About
Good security policies should not be a paid consulting project.
Most small businesses know what they should do. What they lack is the wording, in their country's terms, that turns practice into a signed document. That is the whole job of this library.
The standards we track
Written to the frameworks, not around them.
Every template names the clause or control it satisfies, so a reviewer can trace it. We keep two separate libraries because Australia and New Zealand answer to different guidance and different privacy law.
When a framework updates, the affected templates are revised and the review date is bumped. The mapping lives inside each document, not in a marketing claim.
Every guide is produced with a clean-room method: research is gathered per country, each claim is tagged verified or inferred against a named source, and nothing crosses the Tasman without being re-checked against the other country's law. Read how it works: the Australian methodology guide · the New Zealand methodology guide.
Annex A control set and management clauses.
The ACSC mitigation strategies and maturity model.
The NZ Information Security Manual and the NCSC Critical Controls (CERT NZ merged into the NCSC in July 2025).
Privacy Act 1988 and the Privacy Act 2020.
How the templates are built
Three rules we hold ourselves to.
Plain enough to sign
If a general manager cannot read it and understand what they are approving, it is not finished.
Specific enough to pass
Every claim maps to a clause. An auditor can follow the reference straight to the section that meets it.
Kept current
Each template carries a review date and is revised when the framework it maps to changes.
These templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. For anything high stakes, have a qualified adviser review your final policies before you rely on them.
Pick your country and start.
Two libraries, 22 templates each, written for where your business is registered.