Your insurer wants a security policy. Your client's questionnaire requires one. Do you have one?
The standard five-policy set covers what AU and NZ businesses actually get asked for โ by insurers, enterprise clients, and government questionnaires. Drafted to reflect your actual controls. Delivered in three weeks.
"Our insurer asked for a copy of our information security policy as part of a cyber insurance application. We don't have one."
Missing policies on an insurance application delay or block coverage. A completed policy set resolves this immediately.
"A client's vendor security questionnaire asked whether we have documented security policies. We said yes. We need to make that accurate."
Claiming policies you don't have creates liability. CyberCraft writes what you actually need โ based on your real controls.
"A new staff member asked where our security policies were. We realised we've never written any."
New staff asking about policies is a healthy trigger. The standard set covers what employees need to know and what clients need to see.
"We're working toward SMB1001 or ISO 27001. A consultant told us we need documented policies as a foundation."
Every certification pathway requires documented policies as a baseline. The standard set covers what both frameworks require at the starting level.
CyberCraft's standard policy set is built around what AU and NZ businesses actually get asked for โ not what a compliance framework says should exist in theory. Each policy is drafted to reflect your actual controls, not aspirational statements.
Information Security Policy
The master document โ states the organisation's commitment to security, the scope of the programme, and the governance structure. Required by every framework and every insurer.
Acceptable Use Policy
Rules for use of business systems, devices, and data by employees and contractors. Covers personal device use, email, internet, and business data handling.
Access Control Policy
How access to systems and data is granted, reviewed, and revoked. Addresses role-based access, privileged access, and leaver procedures.
Incident Response Policy
How the business responds to security incidents โ roles, reporting lines, and escalation procedures. Links to the IR Plan if that service has been completed.
Data Handling and Privacy Policy
How personal and sensitive business information is collected, stored, used, and disposed of โ calibrated to your Privacy Act obligations and APP 11 requirements.
Policy register + acknowledgement template
A master register of all five policies with version numbers, owners, and review dates. Plus a staff acknowledgement template for audit evidence.
Intake interview โ one hour
Covers your environment, systems, controls, and the specific requirement driving the engagement. This is what makes the policies accurate rather than generic.
Policy drafting โ no client time required
CyberCraft drafts all five policies and the register, calibrated to your actual controls. Draft delivered for review at the end of week two.
Review call and final delivery
One-hour review session to walk through the draft set. Amendments applied. All documents delivered in editable Word and PDF formats.
Policy and Procedures โ Pricing Configurator
Standard set. Defined scope. No scoping call required.
โณ JS configurator to be built. Inputs: staff count, existing policies (none / some / reviewing only), requirement driver. Additional policies beyond the 5-policy core are priced per policy.