> 02.a
SMB Security Audit and Remediation Plan
shape: scoped engagement · output: plain-language audit + prioritized remediation plan · pricing: on request
A security audit built for small and mid-sized businesses and sole proprietors. Not SOC 2. Reviews the controls, posture, and risk the business actually has, and produces a plain-language audit with a prioritized remediation plan the team or their vendor can execute. Guidance, not implementation. Useful before a customer security review, an insurance renewal, or a funding milestone.
› Applies Zero Trust posture proportionally. Least privilege, assume breach, verify explicitly.
> 02.b
SOC 2 / Security Readiness Review
shape: scoped engagement · output: prioritized plan
A single scoped engagement that tells you where you stand and what to do next. Useful before committing to a Type I timeline, before a customer security review, or before a funding milestone that will trigger diligence.
> 02.c
Security Leadership on Retainer
shape: retainer · cadence: quarterly · capacity: inquire · pricing: on request
An outside security voice in the room at the cadence your team needs. Strategic direction on controls, audit posture, vendor posture, incident response. Not a deputy CISO title: an advisor who keeps you honest.
> 02.d
SOC 2 Readiness Enablement Program
shape: program · duration: full path to Type I then Type II
The full path to Type I then Type II. Guided by an operator who has shipped it twice. The deliverables you walk away with are the artifacts your auditor will ask for. They are authored with you, tuned to your business, and reviewed before they reach the auditor. Not copied from a template farm.
› Applies Zero Trust posture proportionally. Least privilege, assume breach, verify explicitly.
- ISP: Information Security Policy
- AC: Access Control policy
- DC: Data Classification policy
- IRP: Incident Response Plan
- BCP: Business Continuity Plan
- DRP: Disaster Recovery Plan
- Change Mgmt: change management procedure
- Vendor Risk: vendor risk assessment framework
- Risk Methodology: risk methodology documentation
- Control Matrix: SOC 2 control matrix mapped to policies
- Employee Policies: employee policies and acceptable use
- Security Awareness: security awareness training content
- Auditor Readiness: auditor-readiness brief
> 02.e
Trust Center Enablement
shape: program · outcome: published trust center
A published Trust Center turns ad-hoc security questionnaires into a repeatable artifact. Shipped one at trust.pkware.com. The playbook covers structure, content, gated-vs-public posture, and the review cadence that keeps it accurate.
> 02.f
Credential and Identity Foundation
shape: program · scope: password managers, MFA, Passkeys, credential automation · output: running foundation the client operates · pricing: on request
Enablement Program curriculum. Guided setup of a credential and identity foundation the business operates after the program ends. Password manager adoption, MFA posture, Passkeys, credential automation, identity hygiene for sole proprietors and small teams. Client owns the working systems. No ongoing advisor access to client credentials.
› Applies Zero Trust posture proportionally. Least privilege, assume breach, verify explicitly.