Information security · ISO 27001 / NIST CSF

    Build the security policies your audits and customers ask for

    A documented information-security policy suite — acceptable use, access control, incident response, vendor risk, and BYOD — aligned to ISO 27001 and the NIST Cybersecurity Framework. It is the written backbone an auditor or an enterprise customer expects to see, drafted to your business and kept current as you grow.

From $995. Quoted up front after a free scoping call.

10,000+ clients · 11 attorneys · 5 offices · 10+ years
    IIPLA Top IP Consultancy 2026 · Upwork Top Rated Plus

    Trusted by founders and brands worldwide

Atlys, Perfora, Soxco, BossCare, Innovist, Bacardi, Footcare Lab, Bare Anatomy, Freedom

    How it works

    How a policy suite comes together with GTC

    1

    Scope and gap review

    We map your systems, data, headcount, and target framework — ISO 27001, NIST CSF, or a customer's security questionnaire — and identify which policies you have, which you are missing, and which need rework.

    2

    Drafting to your business

    We draft each policy to how you operate — your stack, your access model, your vendors — not a generic template. Terms of art are used correctly so the suite reads as written by your organisation.

    3

    Review, adopt, and maintain

    We walk your team through the suite, finalise wording, and prepare it for formal adoption. As your framework, tooling, or regulations change, we keep the documents current.

    What it costs

    Quoted by framework and scope

A cybersecurity policy suite starts from $995. Every engagement is quoted up front after a free scoping call, once the target framework and the number of in-scope policies are known. The fee is scoped by the size of the suite and your environment: a focused set for a single customer review costs less than a full ISO 27001 or NIST-aligned suite. No per-seat software charge is included, and any certification-body or auditor fees are separate and paid directly to them.

    What's included

    • Scope and gap review against your target framework
    • Overarching information-security policy
    • Acceptable use, access control, and BYOD / mobile-device policies
    • Incident-response policy with defined roles and breach-notification steps
    • Vendor and third-party risk-management policy
    • Mapping to ISO 27001 Annex A controls and NIST CSF functions
    • Team walkthrough and preparation for formal adoption
    • Ongoing revisions as your tooling, framework, or regulations change
    Focused suite for a customer security review
    Quoted by scope
    Full ISO 27001 / NIST-aligned policy suite
    Quoted by scope
    Ongoing maintenance and revisions
    Quoted by scope
    Certification-body / auditor fees
    At cost

    No GTC fee is committed until the framework and policy set are confirmed and you have approved the quote. Certification and audit fees are paid directly to the certification body or auditor.

    Get started

    Scope your cybersecurity policy suite

    Tell us your target framework, roughly how many people you are, and what systems you run. A GTC specialist will scope the policy set and email a quote after a free scoping call.

No payment required. We reply within 1 business day: a GTC attorney reviews your request and sends a flat-fee quote.
    Working toward a specific audit or answering a customer's security questionnaire? Mention it — we will scope the suite to that requirement first.


    Why GTC

    Why build the suite with GTC

Handled by GTC's privacy team: data-protection counsel, attorney-led.

    Framework-aligned by design

Each policy is mapped to ISO 27001 Annex A controls and the NIST CSF functions (Govern, Identify, Protect, Detect, Respond, Recover), so the suite lines up with what an auditor or a Statement of Applicability expects rather than reading as boilerplate.

    Drafted to your business

    Policies describe your real access model, systems, and vendors. A template that does not match how you operate fails the first review; one written to your operations holds up.

    Ready for a security review

    When an enterprise prospect sends a security questionnaire, the documented suite is the evidence they ask for. We build it so it answers those reviews instead of stalling the deal.

    Kept current, not filed away

    Security policy is a standing obligation. As your tooling, headcount, or regulations change, we revise the suite so it stays accurate rather than drifting out of date the month after adoption.

    Your Customer Success Team

    A dedicated team that owns your matter from start to finish.

    Every GTC client gets a dedicated Account Manager and a Senior Account Manager who learn your business and stay with you from first email to final filing. They are named people who pick up the phone and already know your matter, so every step moves forward without delay.

    Your Account Manager

    Your day-to-day point of contact, who coordinates every matter, keeps things moving, and already knows your file. They have your full history, so you start every conversation where the last one left off.

    Your Senior Account Manager

    Senior oversight on strategy and escalations, stepping in as your needs grow, so every important detail stays on track.

    A named person, on email or a call, at every step.


    How we compare

    GTC vs. a generic template or a big consultancy

Compared across GTC, online filing services, and doing it yourself, on:

    • Policies drafted to your real systems, access model, and vendors
    • Mapped to ISO 27001 Annex A controls and NIST CSF functions
    • Written to answer enterprise security-review questionnaires
    • Incident-response and breach-notification steps that name real roles
    • Kept current as your framework, tooling, and regulations change
    • Priced up front by scope, no per-seat software or audit fees bundled in


    Timeline

    From gap review to an adopted suite

    A core policy suite is typically ready for adoption in two to four weeks, depending on how many policies are in scope and how quickly your team can review. Audit-readiness programmes run longer.

    1. Days 1–3

      Scope and gap review

      We confirm your target framework, inventory your systems and data, and produce a gap list — which policies exist, which are missing, and which need rework.

    2. Week 1–2

      Drafting

      We draft each policy to your operations — acceptable use, access control, incident response, vendor risk, BYOD, and the rest of the in-scope set — mapped to the relevant controls.

    3. Week 2–3

      Review and finalise

      We walk your team through the suite, adjust wording to match how you work, and prepare the documents for formal sign-off and adoption.

    4. Ongoing

      Maintenance

      As your tooling, headcount, framework, or regulations change, we revise the suite so it stays accurate and audit-ready.


    All your legal, in one place.

    One accountable team across every practice, operating since 2016.

10,000+ clients served · 11 in-house attorneys · 5 global offices · 10+ years (since 2016)

    Cybersecurity policy FAQs

    Frequently asked questions

Which policies are in a core suite?

    A core suite usually includes an overarching information-security policy plus acceptable use, access control, incident response, vendor and third-party risk, and a BYOD or mobile-device policy. Depending on your framework and risk profile we add others: data classification, encryption and key management, change management, business continuity and disaster recovery, secure development, and a human-resources security policy. We confirm the exact set in the scoping review.

    Ready to document your security

    Ready when you are.

    Tell us your target framework and a little about your environment. We will confirm the policies in scope, quote up front after a free scoping call, draft the suite to your business, and keep it current as you grow.

