Policy & Playbook Generator
Get your security policies in writing — before your customer asks for them.
Most small suppliers have no written information security policy, incident response plan, or business continuity plan — and their CNI customer is about to ask for all three. Paying a consultant to produce these documents is hard to justify when you're a small business. A short questionnaire generates tailored, fully editable templates in plain English, covering every document your customers are likely to request.
Compliant-looking, fast, and built for people who aren't security specialists.
How it works
From questionnaire to a full set of downloadable policy documents in around 15 minutes.
Complete the short questionnaire
Answer questions about your business, the data you handle, how you work, and the IT systems you use. Takes around ten minutes.
Get your tailored templates
The generator produces a set of policy documents written specifically for your business — not generic boilerplate. Each document is in plain English and ready to use.
Edit and adopt
Download your documents in Word or PDF format. Review them, make any adjustments, and adopt them as your own policies. They're yours to use and update as your business changes.
What the questionnaire asks about
Business size and sector
Tailors the scope and language to your organisation
Types of data handled
Personal, financial, health data or commercial-in-confidence
Remote working arrangements
Home working, BYOD, and mobile device usage
Cloud and SaaS services used
Microsoft 365, Google Workspace, third-party platforms
IT support arrangement
In-house team, MSP, or no dedicated IT support
Existing controls in place
What you already have so the output reflects reality
The documents it generates
Five documents, each tailored to your answers and ready to adopt as your own. All in plain English.
Information Security Policy
Your top-level statement of intent — covering how your organisation protects information, who is responsible, and the principles that govern every other policy. The document every customer asks to see first.
Includes
- Scope and purpose of the policy
- Roles and responsibilities for information security
- Classification and handling of information assets
- Consequences of policy violations
- Review and update schedule
Acceptable Use Policy
Sets out what employees and contractors can and cannot do with company systems, devices, and data. Reduces risk and gives you a documented basis for taking action if rules are broken.
Includes
- Approved and prohibited uses of company IT systems
- Personal device and BYOD rules
- Social media and internet use guidelines
- Password and account security expectations
- Remote working and home office requirements
Incident Response Plan
A step-by-step guide to what your team does when something goes wrong — covering detection, containment, notification, and recovery. Most customers in regulated sectors will ask to see this.
Includes
- Incident classification and severity levels
- Roles and escalation paths during an incident
- Containment and evidence preservation steps
- Customer and regulatory notification obligations
- Post-incident review and lessons-learned process
Business Continuity Plan
Covers how your business keeps running — or recovers quickly — when systems fail, staff are unavailable, or a major incident disrupts operations. Often required before a customer will award a contract.
Includes
- Critical business functions and their recovery priorities
- Recovery time and recovery point objectives
- Backup and restoration procedures
- Alternative working arrangements
- Communication plan during a disruption
Data Handling & Retention Policy
Documents how your organisation collects, stores, uses, and deletes personal and sensitive data. Supports UK GDPR compliance and answers the data-protection questions that customers increasingly ask.
Includes
- Types of data collected and legal basis for processing
- Data storage locations and access controls
- Retention periods for different data categories
- Secure deletion and disposal procedures
- Data subject rights and how to handle requests
Get your policies before your customer asks
Free, tailored, and ready in under 15 minutes. No consultant needed.