AI-Generated ISO 27001 and NIS2 Policies: A 2026 SME Guide
Twelve compliance policies you actually need under ISO 27001:2022 and the NIS2 Directive — with a practical method to draft them in minutes rather than weeks. Includes the seven sections every audit-ready policy must have.
Most SMEs need a stack of compliance policies and most SMEs do not have one. The blocker is rarely budget or appetite — it is the gap between a generic Word template downloaded from the internet and an audit-ready document tailored to the business.
This guide covers the twelve compliance policies UK and EU SMEs actually need in 2026, the structure every audit-grade policy must follow, the regulation citations auditors will check for, and a practical method that produces an audit-ready first draft in minutes rather than weeks. It assumes a working knowledge of ISO 27001:2022, the NIS2 Directive (Regulation (EU) 2022/2555), UK GDPR / EU GDPR, and the EU AI Act (Regulation (EU) 2024/1689). It is written for compliance officers, IT leaders and operations directors at organisations between 10 and 500 employees.
The twelve compliance policies you need
The list below is mapped to ISO/IEC 27001:2022 Annex A controls and the NIS2 Article 21(2) measures. Each policy stands alone but should reference the others — auditors look at consistency between them.
- Information Security Policy — the top-level ISMS document. ISO 27001 A.5.1; NIS2 Article 21(2)(a).
- Risk Management Policy — risk identification, scoring, treatment options. ISO 27001 A.5.4, A.6.1.2; NIS2 Article 21(2)(a).
- Access Control Policy — joiner/mover/leaver, privileged access, MFA. ISO 27001 A.5.15-18, A.8.2-5; Cyber Essentials.
- Cryptography & Key Management Policy — approved algorithms, key lifecycle. ISO 27001 A.8.24; GDPR Article 32.
- Business Continuity Policy — RTO/RPO, recovery strategy, exercise schedule. ISO 27001 A.5.29-30, A.8.13-14; NIS2 Article 21(2)(c); ISO 22301.
- Incident Response Policy — detection, containment, regulator notification. ISO 27001 A.5.24-28; NIS2 Article 23 (24h early warning, 72h notification, 1 month final report); GDPR Article 33 (72-hour).
- Supply Chain Security Policy — supplier due diligence, contract clauses, audit rights. ISO 27001 A.5.19-23; NIS2 Article 21(2)(d); GDPR Article 28.
- Asset Management Policy — inventory, classification, secure disposal. ISO 27001 A.5.9-14, A.7.10, A.8.10.
- Acceptable Use Policy — staff IT, internet, BYOD, generative AI use rules. ISO 27001 A.5.10, A.6.7, A.8.1.
- Data Retention & Disposal Policy — retention schedule, lawful disposal. GDPR Article 5(1)(e); ISO 27001 A.5.33, A.8.10.
- Privacy Policy (UK GDPR / EU GDPR) — lawful basis, subject rights, transfers, DPIA triggers. GDPR Articles 5, 6, 9, 13-22, 28, 30, 32, 35.
- AI Governance Policy — AI inventory, risk classification, human oversight, transparency, EU AI Act roles. EU AI Act Articles 4, 5, 6, 14, 25, 50, 53; GDPR Article 22.
The seven sections every audit-ready policy must have
Auditors are not impressed by length. They are impressed by traceability. Every policy that gets through an external audit follows the same skeleton — and policies that miss any section fail consistently in the same places.
- Purpose — one paragraph stating why the policy exists. State the regulation or framework it supports.
- Scope — the systems, locations, business units and personnel covered. Where exclusions exist, say so explicitly.
- Definitions — every term that has a specific meaning in the policy. Auditors look for ambiguity here first.
- Roles and Responsibilities — name the policy owner, the approver, and the operational roles. Where headcount is small, name actual people; where structure permits, name roles. Empty placeholders ("[Information Security Officer]") are an audit finding.
- Policy Statements — the rules themselves. Use "shall" or "must" for binding requirements. Avoid aspirational language ("we strive to") which has no audit value.
- Procedures and Controls — how the policy is operationalised. Concrete steps, sized to the organisation. A 5-person business does not run quarterly access reviews.
- Compliance, Monitoring and Enforcement — KPIs, cadence, breach consequences. Auditors check whether the metrics in the policy match what is actually measured in the dashboard.
Two further short sections complete the document: Review and Maintenance (review interval, change management) and Document Control (version table with effective date, owner, approver, next review). Without the document control table, the policy is not a managed artefact and auditors will say so.
The four regulation-citation traps
The fastest way to fail an audit is to cite a regulation incorrectly. Four traps recur in the policies we review.
