Compliance documentation kit for SMBs

A 90-day compliance program in a kit.

TACSOP gives 5-99 employee businesses the documentation a cyber insurance underwriter, a customer security questionnaire, or a state safe harbor statute is actually asking for. One implementation guide. 48 supporting templates. Built on CIS Controls IG1.

Four reasons businesses come to TACSOP.

If you've landed here, one of these is probably why.

02.A — Cyber insurance

Your cyber insurance renewal is asking questions.

The application or renewal wants to know if you enforce multi-factor authentication, run backups, and review user access. The answers are supposed to be yes, with documentation. TACSOP is where the documentation lives.

02.B — Customer questionnaire

A customer sent you a security questionnaire.

SIG, CAIQ, or a custom version from their procurement team. The questions are from a standard list; the answers don't have to be invented every time. TACSOP gives you a response file you populate once.

02.C — State safe harbor

You operate under a state safe harbor statute.

Texas SB 2610, Connecticut, Ohio, Utah. Each statute offers liability protection to businesses that align with a recognized cybersecurity framework. TACSOP aligns with CIS Controls IG1 and produces the documentation the statute expects.

02.D — Audit / board review

You're preparing for an audit or board review.

A customer audit, a regulator visit, a board-level cybersecurity question. The question is what you can produce. TACSOP is what you produce.

What you get.

Two things, organized so the second serves the first.

The implementation guide.

174 pages. Nine sections. Walks you from purchase to operational compliance posture in 90 days of part-time work. The guide is what you actually pay for; the templates serve the guide.

48 supporting templates.

15 policies, 18 procedures, 12 questionnaires and checklists, 3 framework crosswalks. Each one is referenced from a specific point in the implementation guide. You use them when the guide tells you to, not before.

The kit gives you the documentation. Documentation is necessary for compliance, but it's not sufficient. You still have to actually do the things the documentation says.

Three phases, ninety days, part-time work.

Four to eight hours a week, sequenced so the foundations come first and the cadences that maintain the program come last. You can pause around busy seasons; CPA firms typically implement outside tax season, retail outside Q4, schools during summer.

Phase 1 — Days 1-30

Foundational controls.

Asset inventory, account management, multi-factor authentication enforcement, backup verification, and the three foundational policies. The heaviest phase, the most consequential, the one most buyers reach for first.

Phase 2 — Days 31-60

Operational controls.

Vendor risk tiering, security awareness training, incident response readiness, vulnerability scanning cadence. The operational rhythm of the program.

Phase 3 — Days 61-90

Monitoring and maturity.

Quarterly access reviews, log review cadence, the first compliance health check, the state safe harbor self-attestation if applicable. The cadences that keep the program alive after Day 90.

Built for 5-99 employee businesses.

The kit serves owner-operators, office managers, IT generalists, and operations leads who have been handed compliance as a real responsibility. A few of the businesses we built it for:

  • An 8-person CPA firm preparing for an FTC Safeguards Rule program and a cyber insurance renewal.
  • A 12-attorney law practice documenting vendor management and AI use under ABA Formal Opinions 477R and 512.
  • A 40-person custom manufacturer responding to customer security audits.
  • An early-stage SaaS startup that needs a written security program for enterprise prospects, before SOC 2 Type 2 becomes a real requirement.
  • An IT manager at a 75-person company who has been handed compliance as a side responsibility, alongside keeping the network running.

If your business has 5-99 employees and one of the four buying triggers above, TACSOP is built for you.

Three ways to buy.

Pick the tier that matches how much help you want with the implementation work. The kit content is identical across tiers.

Self-Service

$499 / one-time

plus $99 / year

The kit, the implementation guide, all 48 templates, and the annual maintenance plan. For owners and operators with time and technical confidence to self-implement.

Onboarding

$748 / one-time

plus $99 / year

Self-Service plus a one-hour scoping call to confirm you're on track. For buyers who want a quick check before they start.

Managed Implementation

$1,999 / one-time

plus $99 / year

Self-Service plus hands-on help through Phase 1. For buyers who want a partner alongside them for the foundational work.

Honest scoping.

TACSOP isn't every kind of compliance documentation. Here's what it isn't, so you can decide whether it fits.

TACSOP isn't HIPAA-specific, PCI-DSS-specific, NIST 800-171/CMMC-specific, or ISO 27001-specific. If your primary compliance driver is one of those frameworks, TACSOP can complement specialized documentation but doesn't replace it.

TACSOP documents the IT side of your security program. If you operate OT or ICS systems (PLCs, SCADA, plant-floor controls), or work under manufacturing-specific frameworks like NIST SP 800-82, IEC 62443, AS9100, IATF 16949, or ITAR, those need vendor-specific guidance the kit doesn't replace.

TACSOP doesn't determine attorney-client privilege or work product doctrine questions. Law practices using the kit should treat privilege determinations as a matter for counsel.

TACSOP isn't a substitute for cyber insurance, legal counsel, or a security professional's judgment.

TACSOP isn't software, a SaaS platform, or a continuous monitoring tool. If you need integrated evidence collection for a SOC 2 Type 2 audit, you need Vanta, Drata, or Sprinto. TACSOP serves the stage before that.

TACSOP isn't a guarantee of compliance with any specific framework. It's documentation that demonstrates reasonable due care, on which a compliance program runs.

Where to go from here.

Three reasonable next steps, depending on where you are.