Advisory & Data Protection
Security policies written for your organisation — aligned to ISO 27001, PCI DSS and NIST, and short enough that people actually read them.
Policies are where security intent becomes something you can enforce, audit and prove. Yet most policy sets are either downloaded templates nobody follows or hundred-page documents nobody reads. Blackfoot's security policy development service produces something different: a tailored set of policies, uniquely created for your business, that fits how your organisation actually works.
Good policies define what you protect, the threats you're protecting against, and the rules and controls that manage the risk in pursuit of your strategic objectives. Written well, they become the foundation of your compliance evidence — the first thing an ISO 27001 auditor, PCI QSA or customer due-diligence questionnaire asks for. Written badly, they become a liability you're measured against and fail.
We work closely with your organisation to understand business needs and existing frameworks before drafting anything. Our consultants bring experience across ISO 27001, PCI DSS, NIST and related standards, so each policy maps cleanly to the requirements you're accountable for — one policy set serving all your obligations rather than parallel documents per framework. That mapping pays off at every audit that follows, when evidence requests become lookups instead of investigations.
Whether you need a full policy suite built from scratch or a critical review and refresh of what you have, the result is the same: clear guidelines, sensible procedures and defined responsibilities that protect the confidentiality, integrity and availability of your information — in language your staff can follow without a translator. We also support rollout, helping you communicate the changes so policies land as working documents rather than an intranet announcement nobody opens.
Policies also decay: organisations change, standards update, and last year's rules quietly stop matching reality. Our Managed GRC subscriptions track policy review cycles in the Clarity portal, so ownership and review dates are managed rather than remembered.
Policies written for your organisation, its systems and its risks — not a find-and-replace template pack.
Each policy aligned to the standards you answer to — ISO 27001, PCI DSS, NIST — so one document set serves audits and certifications.
Plain-English drafting your staff can understand and act on, because a policy nobody reads protects nobody.
Build a complete policy framework from scratch, or review and strengthen the documents you already have.
Policies structured to serve as compliance evidence, with clear ownership, scope and review provisions built in.
Keep the set current through Managed GRC on Clarity, with review dates, owners and versions tracked rather than forgotten.
We identify your specific business needs, obligations and existing security frameworks through collaborative working sessions.
Requirements from ISO 27001, PCI DSS, NIST and your contracts are consolidated into a single policy architecture with no duplication.
Our consultants draft each policy in clear language, iterating with your stakeholders until the rules are both compliant and workable.
We support sign-off, staff communication and rollout, so policies land as working documents rather than shelf-ware.
Review cycles, owners and updates can be tracked in the Clarity portal through a Managed GRC subscription, keeping the set audit-ready.
Straight answers to what prospective clients ask us most.
It depends on your size, sector and the frameworks you answer to, but a core set typically covers information security, acceptable use, access control, incident response, data protection and supplier security. We define the right list for you during scoping rather than selling a fixed bundle.
Yes. Often the fastest win is a critical review: we assess your current set against your actual obligations, flag gaps and conflicts, and strengthen what's worth keeping. You only rewrite what genuinely needs it.
Both standards expect documented policies covering specific control areas, and auditors check them early. We map each policy to the clauses and requirements it satisfies, so evidence gathering at audit time is a lookup rather than a scramble.
At least annually, and after significant change — new systems, restructures, new regulations or incidents. Most certification schemes expect documented review cycles; tracking them in Clarity through a Managed GRC subscription keeps that discipline automatic.
Get a fixed-scope quote, usually the same working day.