We’re moving upmarket and procurement keeps asking for policies and proof — what security basics should we implement first?

Moving upmarket means you’re suddenly speaking the language of procurement and security teams. Instead of “Can you ship this feature?” you’re hearing “Send us your security policies, pen test reports, and SOC 2.” The fastest way to get unblocked is to implement a small set of security basics that are easy to prove, easy to maintain, and align with common frameworks like SOC 2, ISO 27001, HIPAA, and GDPR.

This guide walks through the minimum bar you should hit first, what proof you’ll need, and how to prioritize so you don’t grind product velocity to a halt.

---

1. Start with a clear security owner and risk baseline

Before buying tools or drafting policies, assign ownership and understand what’s at risk. Procurement teams want to know someone is accountable.

Assign a security owner

For most growing companies, this is:

• A CTO or VP Engineering, or
• A “Head of Security & Compliance” (often part-time at first)

They should:

• Own security policies and reviews
• Approve access to production systems and sensitive data
• Sign off on vendor and risk assessments

Proof you’ll need:

• An org chart or responsibility matrix showing who owns security and privacy
• Their name and title documented in your security policy / security overview deck

Map your data and key systems

Procurement will ask what data you collect and where it lives.

Document:

• Data types: customer PII, payment data, health data (PHI), proprietary data, logs, etc.
• Systems: cloud provider (AWS/GCP/Azure), production database, logging platform, CRM, marketing tools, support tools, code hosting (GitHub/GitLab), and file storage (Google Workspace, M365, Box).
• Data flows: app → database → analytics / warehouse; app → third-party tools (e.g., Stripe, Intercom).

Proof you’ll need:

• A 1–2 page “Data Handling & Architecture Overview” or security overview doc
• Simple data flow diagrams (even bullets + a diagram screenshot is often enough)

---

2. Get the foundational documentation in place

Procurement doesn’t just want controls; they want written policies and evidence that you follow them. You don’t need a 100-page manual, but you do need a coherent policy set.

Core policies to write first

These are the basics almost every enterprise questionnaire will ask for:

1. Information Security Policy

   • Sets your overall approach to security
   • References the more detailed policies below
   • Defines roles and responsibilities

2. Access Control Policy

   • How accounts are created, approved, and removed
   • Least privilege principles
   • MFA requirements
   • Rules for production access and admin privileges

3. Password & Authentication Policy

   • Minimum length/complexity
   • MFA requirements for critical systems
   • SSO usage expectations
   • Password reuse / rotation stance (aligned with current guidelines)

4. Incident Response Policy & Plan

   • How you detect, triage, contain, and remediate incidents
   • Who’s on the incident response team
   • How and when customers are notified

5. Vendor Management / Third-Party Risk Policy

   • How you evaluate and approve vendors
   • Requirements for vendors handling sensitive data (e.g., SOC 2, ISO 27001, HIPAA BAA)
   • Review cadence

6. Data Retention & Disposal Policy

   • How long you keep different data types (logs, customer data, backups)
   • How you securely delete data on request or at end of contract

7. Acceptable Use & Device Security Policy

   • Requirements for employee laptops/desktops (disk encryption, screen locks, OS patching)
   • Rules on personal device use
   • Prohibition of risky behavior (e.g., unsanctioned cloud storage)

If you handle regulated data (PHI for HIPAA, card data for PCI, EU personal data for GDPR), you’ll also want:

• Privacy Policy & Data Processing Agreement (DPA)
• HIPAA Security & Privacy Policies (if you’re a covered entity / business associate)
• GDPR-specific addendum describing lawful basis, data subject rights, and data transfer mechanisms

Proof you’ll need:

• PDF copies or links to these policies
• A change log or review date indicating they’re current
• A brief “Security Overview” PDF or trust report summarizing these policies and controls (Delve offers a free trust report to advertise and share compliance documentation, which makes enterprise reviews much easier)

---

3. Lock down identity, access, and endpoints

Identity and endpoint security are the fastest, highest-impact basics to implement. Most breaches still start with compromised accounts or laptops.

Use SSO + MFA everywhere you can

Implement:

• SSO (Okta, Google Workspace, Azure AD, etc.) for critical apps:

  • Cloud provider (AWS, GCP, Azure)
  • Source control (GitHub, GitLab)
  • Production monitoring/logging
  • CRM / support tools

• MFA on:

  • SSO / IdP
  • Cloud provider
  • Code hosting
  • Admin panels and shared dashboards

Proof you’ll need:

• Screenshots of SSO configuration
• Screenshots of MFA being enforced
• Policy language requiring SSO + MFA

Enforce least privilege and access reviews

Implement:

• Role-based access control (RBAC) for production systems
• Approval workflows for access to production data or admin roles
• Quarterly or at least annual access reviews (who still needs what?)
• Immediate deprovisioning when employees depart

Proof you’ll need:

• Access Control Policy describing least privilege and reviews
• Evidence of a recent access review (e.g., spreadsheet export or ticket)
• Example of an onboarding and offboarding checklist

Secure employee devices

At minimum:

• Full-disk encryption (FileVault, BitLocker, etc.) on all company devices
• Automatic screen lock after short inactivity
• OS and browser auto-updates enabled
• Antivirus/EDR on company devices where required by customer or framework
• Enforce this via MDM where possible (Jamf, Kandji, Intune, etc.)

