Services

Who It’s For

Growing organizations that need a Chief Information Security Officer but are not ready for a full-time hire. Ideal for startups scaling into enterprise, mid-market companies facing compliance pressure, and organizations preparing for their first audit or certification.

What’s Included

• —Ongoing security strategy and program roadmap development
• —Executive and board-level advisory and reporting
• —Security program maturity assessment and improvement
• —Vendor and security tool evaluation and oversight
• —Policy governance and compliance program ownership
• —Incident coordination, escalation leadership, and tabletop facilitation
• —Representation in client, investor, and regulatory conversations

Expected Outcomes

A fully functioning, maturing security program led by a CISSP/CISM-certified executive at a fraction of full-time cost.

Who It’s For

Technology companies, SaaS providers, and service organizations that need to demonstrate security controls to enterprise customers, investors, or partners.

What’s Included

• —SOC 2 Trust Services Criteria gap assessment
• —Control design and implementation guidance
• —Evidence collection program setup and management
• —Auditor-ready documentation package
• —Coordination with your chosen audit firm
• —SOC 2 Type I and Type II readiness support

Expected Outcomes

Audit-ready posture for SOC 2 Type I or Type II. TMCP has completed SOC 2 Type I and led active Type II readiness programs.

Who It’s For

Healthcare organizations, health technology companies, and business associates subject to HIPAA or client-mandated HITRUST assessments.

What’s Included

• —HIPAA Security Rule gap assessment
• —Remediation planning and control implementation
• —HIPAA policy and procedure development
• —HITRUST CSF assessment scoping and preparation
• —Evidence collection and remediation management
• —HITRUST Validated Assessment coordination
• —Ongoing compliance monitoring guidance

Expected Outcomes

Documented HIPAA compliance posture and successful HITRUST Validated Assessment. TMCP has directed the full HITRUST process and built the accompanying security program from scratch for a regulated healthcare organization.

Who It’s For

Organizations without formal security documentation or those preparing for their first audit or certification.

What’s Included

• —Written Information Security Program (WISP)
• —Complete core policy suite: Acceptable Use, Data Classification, Access Control, Data Retention, Incident Response, Remote Work, Password Management, BYOD, Vendor Management, and more
• —Standards and procedures aligned to ISO 27001, NIST CSF, SOC 2, or HITRUST
• —Policy review and approval workflow design
• —Employee acknowledgment process

Expected Outcomes

A complete, audit-ready policy library tailored to your organization — not boilerplate.