Information security policies
A documented backbone of policies and procedures that match how you actually work, satisfy the standards you are assessed against, and survive the first hard question from an auditor. Written by a team that runs its own information security management system and is UKAS accredited for ISO 27001 and 9001.
A policy framework is the set of written policies and procedures that govern how your organisation protects information, manages access, handles incidents, and meets its obligations. Cyber Essentials, ISO 27001, GDPR, and your sector's rules all expect this documentation to exist, to be current, and to reflect what you genuinely do. We build policies that do real work, not templates that fall apart the moment an assessor reads them properly.
Most organisations need a recognisable core set, scoped to their size and sector. We write the ones that apply to you, in plain English, mapped to the standards you are assessed against.
The core security policy and its supporting documents: acceptable use, data classification, and the rules that govern how information is handled day to day. The foundation every other control rests on.
Access control procedures, data retention requirements, and the email and communications security protocols that close the most common ways in. The procedures an auditor checks are being followed, not just written.
Business continuity plans and incident response procedures that tell people what to do on the worst day, rather than gathering dust. Tested against reality, because a plan nobody can follow is no plan at all.
Staff security awareness training records, supplier and data protection policies, and the governance documents that show security is owned and managed, not left to chance. The proof that the framework is alive.
The clearest evidence that we can write policies that hold up is that we publish our own and live by them. We operate an information security management system, we hold Cyber Essentials Plus, and we are UKAS accredited for ISO 27001 and ISO 9001. The policies behind that are not hidden in a drawer. You can read several of them on this site.
A good policy is specific, owned, version controlled, and reviewed on a schedule. A weak one is a generic template that says the right words but describes a business that is not yours. An auditor can tell the difference in minutes, and so can a prime contractor reviewing your supplier assurance questionnaire. We write the first kind, because it is the only kind that survives scrutiny and the only kind that actually protects you.
A short, practical process that leaves you with documents your people can follow and an assessor will accept.
We learn how you actually work and which standards apply, so the framework fits your organisation rather than a generic shape.
We develop the policies and procedures you need, in plain English, mapped to the controls each standard expects and free of filler you will never use.
We help you put the procedures into practice, with the training records and ownership that show a policy is operating, not just written.
We set version control and review dates so the framework stays current, the way our own policies and our ISO 27001 system are kept alive.
A policy is only true if the control it describes is real. That is why the same team that writes your framework also runs and secures the technology it documents.
The controls your policies describe. Access control, monitoring, and incident response, run by a certified team. We write the policy and operate the control, so the two never drift apart.
Evidence it
Policies are the first thing an assessor asks for, but they want the evidence the policy is followed too. Our audit and assurance service captures and maintains that proof between assessments.
Policy frameworks are part of our governance and audit work, and they underpin compliance readiness and CAF alignment, both of which depend on documented policy to demonstrate their outcomes. For regulated organisations, including those in the defence and aerospace supply chain, a credible policy framework is often the first thing a prime contractor checks.
A template can be a useful starting point, but a policy that describes a business that is not yours will not survive an audit, and it will not protect you. Assessors and prime contractors can spot generic documents quickly. We write policies specific to how you work and mapped to the standards you face, so they hold up under scrutiny and people can actually follow them.
It depends on your size, your sector, and the standards you are assessed against, but most organisations need a recognisable core: an information security policy, access control and data retention procedures, an incident response plan, business continuity arrangements, and staff awareness records. We scope the set to what applies to you rather than handing over documents you will never use.
At least annually, and whenever something significant changes, such as a new system, a new regulation, or an incident that exposes a gap. The review date and version history matter as much as the content, because an auditor wants to see the framework is alive and owned. We build that review discipline in, the same way we run it for our own published policies.
Yes. Data protection runs through the framework, from how personal data is classified and retained to how a data subject access request is handled. We make sure the documentation supports your obligations under the UK data protection regime, and it dovetails with our compliance readiness work where GDPR is one of several standards you need to meet.
Yes, and that is the advantage of working with us rather than a documentation-only consultancy. We write the policy and then operate the control it describes as part of our cyber security and managed services. Because one accountable team does both, the policy and the reality stay aligned instead of drifting apart between audits.
Tell us which standards you are working to and we will build a policy framework that fits your organisation and holds up under scrutiny. We reply within one working day, and you will speak to an engineer, not a salesperson.