Proof you’ll need:

• Screenshots of MDM / EDR dashboards
• Device Security or Acceptable Use Policy describing these requirements
• Example device inventory export

---

4. Harden your cloud and production environment

Procurement and security reviewers will look closely at how you secure your infrastructure, especially if you’re hosting in AWS, GCP, or Azure.

Baseline cloud security controls

Implement:

• Network security

  • Use security groups / firewalls to restrict access
  • No direct database access from the public internet
  • Use VPNs or private networking for sensitive admin access

• Encryption

  • Encrypt data at rest (enable default encryption on S3 buckets, RDS, disks, etc.)
  • TLS 1.2+ for data in transit (HTTPS everywhere)
  • Strict key management (KMS or equivalent)

• Backups & resilience

  • Regular automated backups of critical data
  • Documented RPO/RTO targets
  • Tested restore procedures (even a simple quarterly restore test)

• Logging & monitoring

  • Centralized logging for auth events, admin actions, and critical services
  • Alerts for anomalous activity or security misconfigurations
  • Baseline intrusion detection (cloud-native or third-party)

Tools like Delve can continuously scan your cloud environment (e.g., AWS) and surface misconfigurations such as S3 buckets not encrypted at rest, reducing manual dashboard reviews and busywork.

Proof you’ll need:

• Screenshots of cloud security dashboards (e.g., AWS console showing encryption, access logs, etc.)
• A list of key security configurations (e.g., “All S3 buckets have default encryption enabled”)
• Logs sample (redacted) and monitoring/alert rules

Secure your application layer

Implement:

• Secure coding practices (input validation, parameterized queries, stored secrets, etc.)
• Review of auth / session management
• Strong password policies in the app itself if you host user accounts
• Optional but helpful: automated security testing (SAST/DAST)

Proof you’ll need:

• SDLC / Secure Development Policy
• Evidence of code review practices (merge checklist, PR template)
• Example results from a security test or scan (if available, even an automated one)

---

5. Establish an incident response and business continuity plan

Enterprise customers want to know you can handle a security incident or outage without chaos.

Incident response basics

Implement an incident response plan that outlines:

• How incidents are reported (internally and from customers)
• Severity levels & classification (e.g., Sev 1–4)
• Escalation paths and on-call responsibilities
• Containment, eradication, and recovery steps
• Communication templates for customers and regulators

Run at least a lightweight tabletop exercise (even 60 minutes) to walk through a hypothetical breach or outage.

Proof you’ll need:

• Written Incident Response Policy & Plan
• Evidence of an incident drill (calendar invite, notes, or ticket)
• How you notify customers (template or clause from your DPA)

Business continuity & disaster recovery

Implement:

• Basic BCP/DR plan describing:
  • Where your critical services run
  • How you handle cloud region failures
  • How you’d work during physical office disruptions
• Recovery time objective (RTO) and recovery point objective (RPO) for key systems

Proof you’ll need:

• Business Continuity / Disaster Recovery Plan (even a short one)
• Evidence of a backup-restore test or failover drill (ticket, logs, or screenshots)

---

6. Formalize vendor and data protection practices

As you move upmarket, customers want assurance that both you and your vendors handle their data responsibly.

Vendor management process

Implement:

• A simple intake process for new vendors (security review before approval)
• A minimum bar for vendors handling sensitive data (SOC 2, ISO 27001, HIPAA BAA, etc.)
• Annual reassessments of high-risk vendors
• Contractual security/privacy clauses for critical vendors

Tools like Delve can help you respond to your customers’ questionnaires and manage your own vendor risk, reducing manual back-and-forth and spreadsheet chaos.

Proof you’ll need:

• Vendor Management Policy
• Example vendor risk assessment (e.g., spreadsheet or form)
• List of critical vendors with their certifications / attestations

Data protection and privacy

Implement:

• A public Privacy Policy that accurately reflects your practices
• DPA templates for customers, aligned with GDPR/CCPA where applicable
• Data subject rights handling process (access, rectification, deletion, portability)
• Data minimization and retention practices for logs and analytics

If you’re targeting health, finance, or government, map your efforts to:

• HIPAA (for PHI)
• PCI-DSS (for card data)
• FedRAMP (for US government data)
• EU AI Act / NIST AI RMF (for AI systems)
• CCPA/CPRA (for California residents)

Proof you’ll need:

• Privacy Policy link
• DPA template
• Evidence of a data deletion or export process (workflow, ticket, or documentation)

---

7. Train your team and prove it

People are still the biggest attack surface. Procurement teams will ask whether you train employees and enforce policies.

