Author once, distribute, track acknowledgement and tie every policy to controls across ISMS, BCMS, DSMS and AIMS. Acknowledgement as readiness, not paperwork.
The challenge
A policy gets drafted for the certification, approved in a meeting, and emailed round as a PDF. Six months later there are three versions in circulation, nobody is sure which one is in force, and the acknowledgement evidence is a half-remembered Slack thread. The document still exists. Whether anyone follows it, or has even read the current version, is anyone's guess.
A policy is supposed to be a control, not a file. It should connect to the ISO 27001 requirement it implements, carry its own review date, and prove who has acknowledged which version. When that link is missing, an auditor asking for the evidence behind a control sends the whole team digging through drives. When it is there, the policy and its proof are the same object, and a stale one surfaces before the audit instead of during it.
Benefits at a glance
A library of professionally written templates covers ISO 27001 Annex A, ISO 22301, GDPR, BSI Grundschutz and ISO 42001. Templates open in a rich-text editor and are linked to the controls they implement, so editing a clause updates the control automatically.
Every revision is saved with timestamp, author and change summary. KaitoSec keeps the full history so auditors can see exactly what was in force at any point, without email chains, shared drives or PDF graveyards.
Distribute policies to teams or the whole organisation and track who has acknowledged each version. Reminders chase outstanding confirmations automatically and the audit trail records each acknowledgement, making policy adoption provable rather than assumed.
How it works
Configure multi-stage approval flows for policy changes: draft, review, legal sign-off, publish. KaitoSec routes documents to the right approvers, notifies stakeholders at each stage and records the chain of approval as evidence.
Each policy is linked to the ISO 27001 controls, NIS2 measures, Grundschutz safeguards, ISO 22301 clauses or ISO 42001 requirements it implements. When an auditor asks for the evidence behind a control, the policy is one click away.
Set review cycles per policy and let KaitoSec notify owners before expiry. Overdue reviews surface on the compliance dashboard, so outdated policies never make it through to the next audit unnoticed.
Supported frameworks