← All posts

How to build a cybersecurity program document your customers accept

The contents, structure and maintenance cadence for a cybersecurity program document that holds up to customer audits, cyber insurance renewals and SOC 2 readiness assessments.

· Atticus Rowan

Enterprise customers, cyber insurance carriers and SOC 2 auditors all ask for roughly the same document. They call it different things — “cybersecurity program overview,” “information security program,” “security whitepaper,” “security posture document.” The content is substantially the same: a written description of how the firm approaches cybersecurity, what controls are in place, who operates them and how evidence is maintained.

Firms that have the document produce it in one business day when asked. Firms that do not spend two weeks reconstructing it under pressure during an audit or a customer review, and the reconstructed version often reads weaker than it should because the writing happens fast and defensively.

Here is what actually goes in a cybersecurity program document that holds up to scrutiny, how to structure it and how to maintain it so it stays current between audits.

Why the document matters

Three external audiences read it:

  • Enterprise customers evaluating the firm as a vendor. They want to understand the security posture before signing a contract or increasing data exposure.
  • Cyber insurance underwriters assessing the firm for renewal. The program document often accompanies the renewal application and provides context for the individual question answers.
  • SOC 2 and other framework auditors using it as the baseline for testing. The auditor reads the document, maps it against the criteria and decides where to sample.

A well-constructed document answers 60 to 80 percent of a typical customer security questionnaire by reference. “See sections 3, 5 and 8 of our attached cybersecurity program document” beats a 40-page questionnaire-specific response every time for both speed and consistency.

The 10 sections that should exist

A defensible cybersecurity program document covers 10 sections. Each is a few paragraphs to a few pages depending on firm complexity.

1, program governance

Who is accountable for cybersecurity. What their authority and reporting relationships are. How the program is reviewed and updated.

Content:

  • Named cybersecurity officer or equivalent (CISO, vCISO, security lead)
  • Reporting relationship (to CEO, to board committee, to operations)
  • Review cadence (annual at minimum, often quarterly at the leadership level)
  • Risk-management framework alignment (NIST CSF 2.0 is the most common reference)
  • How changes to the program are approved and documented

Weak example: “Our IT team handles security.” (no named owner, no framework, no review cadence)

Strong example: “The Chief Information Security Officer (or equivalent named role) reports to the Chief Operating Officer and presents a quarterly cybersecurity review to the executive team. The program is aligned to the NIST Cybersecurity Framework 2.0 and reviewed comprehensively on an annual basis, with material changes approved by the executive team.”

2, scope and boundaries

What is in and out of the program’s scope. Defines the assets, data types and systems the program covers.

Content:

  • Entities included (the whole firm, specific subsidiaries, specific product lines)
  • Data types covered (customer data, employee data, financial data, intellectual property)
  • Systems in scope (production environment, corporate IT, development environment)
  • Known exclusions with rationale
  • Third-party boundaries (what the firm does vs what vendors do)

3, asset and data management

How the firm knows what it has and what is sensitive.

Content:

  • Asset inventory approach (device management platform, discovery tools, manual inventory cadence)
  • Data classification scheme (public, internal, confidential, regulated)
  • Data handling rules per classification
  • Data retention and disposal policies

4, identity and access management

How people and systems authenticate and what they can access.

Content:

  • Authentication approach (MFA universal, phishing-resistant for privileged)
  • Access control model (role-based, need-to-know, least privilege)
  • Privileged access management practices
  • Access review cadence (quarterly for privileged, annual for standard)
  • Workforce lifecycle controls (onboarding, role changes, offboarding)

5, protection controls

The technical controls protecting systems and data.

Content:

  • Endpoint protection (EDR, antivirus, encryption)
  • Network protection (firewalls, segmentation, web filtering, email security)
  • Application protection (secure development, vulnerability management, patching)
  • Data protection (encryption at rest and in transit, data loss prevention)
  • Cloud infrastructure protection (configuration management, secure-by-default baselines)

This is usually the longest section in terms of detail, but should stay at a summary level with references to specific control documents for deeper detail.