Trap 1 — Citing GDPR Articles that do not match what is being said
Privacy policies routinely cite Article 6 for data subject rights (Articles 15-22), Article 32 for breach notification (Article 33), or Article 5 for record-keeping (Article 30). Auditors notice. Cite the right Article every time, or do not cite specifics.
Trap 2 — Outdated NIS2 references
The NIS2 Directive's reporting timelines are precise: 24 hours early warning, 72 hours incident notification, 1 month final report. Policies citing the old NIS1 timeline (which was vaguer) are common, especially in templates that have not been refreshed since 2024.
Trap 3 — EU AI Act citation drift
The Article 5 prohibitions, Annex III categories and Article 50 transparency obligations are commonly conflated in early-2026 policies. Each is distinct: Article 5 is "banned outright"; Annex III is "high-risk with substantial obligations"; Article 50 is "transparency duty regardless of tier". Confusing them in a written policy creates a regulatory misrepresentation risk.
Trap 4 — Inventing ISO 27001 controls
ISO/IEC 27001:2022 Annex A has 93 controls in four themes (organisational, people, physical, technological). Policies citing pre-2022 control numbers (such as A.7.5 for cryptography, which is now A.8.24) are common in older templates. The 2022 version is now eight years from the 2013 version it replaced, and certified organisations on the new control set are the norm.
Right-size the policy to the business
The single biggest reason audit-ready policies fail is over-engineering. A 30-page Information Security Policy at a 12-person SME is unreadable, unimplementable, and unmaintainable. Auditors recognise this.
Right-sizing means three things:
- Length proportionate to organisation size — a 5-page policy at a 50-person SME is usually right; 25 pages is usually wrong.
- Procedures sized to operational capacity — quarterly access reviews are reasonable at 200 employees, biennial is reasonable at 20.
- Roles named honestly — at a small SME the Managing Director acts as Information Security Officer, and the policy should say so explicitly. "Information Security Officer (no dedicated role; held by Managing Director)" is more auditable than a fictional org chart.
How long does it take to draft these properly?
Working from a regulation-aware template, a competent compliance professional drafts each policy in 2-4 hours of focused work. Twelve policies is typically 30-50 hours from the team. With AI-assisted drafting using a properly-prompted model — one that has the regulation context and the SME's profile baked into the input — the same set of audit-ready first drafts is achievable in about an hour total, with each policy generated in 30-60 seconds.
The trade-off matters. AI-drafted first drafts need a competent review for: regulation accuracy, organisational fit, and tone consistency. The review takes ~20-30 minutes per policy. Net time saving is significant — and the variance in quality narrows because every policy gets the same scaffolding.
Where AI drafting goes wrong
Three failure modes recur with general-purpose AI policy drafting:
- Regulation hallucination — the model invents Article numbers or ISO clause references. Defend by using a model with up-to-date regulation context and explicit instructions to cite only what it is certain of, or omit specifics.
- Generic tone — the policy reads as if it could be any organisation's policy, with no specific reference to the company's actual sector, headcount, country or data flows. Defend by giving the model a concrete intake (sector, headcount, jurisdictions, data types, AI usage, supplier count) and prompting it to use these inputs.
- Wrong policy depth for the organisation — enterprise-grade procedures sized for SME headcount, or vice versa. Defend by including organisation size in the prompt and instructing the model to right-size accordingly.
What "audit-ready" actually means
An audit-ready policy is one a competent ISO 27001 lead auditor would accept as evidence in a stage-1 readiness audit. It does not need to be enterprise-grade. It needs to:
- Cover the relevant Annex A control or NIS2 Article 21 measure
- State concrete rules, not aspirations
- Name owners and approvers
- Have a document-control table with effective date, version and next review
- Be consistent with the other policies in the stack — terms, roles, retention periods all match
- Be implementable — the procedures it sets out are actually run
The last point matters most. A policy that describes a process the organisation does not run is worse than no policy at all — it creates a gap between stated and actual controls that an auditor will find immediately.
Where SummitBridge Horizon fits
Policy Generator Pro drafts the twelve policies above tailored to your sector, headcount, country and data flows, with proper regulation citations and the seven-section structure. £29/month, unlimited generations, branded PDF export. The free EU AI Act risk classifier is a complementary one-shot tool.
For organisations that need an ISO 27001:2022 certification readiness audit, a NIS2 essential-entity gap analysis, or financial-services policy review (FCA SYSC, Consumer Duty), our advisory team takes it further from £750.
Need help with this?
Our team can help you assess where you stand and build a practical remediation plan. Free 30-minute consultation — no obligation.
Book a Free Consultation