Resources
Real tools from real engagements.
Checklists, scorecards, and runbook templates we use on client engagements. Free, editable, grounded in operating reality rather than vendor marketing frameworks. Use them as-is, adapt them, or borrow what's useful.
Why we publish these
The compliance and security industry runs on gated whitepapers and slide decks built to capture emails rather than inform practitioners. The resources below are the opposite. These are the exact working documents we use on client engagements, published for anyone who needs a starting point that isn't marketing.
How to use them
Each resource is a browser-ready page with print-friendly formatting. Open it, work through it, print it to PDF if you want a saved copy. No forms, no email capture, no drip campaign. If you want help applying any of them in your environment, the free assessment is where that conversation starts.
AI Governance
NIST AI RMF 1.0 Practical Implementation Guide
NIST AI RMF 1.0 + GAI Profile (NIST AI 600-1) translated from framework into daily operations. Four-function structure (Govern, Map, Measure, Manage), 12-framework comparison matrix, sample AI inventory + 3-tier risk classification, and the 90-day implementation runbook we use on real engagements.
AI Governance
AI Governance for Law Firms
ABA Formal Opinion 512 (July 2024) operationalized across the five core duties. Seven state bar AI opinions, Mata v. Avianca progeny, 15-vendor legal AI BAA-equivalent matrix (Harvey, CoCounsel, Lexis+AI, Spellbook, Copilot, ChatGPT Enterprise), privilege-safe prompt protocol, and a 90-day firm-wide AI policy runbook.
AI Governance
HIPAA-Aligned MSSP for Small Clinics Using AI
Small-clinic HIPAA + Section 1557 governance for the AI scribe / AI coder / GenAI era. 12-vendor BAA matrix (DAX Copilot, Abridge, Suki, Heidi, M365 Copilot, ChatGPT Enterprise), HICP 405(d) practical mapping, and a 90-day clinic AI governance runbook with honest MSSP pricing bands.
AI Governance
SR 11-7 Model Risk Management for Community Banks with AI
SR 11-7 + OCC Bulletin 2011-12 + FFIEC AI guidance + CFPB Circular 2023-03 translated for $1-10B AUM community banks adopting AI for fraud, AML, credit, and customer service. Model inventory template, validation expectations by tier, examiner question bank, and a 90-day runbook.
AI Governance
Colorado AI Act for Healthcare Deployers
Colorado AI Act SB 24-205 applied to US healthcare AI. High-risk system classification across nine consequential-decision categories, clinical AI vendor BAA matrix (Abridge, Suki, DAX, Heidi, MS DAX Copilot), HHS-OCR Section 1557 algorithmic non-discrimination overlay, and the 90-day deployer compliance roadmap.
Compliance
SOC 2 Type II Readiness Checklist
The exact 80-control checklist we use to evaluate SOC 2 readiness on client engagements. Mapped to the 2017 Trust Services Criteria, with evidence guidance per control and a scoring model that tells you whether you're 6 months or 12 months from a clean audit.
Compliance
CMMC Level 2 Readiness Scorecard
Self-assessment scorecard for all 110 NIST SP 800-171 controls, with the exact evidence expectations a CMMC Level 2 C3PAO assessor will look for. Includes the common interpretation gaps that cause assessments to fail on the first attempt.
Cybersecurity
Incident Response Runbook Template
Editable runbook template aligned to NIST SP 800-61. Covers ransomware, business email compromise, insider threat, and supply-chain compromise scenarios with the decision points, role assignments, and evidence-preservation steps we use in real incidents.
Third-Party Risk
Vendor Risk Questionnaire
The 60-question vendor risk questionnaire we use on third-party risk assessments. Covers security controls, compliance certifications, subcontractor use, data handling, incident notification, and the business continuity questions most SIG Lite templates miss.
Cybersecurity
vCISO for SMB — When to Hire, Engagement Models, Pricing
Practitioner 2026 buyer's guide to virtual CISO services for US small and mid-sized businesses. Six triggers for hiring, three engagement tiers with pricing benchmarks ($2.5K-$25K+/month), four provider types compared, eight evaluation questions, six failure modes.
Cybersecurity
MDR Provider Comparison 2026 — Platform vs Service vs MSSP
Practical 2026 buyer's guide to Managed Detection and Response. Six MDR provider categories with named examples (CrowdStrike, Red Canary, Arctic Wolf, etc.), decision matrix by company size and regulatory profile, eight evaluation questions, six common pitfalls.