Are you unsure when a control “shall” be mandatory versus when it “should” remain guidance—and how that plays out under SOC 2 and ISO/IEC 27001? By the end of this lesson, you’ll draft audit-ready language that maps source authority to the right modality, structures documents across policy/standard/procedure layers, and avoids self-inflicted findings. You’ll find concise explanations, real-world examples and dialogue, a practical crosswalk and drafting method, plus targeted exercises and corrections to test and sharpen your judgement.