Compliance & Policy Generation

20 min · S4
Module Objective
Compliance documentation is the task security professionals most often postpone — not because it is unimportant, but because it is tedious. Writing an Acceptable Use Policy from scratch takes a full day. Mapping controls against a framework takes a week. Producing the quarterly board security report takes two days of formatting work. Claude compresses all of these — not by generating generic content, but by producing structured drafts with organizational context that you refine and deploy.
Deliverable: Workflows for policy drafting, compliance gap analysis, risk assessment documentation, and board reporting — with the prompting patterns and Skills that produce output reviewers and auditors accept.
⏱ Estimated completion: 20 minutes
[Diagram: Compliance documentation with Claude]
Policy drafting: framework + org context → draft
Gap analysis: controls + framework → gaps
Risk documentation: risk register + treatment plans
Board reporting: metrics → executive language
Generic prompt → generic policy. Contextualised prompt → deployable draft. The context is what makes it work.

Policy drafting: context is everything

Claude produces well-structured security policies that cover the required sections of a given framework. The difference between a generic policy and a deployable draft is the organizational context you provide.

A prompt that says “write an information security policy” produces a generic document from any AI tool. A prompt that provides your organization’s industry, size, regulatory environment, existing controls, specific risks, and the framework you are implementing produces a draft that your compliance officer recognizes as relevant to your organization.

Worked artifact — contextualised policy prompt:

<task>Draft an Acceptable Use Policy for AI tools.</task>

<organization>
UK-based engineering company. 500 employees. M365 E5 environment.
Currently no formal AI policy. Employees are using Claude, ChatGPT,
and Copilot informally. Engineering team uses AI for CAD analysis.
Finance team uses AI for report drafting. SOC team uses Claude for
log analysis and KQL generation.
</organization>

<framework>
ISO 27001:2022 A.5.10 (Acceptable use of information and other
associated assets). Must also address GDPR data handling for any
AI tool processing personal data.
</framework>

<requirements>
- Define approved AI tools by classification level
- Specify what data can and cannot be entered per tool tier
- Address shadow AI (unapproved tool usage)
- Include incident reporting for AI-related data exposure
- Practical — employees must understand it, not just sign it
</requirements>

<output_format>
Complete policy document with: purpose, scope, definitions,
approved tools, data classification restrictions, prohibited
uses, monitoring, incident reporting, review schedule, and
acknowledgment section. Professional tone, plain English.
</output_format>

Claude produces a complete, structured policy draft in two minutes. Review it for organizational accuracy, add any company-specific details Claude could not know, and pass it to your compliance officer for final review. A policy that took a full day to write from scratch is now a 2-hour review-and-refine exercise.

For recurring policy work, create a Skill that defines your organization’s policy template (sections, formatting, tone, review schedule format). Claude applies the Skill automatically whenever you ask it to draft or review a policy — ensuring every policy document matches your organizational standard.


Compliance gap analysis

Upload the compliance framework document, or reference it in your prompt if Claude knows it well: NIST CSF, ISO 27001, and SOC 2 are extensively covered in Claude's training data. Even so, check every control identifier the output cites against your licensed copy of the standard; ISO 27001 renumbered and regrouped Annex A in the 2022 revision, and a draft that mixes 2013 and 2022 numbering will not survive review. Provide your current control inventory, ideally listing the evidence artefact for each control rather than just its name. Ask Claude to identify the gaps: controls required by the framework that are not adequately addressed by your existing controls.

Claude’s gap analysis is a first-pass assessment that identifies the obvious gaps and highlights areas requiring further investigation. It is not an audit — it does not verify that your documented controls are actually implemented. But as a starting point for an internal assessment, it compresses the initial gap identification from a week of manual framework reading to an hour of Claude-assisted analysis followed by verification.
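The two inputs that paragraph describes (framework control list, control inventory) and the caveat it ends with (documented is not the same as implemented) can be made explicit before the model is involved. The following is an added example, not code from the module or from Anthropic: it computes the obvious gaps deterministically, separates controls that merely exist on paper from controls with evidence attached, and assembles a prompt in the module's own tag style. The framework excerpt uses published ISO/IEC 27001:2022 Annex A identifiers; the inventory, product names (Defender for Endpoint, Sentinel) and organisation context are constructed sample data, and the `include_precheck` switch is this example's own idea.

```python
"""Deterministic pre-check for a Claude-assisted ISO 27001 gap analysis.

Added example. The pre-check result is both prompt input and the list you
compare Claude's answer against: a control with no evidence attached is a
verification item, not a pass, and the model is told so explicitly.
"""
from dataclasses import dataclass, field

# Constructed excerpt of ISO/IEC 27001:2022 Annex A: published identifiers
# and titles, but only a handful of the 93 controls, for illustration.
FRAMEWORK = {
    "A.5.10": "Acceptable use of information and other associated assets",
    "A.5.24": "Information security incident management planning and preparation",
    "A.8.7": "Protection against malware",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.15": "Logging",
}


@dataclass
class Control:
    name: str
    maps_to: list[str]                                   # framework IDs this control addresses
    evidence: list[str] = field(default_factory=list)    # artefacts that prove implementation


# Constructed inventory for the fictional 500-person engineering company.
INVENTORY = [
    Control("Endpoint protection (Defender for Endpoint)", ["A.8.7"], ["weekly coverage report"]),
    Control("Monthly vulnerability scan", ["A.8.8"], ["scan reports Q1-Q3"]),
    Control("Sentinel log collection", ["A.8.15"]),            # documented, no evidence attached
    Control("Draft AI acceptable use policy", ["A.5.10"]),     # written, not yet approved
]


def gap_analysis(framework, inventory):
    """Return (missing, unevidenced, covered) as sorted lists of framework IDs.

    missing      - no inventory control maps to the framework control at all
    unevidenced  - mapped, but none of the mapping controls has evidence
    covered      - mapped with at least one evidence artefact
    """
    covered_by = {}
    for control in inventory:
        for cid in control.maps_to:
            covered_by.setdefault(cid, []).append(control)
    missing = sorted(cid for cid in framework if cid not in covered_by)
    unevidenced = sorted(
        cid for cid, controls in covered_by.items()
        if cid in framework and not any(c.evidence for c in controls)
    )
    covered = sorted(
        cid for cid in framework if cid in covered_by and cid not in unevidenced
    )
    return missing, unevidenced, covered


def build_prompt(framework, inventory, org_context, include_precheck=True):
    """Assemble the contextualised gap-analysis prompt in the module's tag style."""
    missing, unevidenced, covered = gap_analysis(framework, inventory)
    fw_lines = "\n".join(f"- {cid}: {title}" for cid, title in framework.items())
    inv_lines = "\n".join(
        f"- {c.name} -> {', '.join(c.maps_to)}"
        f" (evidence: {', '.join(c.evidence) or 'none attached'})"
        for c in inventory
    )
    precheck = (
        "<precomputed>\n"
        f"missing: {', '.join(missing) or 'none'}\n"
        f"documented but unevidenced: {', '.join(unevidenced) or 'none'}\n"
        f"covered with evidence: {', '.join(covered) or 'none'}\n"
        "</precomputed>\n\n"
    ) if include_precheck else ""
    return (
        "<task>Identify gaps between our control inventory and the framework "
        "controls listed. Treat controls marked 'evidence: none attached' as "
        "unverified, not as implemented.</task>\n\n"
        f"<organization>\n{org_context}\n</organization>\n\n"
        f"<framework>\n{fw_lines}\n</framework>\n\n"
        f"<controls>\n{inv_lines}\n</controls>\n\n"
        f"{precheck}"
        "<output_format>\nFor each framework control: status (gap / unverified / "
        "covered), the reason, and the evidence an auditor would expect to see.\n"
        "</output_format>"
    )


if __name__ == "__main__":
    print(build_prompt(FRAMEWORK, INVENTORY,
                       "UK engineering company, 500 staff, M365 E5, ISO 27001:2022 programme."))
```

Run it once with `include_precheck=False` and compare Claude's answer against `gap_analysis()` to see what the model missed or invented; run it with the pre-check included when you want the model's effort spent on the reasons and the expected evidence rather than on re-deriving the obvious set difference.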


Risk assessment documentation

Claude assists with risk register entries — drafting the risk description, identifying the threat source, assessing the likelihood and impact based on the context you provide, and proposing treatment options. The risk scoring requires your judgment (Claude cannot assess your organization’s risk appetite), but the documentation structure and the prose can be Claude-assisted.

For board-level risk reporting, ask Claude to translate the risk register entries into executive language. Risk register entries are typically written for the security team (technical threat description, control references, residual risk scores). Board reporting requires business language (financial impact, operational disruption potential, regulatory exposure).


Board security reporting

The quarterly security report is a recurring documentation burden that Claude compresses significantly. Provide the metrics (alert volumes, MTTD/MTTR, that is, mean time to detect and mean time to respond, incident counts, vulnerability scan results, compliance scores) and ask Claude to produce the executive narrative: the prose that explains what the numbers mean, what changed since last quarter, and what the board should know. Every figure in that narrative must trace back to a number you supplied; a model-introduced figure in a board pack is the one error the board will remember.

Create a Skill for your board report format. The Skill defines the sections (executive summary, key metrics, notable incidents, risk posture changes, recommendations, next quarter priorities), the tone (strategic, not technical), and the formatting (your organization’s template). Every quarterly report is then a data-input exercise: provide the numbers, Claude produces the narrative, you verify and deliver.
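The last step of that workflow, verifying the narrative matches the data, can be made mechanical. The following is an added example, not code from the module or from Anthropic: it extracts every number the drafted narrative cites and flags any that is neither a supplied metric nor a quarter-over-quarter delta (absolute or whole-percent) derivable from one. The metrics dictionary and the narrative are constructed sample data, including one deliberately ungrounded figure.

```python
"""Grounding check for a Claude-drafted board narrative (added example).

A faithful narrative may cite a supplied metric, the absolute change since
last quarter, or the whole-percent change. Any other number is something the
model introduced on its own and must be traced or removed before delivery.
"""
import re

# Constructed sample metrics, previous and current quarter.
METRICS = {
    "alerts_triaged":       {"prev": 1240, "curr": 980},
    "mttd_hours":           {"prev": 3.5,  "curr": 2.1},
    "mttr_hours":           {"prev": 6.2,  "curr": 4.1},
    "p1_incidents":         {"prev": 2,    "curr": 1},
    "critical_vulns_open":  {"prev": 14,   "curr": 9},
    "compliance_score_pct": {"prev": 78,   "curr": 84},
}

# Constructed sample narrative: every figure is grounded except "12", which
# appears in no metric and no delta.
SAMPLE_NARRATIVE = (
    "Alert volume fell 21% quarter over quarter (1,240 to 980) after detection "
    "tuning. Mean time to respond improved from 6.2 hours to 4.1 hours. One P1 "
    "incident occurred, down from 2. The compliance score rose to 84%. All 12 "
    "critical findings from the external assessment have been remediated."
)

# A number token: digits with optional thousands separators and a decimal part,
# not glued to a word character or a dot, so "Q3" and "A.5.10" are skipped.
NUMBER = re.compile(r"(?<![\w.])\d[\d,]*(?:\.\d+)?(?!\w)")


def allowed_values(metrics):
    """Set of numbers a faithful narrative may cite for these metrics."""
    allowed = set()
    for m in metrics.values():
        prev, curr = m["prev"], m["curr"]
        allowed.update({round(prev, 2), round(curr, 2), round(abs(curr - prev), 2)})
        if prev:  # whole-percent change, the form a board narrative uses
            allowed.add(round(abs(curr - prev) / prev * 100))
    return allowed


def check_narrative(narrative, metrics):
    """Return the numeric tokens in the narrative that the metrics do not support."""
    allowed = allowed_values(metrics)
    ungrounded = []
    for token in NUMBER.findall(narrative):
        value = float(token.replace(",", ""))
        if round(value, 2) not in allowed:
            ungrounded.append(token)
    return ungrounded


if __name__ == "__main__":
    print("ungrounded figures:", check_narrative(SAMPLE_NARRATIVE, METRICS))  # ['12']
```

The check is deliberately strict: a number-word such as "one" is not caught, and a figure that is arithmetically valid but attached to the wrong metric (citing the MTTD delta as the MTTR improvement) passes. Treat an empty result as "nothing obviously invented", not as "verified", and still read the narrative against the table.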

Compliance Myth
"AI-generated compliance documentation will not satisfy an auditor."
Production reality: Auditors evaluate the content of the documentation: whether it addresses the required controls, whether it reflects the organization's actual practices, and whether there is evidence of implementation. The tool used to draft the document is irrelevant. A Claude-assisted policy that accurately describes your controls, references the correct framework requirements, and has been reviewed by the appropriate stakeholders satisfies the auditor. A manually written policy that is generic, outdated, or inaccurate does not, regardless of who wrote it. The quality of the content and the evidence of implementation are what matter, not the authoring tool. What an auditor may legitimately ask about is the data you sent to the tool while drafting (control inventories, incident details, risk register entries), which is exactly the data-classification question the AI acceptable use policy drafted above is meant to answer.

Try it: Draft a policy from a framework requirement

Choose a framework requirement relevant to your organization (an ISO 27001 Annex A control, a NIST CSF subcategory, or a SOC 2 Trust Services Criterion). Write a contextualised prompt using the template above — include your organization's context, the specific framework requirement, and the output format. Review the draft Claude produces: does it address the framework requirement? Is the organizational context reflected? What needs to be added that Claude could not know? This exercise demonstrates the difference between generic AI policy output and contextualised, deployable drafts.


Knowledge checks

Check your understanding

1. What is the most important element to include in a policy drafting prompt to ensure Claude produces a deployable draft rather than a generic document?

Correct answer: Organizational context. Claude produces generic output from generic prompts. Including your organization's industry, size, regulatory environment, existing controls, specific risks, and the framework you are implementing transforms the output from a template into a draft that your compliance officer recognizes as relevant. The context is what makes the difference.
Incorrect options: enabling Extended Thinking for deeper reasoning; switching to the Opus model because it is more capable than Sonnet.

2. Your quarterly board security report follows the same structure every quarter. How do you ensure Claude produces it in your format without re-specifying the structure each time?

Correct answer: Create a Skill that defines the board report format (sections, tone, formatting, and any standing context). The Skill applies automatically whenever you ask Claude to produce the quarterly report. You provide the updated metrics and notable incidents. Claude produces the narrative in your format. Verify and deliver.
Incorrect options: include the format in every prompt; upload last quarter's report as a template each time.

3. Claude produces a compliance gap analysis comparing your controls to ISO 27001. An auditor asks whether this analysis is sufficient for certification readiness. What is the correct answer?

Correct answer: Claude's gap analysis is a first-pass identification of controls that appear missing or inadequate based on the information provided. It is not an audit: it does not verify that documented controls are actually implemented, does not assess evidence of implementation, and does not evaluate operational effectiveness. Use it as the starting point for a thorough internal assessment, not as the assessment itself.
Incorrect options: "Yes, Claude knows ISO 27001 comprehensively"; "No, AI cannot perform compliance assessments".

Key takeaways

Context transforms generic output into deployable drafts. Always include your organization’s details, the target framework, and specific requirements.

Skills standardize recurring documents. Board reports, policy templates, risk register entries — define the format once and apply it automatically.

Gap analysis is a starting point, not an audit. Claude identifies apparent gaps. Humans verify implementation and effectiveness.

Board reporting is a translation exercise. Claude translates SOC metrics into executive language. You verify the narrative matches the data.