6, detection and monitoring

How the firm identifies security events in progress.

Content:

  • Monitoring scope (which systems, which events)
  • Monitoring operator (in-house SOC, MDR provider, SOC-as-a-service)
  • Coverage hours (24x7, business hours plus on-call, etc.)
  • Alert-to-response process
  • Log retention periods

7, incident response

What happens when something goes wrong.

Content:

  • Named incident commander and alternate
  • Severity classification and escalation thresholds
  • Response workflow from detection through recovery
  • Breach notification obligations and process
  • External response support (IR firm retainer, legal counsel, cyber insurance carrier)
  • Tabletop exercise cadence and last exercise date

8, business continuity and recovery

How the firm recovers from an event.

Content:

  • Backup approach (immutable, offsite, retention)
  • Restore testing cadence and most recent test
  • Recovery time and point objectives (RTO/RPO) per system tier
  • Business continuity plan overview
  • Disaster recovery plan overview and most recent test

9, third-party risk management

How the firm manages risk from vendors.

Content:

  • Vendor inventory maintenance
  • Tier classification approach
  • Due diligence process for material vendors
  • Ongoing monitoring cadence
  • Breach notification expectations from vendors

10, training and awareness

How the workforce is prepared.

Content:

  • Training cadence (annual at minimum, role-based where applicable)
  • Phishing simulation program
  • Completion tracking
  • Specialized training for developers, finance, executives if applicable

What the document is not

A defensible cybersecurity program document is a concise overview, typically 15 to 40 pages. It is:

  • Not the policy library. The document references policies, it does not replace them. Written policies (acceptable use, information security, incident response, vendor management, etc.) are separate artifacts maintained outside the program document.
  • Not the evidence package. SOC 2 reports, penetration test results, tabletop after-actions and compliance certificates are attachments to the program document, not part of its body.
  • Not a marketing document. The tone is factual and plain. Marketing language reduces credibility with auditors and underwriters. No “industry-leading” or “best-in-class” — replace with specifics or remove.

Maintenance cadence

A program document that is written once and never updated becomes stale within 12 months. Maintenance:

  • Quarterly touch-up. Review for factual accuracy. Update any sections where tooling, vendors or processes changed.
  • Annual comprehensive review. Full rewrite pass. Reissue version numbering and approval signature.
  • Event-driven updates. Material changes (new tool, new regulation, material incident) trigger specific section updates.

Version control matters. Auditors and customers often ask for the previous 1 to 3 versions of the document to see how the program has evolved.

Who writes the document

Three common models:

  • Internal cybersecurity officer writes it. Works well when a dedicated security function exists. Requires discipline to prioritize documentation against other pressures.
  • MSP or consultant writes it with internal input. Works well for mid-market firms without dedicated security staff. AR typically operates in this model for clients.
  • Hybrid. Consultant produces the first version, internal owner maintains it thereafter.

The worst pattern: nobody writes it until a customer asks, then IT writes it in 3 days under pressure. The document produced this way reads defensively and sets the baseline expectation low for subsequent interactions.

Where we fit

Atticus Rowan produces and maintains the cybersecurity program document as a standard element of managed engagements. For most clients, the document is 20 to 30 pages, anchored on NIST CSF 2.0 vocabulary, cross-referenced with the policy library and the evidence package.

Beyond the initial creation, maintenance happens quarterly as part of the ongoing engagement. When a customer security questionnaire arrives, the document answers 60 to 80 percent of questions by reference and the remaining questions are handled individually with the document as context.

If your firm has been asked for a cybersecurity program document and is currently figuring out what should be in it, or you have a document that has not been reviewed in several years, schedule a discovery call. We can walk through what a credible document looks like for your specific environment and scope the creation or refresh work.