PolicyForge

Methodology

How our templates are built and maintained

Full transparency on how PolicyForge produces framework-aligned policies — and on the tool’s limits.

1. Control alignment

Each template is mapped to the control(s) of the framework(s) it covers — for example an ISO 27001:2022 Annex A control, a SOC 2 criterion, a NIST CSF function or a GDPR article. A single document can cover several frameworks: we state this explicitly through compliance tags, without artificially inflating the catalogue.

2. Wizard-based tailoring

A generic template has no audit value. Our wizard asks targeted questions (scope, sector, hosting, roles, tooling) and injects your answers into the content: names, responsibilities, frequencies, exceptions. The result is a document specific to your organisation, not a copy-paste.

3. Bilingual by design

Every template exists in French and English, written — not machine-translated — to respect each framework’s terminology in both languages. Useful for organisations facing international auditors or customers.

4. Versioning and audit log

Every generated policy carries a version number, an approval block and a history. Changes are tracked in an audit log — exactly what an auditor expects to verify that a policy is live, reviewed and approved, not a dead document.

5. Keeping frameworks current

Frameworks evolve (for example ISO 27002:2022, or the national transpositions of NIS2). We track these changes and update the affected templates. Our public roadmap details ongoing additions and revisions.

What PolicyForge is not

PolicyForge produces the documentary layer of a compliance programme. It does not grant certification (only an accredited body does), does not perform continuous evidence collection from your cloud environments, and does not replace the judgement of a CISO or auditor. You remain responsible for tailoring and approving the documents. For continuous monitoring, PolicyForge is used alongside a dedicated platform.
