including annual policy reviews, updates triggered by significant changes to your environment, and version control processes that ensure your documentation library stays current. We also help you establish internal review cycles so that documentation upkeep becomes a managed process rather than a last-minute scramble before an audit.

What Makes Us Different From Others

  • Written for Real Teams, Not Just Auditors – Documentation that only satisfies auditors but cannot be followed by your staff is a compliance liability. We write policies and procedures that your teams can actually use, so controls get followed and evidence gets generated consistently throughout the year.
  • Mapped to Your Specific Frameworks – We develop documentation with your compliance obligations in mind, whether that is ISO 27001, SOC 2, GDPR, HIPAA, PCI DSS, or a combination. Every document is written to satisfy the specific evidence requirements of the frameworks you are working toward.
  • Built Around Your Existing Controls – We document what your organization actually does rather than writing aspirational policies that do not reflect reality. Documentation that describes controls you do not have creates audit risk; documentation that accurately captures what you do have builds confidence with auditors.
  • Consistent Structure Across the Full Library – A fragmented documentation library where each policy looks different and uses different terminology creates confusion and audit friction. We establish a consistent structure, format, and taxonomy across your full documentation suite so everything works together.
  • Integrated With Ongoing Compliance Work – Documentation setup is most effective when it runs alongside your broader compliance program rather than as a separate workstream. We integrate documentation development with gap remediation, control implementation, and audit preparation so everything stays aligned.
  • Transferable Ownership After Delivery – We deliver documentation your team can own, update, and extend without ongoing consultant dependency. Every document includes version history, review schedules, and ownership assignments so your team has everything needed to keep the library current going forward.

Frequently asked questions

Why does compliance documentation matter so much?

Auditors cannot verify that a control exists unless there is evidence it is operating. Documentation serves as that evidence. A control that functions correctly but is not documented, not followed consistently, or not generating records is treated as a gap during an audit. Strong documentation gives your compliance program the ability to demonstrate, not just assert, that controls are in place and working.

What is the difference between a policy, a standard, and a procedure?

A policy states what your organization requires and why. A standard specifies the technical or operational requirements that must be met to satisfy a policy. A procedure describes step by step how a specific task is performed. All three levels of documentation are needed in a complete compliance program. Policies alone do not give staff enough guidance, and procedures without supporting policies lack the governance context that auditors look for.

Which policies are required for ISO 27001 certification?

ISO 27001 does not specify a mandatory list of named policies, but it requires documented information covering the ISMS scope, information security policy, risk assessment and treatment methodology, Statement of Applicability, risk treatment plan, and evidence of control operation. In practice, most certified organizations also maintain policies on access control, asset management, cryptography, supplier security, incident management, and business continuity to satisfy specific Annex A control requirements.

What documentation is needed for a SOC 2 audit?

SOC 2 auditors expect to see policies and procedures covering the trust service criteria relevant to your audit scope. For the Security criterion, this typically includes policies for access management, change management, incident response, risk management, and vendor management, along with supporting procedures and evidence of consistent operation. The auditor will test whether documented controls are actually followed, so procedures need to reflect what your team does in practice.

What is a Statement of Applicability?

A Statement of Applicability is a document required by ISO 27001 that lists all Annex A controls, indicates whether each control is applicable to your organization, documents the justification for any exclusions, and references how applicable controls are implemented. It is one of the most scrutinized documents in an ISO 27001 certification audit and must be kept current as your control environment evolves.

How often should security policies be reviewed?

Most compliance frameworks require at least annual policy reviews, and more frequently when significant changes occur to your business, technology environment, or regulatory obligations. Reviews should be documented with approval records showing that management has formally accepted the current version. Policies that carry outdated review dates are a common audit finding that is easy to avoid with a properly managed review schedule.

Can you work with documentation we already have in place?

Yes. We review your existing documentation library, assess it against the requirements of your applicable frameworks, identify gaps and weaknesses, and update or supplement what you have rather than replacing it entirely. Building on existing documentation is almost always more efficient and produces better outcomes because it preserves the organizational context already embedded in your current policies and procedures.

How long does it take to build a full documentation library?

A complete policy and documentation suite for a mid-size organization pursuing a single framework typically takes four to eight weeks, depending on the number of policies needed, the complexity of your environment, and how much existing documentation can be retained. Engagements covering multiple frameworks simultaneously take longer but are more efficient overall than running separate documentation projects for each standard. We provide a realistic timeline estimate at the start of each engagement based on your specific scope.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a GarrisonOne expert.


No obligation: just clarity on your next step.
