policy-drafter
Install: `claude install-skill roodlicht/accans-sec-skills`
# Policy Drafter
> **Disclaimer**: this skill supports technical and operational policy drafting. Legal review (employment-law aspects of an AUP, privacy interfaces, contractual carry-through to customers) belongs with legal/HR/DPO. This skill does not produce a legally binding text.
## When to use
Security policies are the documented rules your ISMS, your compliance audits, and your day-to-day operations are measured against. This skill helps with drafting, structural consistency, review workflows, and clause libraries.
Triggers on:
- A question like "write an AUP", "IRP template", "access control policy", "review our security policies", "what goes in a data classification policy", "how often to review policies".
- A handoff from `iso27001` (Cl 5.2 Information Security Policy, Annex A.5 group), `soc2` (CC1-CC2-CC5 policy requirements), `nis2` (Art 21 first measure), `dora` (Art 6 framework).
- A new organization or new product line where the policy stack is still missing.
- An annual review cycle, or event-driven revision (incident, organizational change, new legislation).
### When NOT (handoff)
- Privacy-specific policies (privacy statement, DPA, cookie policy) → `gdpr-pia` context plus legal. Touches on this skill but requires separate legal expertise.
- Technical implementation of what policies require → security skills (`secure-coding`, `security-review`, `container-hardening`, etc.).
- Contractual policies aimed at vendors → `vendor-questionnaire` + legal.
- Risk