Information Security Policy (ISO 27001)
Overview
Draft and validate an Information Security Policy aligned with ISO 27001:2022 — the foundational “constitution” of your organization’s security program. The skill produces a complete ISP document with mandatory language and a Statement of Applicability that explicitly addresses all 93 Annex A controls (Organizational, People, Physical, and Technological). Two built-in validation tools ensure the SoA has no gaps and the policy language is enforceable, not aspirational.
Example
You: We need an Information Security Policy for our SaaS company. We’re about 200 people, fully remote, all infrastructure on AWS. We’re pursuing ISO 27001 certification and also need to comply with GDPR. We have no physical offices or data centres.
Agent: I’ll draft the ISP and SoA tailored to your context. (Copies the template, fills in all 20 sections for a cloud-native, remote-first company, then builds the SoA.) Since you have no physical premises, controls like A.7.1 (Physical security perimeters) and A.7.2 (Physical entry) are excluded with rationale citing your fully remote model and AWS shared-responsibility. I’ve run the Annex A Cross-Referencer — all 93 controls are addressed (78 applicable, 15 excluded). The Policy Jargon Simplifier scores the draft at 97% enforceability; two remaining “as needed” phrases have been flagged with specific replacement suggestions.
Excerpt of a generated policy
Below is a condensed example of the Access Control section from a generated ISP:
## 9. Access Control
**Applicable controls:** A.5.15, A.5.16, A.5.17, A.5.18, A.8.2, A.8.3, A.8.5
- Access to all information systems must be granted on a least-privilege, need-to-know basis, approved by the resource owner before provisioning.
- All user identities must be uniquely assigned. Shared or generic accounts are prohibited except where documented and approved by the CISO.
- Multi-factor authentication must be enforced for all remote access, privileged accounts, and production systems.
- Access rights must be reviewed quarterly by the resource owner. Access must be revoked within 24 hours of role change or termination.
- Privileged access rights must be restricted to the minimum number of personnel required and logged for audit.
Validation tools
The skill includes two extension tools that automate compliance checks:
Annex A Cross-Referencer — Validates a Statement of Applicability JSON against all 93 ISO 27001:2022 Annex A controls. Reports missing controls, applicable entries without justification, excluded entries without rationale, and per-theme coverage percentages with a visual progress bar.
Policy Jargon Simplifier — Scans the policy for vague or unenforceable wording (“should”, “may”, “try to”, “where possible”, “periodically”, “in a timely manner”) and flags each occurrence with a mandatory replacement suggestion. Produces an enforceability score so you can track progress toward audit-ready language.
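The two checks described above can be reproduced in a few dozen lines. The following Python is an added example, not the skill's own tool code: it derives the 93 Annex A identifiers from the 2022 clause structure (5.1–5.37, 6.1–6.8, 7.1–7.14, 8.1–8.34), validates a Statement of Applicability against them, and scans policy text for the vague phrases listed on this page. The SoA record shape, the replacement-suggestion table, the enforceability-score formula (share of statements with no flagged term), and the sample policy lines are assumptions constructed for the example.

```python
import json
import re

# ISO 27001:2022 Annex A themes: (clause number, number of controls). 37+8+14+34 = 93.
ANNEX_A_THEMES = {
    "Organizational": (5, 37),
    "People": (6, 8),
    "Physical": (7, 14),
    "Technological": (8, 34),
}

# Vague phrase -> suggested mandatory replacement (assumed mapping, not the skill's table).
VAGUE_TERMS = {
    "should": "must",
    "may": "must (or state the explicit condition under which it is permitted)",
    "try to": "must",
    "where possible": "delete, or list the approved exceptions explicitly",
    "periodically": "at a fixed interval (e.g. quarterly)",
    "in a timely manner": "within a fixed deadline (e.g. 24 hours)",
    "as needed": "under a defined trigger (e.g. on role change)",
}
VAGUE_RE = re.compile(r"\b(" + "|".join(re.escape(t) for t in VAGUE_TERMS) + r")\b", re.IGNORECASE)


def annex_a_controls():
    """Return {control_id: theme} for all 93 Annex A identifiers, e.g. 'A.5.1'."""
    return {f"A.{clause}.{n}": theme
            for theme, (clause, count) in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)}


def validate_soa(soa):
    """Check an SoA (list of records) for gaps. Assumed record shape:
    {"control": "A.5.1", "applicable": bool, "justification": str, "rationale": str}."""
    controls = annex_a_controls()
    seen = set()
    findings = {"unknown": [], "applicable_without_justification": [], "excluded_without_rationale": []}
    for entry in soa:
        cid = entry.get("control")
        if cid not in controls:
            findings["unknown"].append(cid)  # not an Annex A identifier, e.g. a typo
            continue
        seen.add(cid)
        if entry.get("applicable"):
            if not (entry.get("justification") or "").strip():
                findings["applicable_without_justification"].append(cid)
        elif not (entry.get("rationale") or "").strip():
            findings["excluded_without_rationale"].append(cid)
    findings["missing"] = [cid for cid in controls if cid not in seen]
    # Per-theme coverage: share of the theme's controls that have any SoA entry at all.
    findings["coverage"] = {
        theme: round(100 * sum(1 for cid in seen if controls[cid] == theme) / count, 1)
        for theme, (_, count) in ANNEX_A_THEMES.items()
    }
    return findings


def coverage_bar(pct, width=20):
    """Text progress bar for a coverage percentage."""
    filled = round(width * pct / 100)
    return "[" + "#" * filled + "-" * (width - filled) + f"] {pct}%"


def simplify_jargon(policy_text):
    """Flag vague wording per statement and compute an enforceability score
    (assumed definition: percentage of statements containing no flagged term)."""
    statements = []
    for line in policy_text.splitlines():
        line = re.sub(r"^\s*[-*]\s*", "", line).strip()  # drop bullet markers
        statements += [s for s in re.split(r"(?<=[.!?])\s+", line) if s]
    flags, flagged = [], set()
    for i, stmt in enumerate(statements):
        for m in VAGUE_RE.finditer(stmt):
            term = m.group(1).lower()
            flags.append((i, term, VAGUE_TERMS[term]))
            flagged.add(i)
    score = round(100 * (1 - len(flagged) / len(statements))) if statements else 100
    return {"statements": len(statements), "flags": flags, "score": score}


def sample_soa():
    """Constructed SoA: everything applicable with a justification, except deliberate
    defects so the checker has something to report."""
    soa = []
    for cid in annex_a_controls():
        if cid == "A.8.34":
            continue  # deliberately missing
        if cid in ("A.7.1", "A.7.2"):
            soa.append({"control": cid, "applicable": False,
                        "rationale": "Fully remote; no premises (AWS shared responsibility)"})
        elif cid == "A.7.3":
            soa.append({"control": cid, "applicable": False, "rationale": ""})
        elif cid == "A.5.1":
            soa.append({"control": cid, "applicable": True, "justification": ""})
        else:
            soa.append({"control": cid, "applicable": True, "justification": "In ISMS scope"})
    return soa


# Constructed policy excerpt mixing enforceable and vague statements.
POLICY_EXCERPT = """\
- Access must be granted on a least-privilege basis, approved by the resource owner.
- Access rights should be reviewed periodically by the resource owner.
- MFA must be enforced for all remote access. Passwords may be shared where possible.
"""

if __name__ == "__main__":
    report = validate_soa(json.loads(json.dumps(sample_soa())))  # SoA normally arrives as JSON
    for key in ("missing", "unknown", "applicable_without_justification", "excluded_without_rationale"):
        print(f"{key}: {report[key]}")
    for theme, pct in report["coverage"].items():
        print(f"{theme:15} {coverage_bar(pct)}")
    jargon = simplify_jargon(POLICY_EXCERPT)
    for i, term, fix in jargon["flags"]:
        print(f"statement {i}: '{term}' -> {fix}")
    print(f"enforceability score: {jargon['score']}%")
```

The SoA check deliberately treats "entry present" and "entry justified" as separate findings: an auditor reads a missing control and an applicable control with an empty justification as different failures, and the coverage bar only reflects the former.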
Getting Started
Describe your organization (industry, size, infrastructure, regulatory requirements) in chat or upload existing policy documents. Activate the Information Security Policy (ISO 27001) skill; the agent will gather any missing context and produce a tailored ISP and Statement of Applicability, validated by both tools.