What's in the kit.

One implementation guide. 48 supporting templates. Built around a 90-day program. Sized for 5-99 employee businesses. Every artifact listed below by name, with what it does and when you'll use it.


The implementation guide.

174 pages. Nine sections. The guide walks you from purchase to operational compliance posture in 90 days of part-time work. It's the document you read; everything else in the kit is referenced from a specific point in the guide.

Structure of the guide

Section 1. How to use this kit. What you bought, what it does and doesn't do, who should implement it, how much time it will take.

Section 2. Pre-implementation. The inventory and scoping work that has to happen before you start writing policies. You can't manage what you don't know exists.

Section 3. Phase 1, Days 1-30. Foundational controls. Asset inventory, account management, multi-factor authentication, backup verification, and three foundational policies. The heaviest section in the guide; the most consequential.

Section 4. Phase 2, Days 31-60. Operational controls. Vendor risk, security awareness training, incident response readiness, vulnerability scanning, and six additional policies.

Section 5. Phase 3, Days 61-90. Monitoring and maturity. Quarterly access reviews, log review cadence, the first compliance health check, the state safe harbor self-attestation, and the cadences that keep the program alive after Day 90.

Section 6. Maintaining your TACSOP. What life looks like after Day 90. The annual cadence. When to upgrade.

Section 7. Stakeholder communication templates. Ready-to-use language for owner briefings, MFA rollouts, vendor questionnaires, cyber insurance applications, customer questionnaires, and incident disclosure.

Section 8. Frequently asked questions. Common questions answered in one place, including the edge cases the guide doesn't otherwise address.

Section 9. Glossary and artifact index. Plain-language definitions plus the comprehensive list of every kit artifact and what it does.

The 90-day arc.

Three phases, sequenced so the foundations come first. Four to eight hours a week, calendar-flexible. You can pause around busy seasons; CPAs typically implement outside tax season, retail outside Q4, schools during summer.

Phase 1 — Days 1-30

Foundational controls.

Asset management operationalized. Account hygiene baseline. Multi-factor authentication enforced. Backups verified. Three foundational policies adopted in week 4 (Information Security Policy, Acceptable Use Policy, Incident Response Policy). The remaining policies are adopted incrementally through Phase 2 alongside the operational work that gives each one substance.

Phase 2 — Days 31-60

Operational controls.

Risk register populated. Vendors tiered. First security awareness training delivered. Incident response tabletop exercise completed. Vulnerability scanning cadence established. Eight additional policies adopted.

Phase 3 — Days 61-90

Monitoring and maturity.

Quarterly cadences scheduled. First compliance health check completed. State safe harbor self-attestation signed (if applicable). Customer questionnaire response template populated. Cyber insurance application cheat sheet populated.

The 48 supporting templates.

15 policies, 18 procedures, 12 questionnaires and checklists, 3 framework crosswalks. Each one referenced from a specific point in the implementation guide. Listed below in adoption or operationalization order.

Policies (15)

Each policy is a template you customize for your business and adopt with owner approval. Listed in adoption sequence.

01. Asset Management Policy
02. Access Control Policy
03. Password and Authentication Policy
04. Business Continuity and Disaster Recovery Policy
05. Information Security Policy. The master policy under which everything else operates.
06. Acceptable Use Policy
07. Incident Response Policy
08. Risk Management Policy
09. Vendor and Third-Party Management Policy
10. Security Awareness and Training Policy
11. Email and Web Use Policy
12. Data Classification and Handling Policy
13. Data Retention and Disposal Policy
14. Remote Work and Mobile Device Policy
15. Change Management Policy

Procedures (18)

Each procedure is a step-by-step template you customize and operationalize alongside the relevant policy. Listed in operationalization sequence.