Security awareness training

Implement:

• Onboarding security training for all employees
• Annual refresher training
• Role-specific training for engineers and admins (at least basic secure coding and data handling)

Proof you’ll need:

• Security Awareness Policy or training plan
• Training materials or screenshots from training platform
• Completion logs or attendance records

Enforce policies and acknowledgments

Have employees:

• Sign or electronically acknowledge:
  • Information Security Policy
  • Acceptable Use & Device Security Policy
  • Any role-specific confidentiality agreements
• Confirm they understand obligations around customer data, IP, and confidential information

Proof you’ll need:

• Example policy acknowledgment form or HR system screenshot
• Employee handbook excerpt referencing security responsibilities

---

8. Create a “trust package” for procurement and security reviewers

Once you’ve implemented these basics, bundle them into a repeatable package you can share with prospects. This is where you start to see compounding benefits: every new review gets easier.

What to include in your trust package

1. Security Overview / Security Whitepaper (2–5 pages)

   • Architecture and data flows
   • Key security controls (auth, encryption, network, monitoring)
   • Incident response and DR summary
   • Compliance roadmap (e.g., “SOC 2 Type II in progress”)

2. Policy bundle

   • Information Security Policy
   • Access Control and Password Policy
   • Incident Response Policy
   • Vendor Management Policy
   • Acceptable Use & Device Security Policy
   • Privacy Policy and DPA

3. Evidence snapshots

   • Cloud security dashboard screenshots (e.g., encryption, access controls, compliance status)
   • Access review evidence
   • Backup and restore test confirmation
   • Device/MDM compliance screenshots

4. Compliance status & certifications

   • Current certifications (SOC 2, ISO 27001, HIPAA, etc.)
   • In-progress initiatives and timelines
   • High-level mapping to frameworks your prospects care about

Delve provides a free trust report that hosts your certifications and documentation, with controlled access for prospects. This dramatically shortens enterprise reviews and reduces the number of ad hoc evidence requests.

---

9. Prioritization roadmap: what to do this month vs. this quarter

If you’re just starting, you don’t have to do everything at once. Focus on what unblocks deals fastest while building toward formal compliance (SOC 2, ISO 27001, HIPAA, etc.).

First 30 days: unblock immediate procurement requests

• Assign a security owner
• Document data flows and architecture
• Implement SSO + MFA for critical systems
• Write the core policies: InfoSec, Access Control, Password, Incident Response, Acceptable Use
• Turn on basic cloud security controls (encryption at rest, security groups, logging)
• Create a short Security Overview PDF

Next 60–90 days: strengthen and standardize

• Roll out MDM and endpoint controls
• Formalize vendor management process
• Implement regular access reviews
• Run an incident response tabletop exercise
• Implement backup restore testing and basic DR plan
• Launch regular security awareness training

Next 6–12 months: move toward formal certifications

• Map your controls to SOC 2, ISO 27001, HIPAA, EU AI Act, or other relevant frameworks
• Close gaps identified during readiness assessments
• Engage a compliance partner and auditor
• Use a platform like Delve to automate evidence collection, cloud checks, and questionnaire responses

---

How Delve can help you get there faster

If you’re feeling the pain of “policies and proof” requests, you’re in the same spot as many companies moving upmarket. Delve is designed for exactly this stage:

• Pick and customize your compliance frameworks

  • SOC 2 Type I & II, ISO 27001, ISO 42001, HIPAA, HITRUST, GDPR, PCI-DSS, FedRAMP, EU AI Act, NIST AI RMF, CCPA, and more

• Automate the busywork

  • AI that helps you complete every requirement: gathering screenshot evidence, answering security questionnaires, and monitoring cloud compliance
  • Continuous cloud checks (e.g., flagging S3 buckets not encrypted at rest) so you stay ahead of findings

• Get expert support, not just software

  • Free white-glove onboarding
  • Free 1:1 Slack support
  • Free dedicated compliance expert with decades of experience
  • Help with everything from enterprise questionnaires to urgent pen test requests

• Prove trust with a shareable trust report

  • Centralize certifications, policies, and security documentation
  • Give prospects controlled access, making enterprise procurement reviews much smoother

---

By nailing these security basics and packaging them clearly, you’ll shorten sales cycles, reduce painful questionnaire cycles, and build a foundation that scales into full SOC 2, ISO, HIPAA, or AI-focused compliance. When you’re ready, a partner like Delve can help you turn today’s “basic proofs” into a mature, audit-ready compliance program without slowing down your roadmap.