Policy documentation is the foundation of every compliance framework. Whether you're pursuing ISO 27001 certification or maintaining GDPR compliance, your auditor will eventually ask to see your policies. And they won't accept generic templates downloaded from the internet.
The problem is that writing these policies takes time. A lot of time. Most compliance teams spend days or even weeks drafting, reviewing, and finalizing these policy documents. They start with generic templates, then spend hours customizing them to reflect their actual practices. Teams often end up pasting text from ChatGPT and then worrying about whether it actually meets the framework's requirements. They update one policy, then forget to update three others that reference the same information.
Today, we're announcing KAIA Policy Co-Pilot, a new feature within the Kertos platform that changes how European companies approach policy documentation. Policy Co-Pilot uses your company context to generate complete, framework-aligned policy drafts in minutes, which you then review, edit, and approve. The result is documentation that reflects your actual practices, meets compliance requirements, and stays consistent as your company evolves.
Why Policy Writing Has Been Broken
If you've ever been responsible for compliance documentation, you know the pain. You sit down to write an Access Control Policy for ISO 27001. You search online for examples. You find a template that looks professional, but it references practices your company doesn't follow. It mentions physical access controls for server rooms you don't have, because your infrastructure runs entirely on AWS, or it describes approval workflows that don't match your actual processes.
So you start editing. You remove the irrelevant sections and add details about your actual systems. You cross-reference the ISO 27001 standard to make sure you're covering all required elements. Three hours later, you have a draft. But you're not confident it's complete. You send it to a consultant for review, adding another €500 in costs and two weeks to your timeline.
Now multiply this by the 15 to 25 policies a typical ISO 27001 implementation requires. Add GDPR policies on top of that. Factor in the updates needed every time you change your tech stack, hire a new Data Protection Officer, or modify your security practices. The hours add up quickly.
This is why so many companies end up with outdated policies that don't reflect current practice. They copy generic templates and lack the time to customize them properly. Documentation drifts out of sync with actual practices because updating policies is perceived as a low priority compared to shipping new product features. Then, all of a sudden, audit season arrives, and teams scramble to close the gaps.

How Policy Co-Pilot Solves This
KAIA Policy Co-Pilot takes a fundamentally different approach. Instead of starting with generic templates, it starts with a complete picture of your company. The system analyzes your company context, including your size, industry, tech stack, and assigned roles like your DPO and CISO. It then generates policy drafts that actually reflect how your company operates.
When KAIA creates an Access Control Policy for a 50-person SaaS company using AWS, Okta, and GitHub, the policy references those specific systems. It describes access workflows that make sense for cloud infrastructure. It includes the review frequencies and approval processes appropriate for your company size. The result is a baseline that requires refinement rather than a template that requires rebuilding from scratch.
The entire process happens directly within the Kertos platform. You navigate to the Policies section, select your framework, and choose which policies to generate. KAIA produces complete drafts in minutes. You review them in the embedded editor, make adjustments, and set the status to approved. No file downloads. No back and forth with drafts and revisions. No version confusion. No copy-paste chaos.
What Makes This Different From Generic Templates
Generic templates assume a generic company. They include every possible control element because they don't know which ones apply to you. They use vague language because they can't reference your specific tools and processes, and they require extensive customization because they weren't written for your specific situation.
Policy Co-Pilot generates documentation tailored to your context from the start. The more complete your company profile, the more precise your policies become. If you specify that you use Google Workspace for email and collaboration, your Acceptable Use Policy will reference Google Workspace rather than mentioning abstract "email systems." If you indicate that you're a financial services company, your policies will reflect the additional requirements that come with that industry.
This context awareness extends to framework requirements as well. Every policy is mapped to its relevant framework, whether ISO 27001, GDPR, or both. When a policy applies to multiple frameworks, KAIA uses the ISO 27001 version as the baseline and automatically adds GDPR-specific clauses. This keeps your documentation synchronized and eliminates the confusion that comes from maintaining separate policy sets for different certifications.
You Stay in Control
Policy Co-Pilot generates drafts. It doesn't make decisions for you. Every policy it creates is fully editable through the embedded editor. You can modify language, add sections, remove elements that don't apply, and incorporate references to other documents. All changes are tracked in version history, so you always know what was modified and when.
Each policy includes metadata fields for owner, reviewer, and last updated date. You assign a single owner who is accountable for the policy's accuracy and a reviewer who validates changes before approval. This structure ensures clear accountability and creates the audit trail that certifiers expect to see.
If you prefer to draft policies manually, you can disable Policy Co-Pilot entirely under Settings. The feature is there to accelerate your work, not to replace your team's judgment. Final validation should always be done by someone who understands your business and your compliance requirements.
Staying Current When Your Company Changes
Policies aren't static documents. They need to evolve as your company evolves. When you hire a new Data Protection Officer, your GDPR documentation should reflect that change. When you adopt a new SaaS tool, your security policies should address how that tool is governed. When you expand into a new market, your practices may need to adapt.
This is where most policy management breaks down. Companies update their systems and processes but forget to update their documentation. Months later, an auditor reviews those policies and finds descriptions of tools that are no longer in use, or references to employees who left the company years ago.
Policy Co-Pilot addresses this with context-aware updates. When you modify your company context within Kertos, whether adding a new system, changing a key role, or updating your industry classification, KAIA identifies the policies affected by that change. It prompts you to review those policies and offers to regenerate or update them to stay consistent. You're never left wondering which documents need attention.
The Technical Details
KAIA generates policies using prompts developed by compliance experts and aligned with ISO 27001 and GDPR requirements. The prompts encode the control objectives behind each framework, so the generated documentation addresses those objectives within your specific context.
Setting up is straightforward. Go to Settings, then Company Context. Fill in details about your company size, industry, tech stack, and relevant roles. Assign your DPO for GDPR and CISO for ISO 27001. Save your changes. From there, navigate to Policies, select Create with KAIA, choose your framework, and let the system generate your drafts.
The current release supports ISO 27001 and GDPR frameworks. KAIA produces the core policy set required for each certification, giving you a complete baseline to work from. As we continue developing the feature, we'll expand framework coverage to include NIS2, DORA, and the EU AI Act.
What This Means for Your Compliance Timeline
The time savings are significant. What previously took days now takes minutes for initial draft generation. What previously required expensive consultant reviews now starts from a framework-aligned baseline. What previously demanded constant vigilance to keep documentation current now happens through automated prompts and updates.
For a typical ISO 27001 implementation, policy documentation represents 20 to 30 hours of work. With Policy Co-Pilot, that drops to 3 to 5 hours of review and refinement. The time you save goes back into the work that actually matters: implementing controls, training your team, and building a security culture that goes beyond checkboxes.
This fits into Kertos' broader mission of transforming compliance from a burden into a competitive advantage. We've already helped thousands of European companies achieve certification in weeks rather than months. Policy Co-Pilot is another step toward that goal, removing friction from one of the most tedious parts of the compliance journey.
Getting Started
Policy Co-Pilot is available now for all Kertos customers. If you're already using the platform, complete your company context and start generating policies today. If you're evaluating Kertos for your upcoming ISO 27001 or GDPR project, schedule a demo to see Policy Co-Pilot in action.
Compliance documentation shouldn't be the bottleneck in your certification timeline. With KAIA Policy Co-Pilot, it won't be.