01. Asset Inventory and Tagging Procedure
02. Periodic Access Review Procedure
03. Multi-Factor Authentication Enforcement Procedure
04. Backup and Restore Verification Procedure
05. Quarterly Vulnerability Scan Procedure
06. Patch and Update Management Procedure
07. Vendor Onboarding and Annual Review Procedure
08. Security Awareness Training Delivery Procedure
09. Incident Detection and Triage Procedure
10. Incident Response Execution Procedure
11. Employee Onboarding Security Procedure
12. Employee Offboarding Security Procedure
13. Log Management and Review Procedure
14. Quarterly Compliance Health Check Procedure
15. Annual Risk Assessment Procedure
16. Continuous Improvement Procedure
17. Annual Program Review Procedure
18. Customer Security Questionnaire Response Procedure

Questionnaires & checklists (12)

A mix of working documents you populate and maintain over time, and templates you customize once for your business.

01. Pre-Implementation Checklist
02. Asset Inventory Spreadsheet
03. Vendor Security Questionnaire. To send to your vendors.
04. Vendor Risk Tier Worksheet
05. Phishing Simulation Tracking Log
06. Incident Response Playbook (tabletop edition)
07. Employee Acknowledgment Tracker
08. Customer Security Questionnaire Response Template. Pre-populated answers to SIG, CAIQ, and similar.
09. Cyber Insurance Application Cheat Sheet. Pre-populated answers to common renewal questions.
10. State Safe Harbor Self-Attestation. For Texas, Connecticut, Ohio, or Utah.
11. Annual Risk Assessment Questionnaire
12. Quarterly Compliance Health Check

Framework crosswalks (3)

Each crosswalk maps the kit's CIS Controls IG1 alignment to the framework your stakeholders ask about.

01. CIS IG1 → NIST CSF 2.0. For cyber insurance applications and customer questionnaires that use NIST language.
02. CIS IG1 → SOC 2 Trust Services Criteria. For the SOC 2 Type 1 conversation, when that becomes a real requirement.
03. CIS IG1 → State safe harbor statutes. Texas SB 2610, Connecticut Public Act 21-119, Ohio SB 220, Utah Cybersecurity Affirmative Defense Act.

See a sample.

Two excerpts from the kit: one from the implementation guide, one from a policy template. The guide walks you through the work; the templates are what you adopt. Reading both shows the two registers the kit speaks in.

Implementation guide excerpt

The opening of §3.4, on enforcing multi-factor authentication. The single highest-leverage control in the kit, and the section we treat with the most depth.

Policy template excerpt

The opening of the Acceptable Use Policy, through §4.2. The policy your employees encounter most often, and a fair test of whether the kit's voice fits your business.

Format and delivery.

What you download

A single archive containing every artifact in two formats: editable Word documents for the policies, procedures, and templates, and Markdown source files for buyers who prefer plain-text editing or want to integrate the content with their own document systems.

The implementation guide

Delivered as a PDF for reading, plus the same content in Markdown for buyers who want to integrate excerpts into their own materials.

Your license key

Arrives by email at the address you provide. The key unlocks the archive download and identifies your kit for update access during your maintenance year.

Updates during your maintenance year

Notified by email when new content ships. The update mechanism is simple: download the latest archive, replace your existing files, and the changes are integrated into your kit.

What this isn't.

TACSOP is the kit described above. It isn't a substitute for the work the kit asks you to do.

The kit doesn't implement itself. Adopting a policy is more than approving a template; it's making the policy real in how your business operates. The implementation guide walks you through that work; the templates support it. Neither does the work for you.

The kit doesn't replace specialized framework documentation. HIPAA, PCI-DSS, NIST 800-171/CMMC, and ISO 27001 each need framework-specific work the kit doesn't provide. For more on how TACSOP fits alongside specialized documentation, see the Honest Scoping section on the home page.

The kit documents the IT side of your security program. OT and ICS systems (PLCs, SCADA, plant-floor controls) need vendor-specific guidance the kit doesn't replace. Manufacturing-specific frameworks (NIST SP 800-82, IEC 62443, AS9100, IATF 16949, ITAR) need framework-specific work TACSOP doesn't address.

The kit doesn't determine attorney-client privilege or work product doctrine questions. Law practices using TACSOP should treat privilege determinations as a matter for counsel; the kit's documentation is your firm's documentation, not Foxtrot's.

The kit isn't software, a platform, or a continuous monitoring tool. It's documentation. If you need integrated evidence collection for SOC 2 Type 2, you need Vanta, Drata, or Sprinto. TACSOP is the stage before that.