Claude Skill · Open Source

Policy Document Writer

A reusable Claude skill that generates professional, audit-ready security and compliance policy documents as formatted .docx files. Covers the full document lifecycle from intake questions through structured output with cover pages, tables of contents, headers, footers, and version control.

Type: Claude Skill (SKILL.md)
Works With: Claude Code & Cowork
Output: .docx (Word)
Domain: GRC / Compliance
↓ Download SKILL.md
How to use this skill
Drop the file into your Claude skills folder. When you ask Claude to write a policy, it will gather requirements through intake questions, then generate a complete .docx document.
mkdir -p .claude/skills/policy-writer
cp SKILL.md .claude/skills/policy-writer/SKILL.md

Once installed, say something like "write an access control policy" or "create a data classification policy" and Claude will walk you through the process. It asks about scope, roles, stakeholders, review cadence, and exception handling before generating anything.

What the skill produces
Cover Page

Company logo, policy title, publication date, and version number. Separate section with no header or footer. Page break after.

Linked Table of Contents

Clickable TOC entries that navigate to each section heading. Covers all 12 sections and subsections. Page break after.

12-Section Structure

Purpose, Scope, Roles & Responsibilities, Terms, Objectives, Policy Language (with subsections), Conclusion, Review, Exceptions, Supporting Docs, Policy Info, Version Control.

Headers & Footers

Header with logo, policy title, and creation date. Footer with classification label and page numbers. Cover page excluded.

Metadata Tables

Policy Information table with owner, manager, approver, review frequency, and next review date. Version Control table tracking all revisions.

Active Voice Throughout

Every sentence uses active voice. Requirements use "must" for mandatory, "should" for recommended. No passive constructions, no filler phrases.

What the skill asks before writing
The skill gathers these inputs from the user before generating any content. This ensures each policy is tailored to the organization rather than generic.
Required inputs

Policy Topic (what the policy covers), Scope (who it applies to), Roles and Responsibilities (which teams and what they own), Policy Language Sections (the specific rules and requirements), Executive Stakeholders (owner, manager, approver), Review Cadence, Exception Process, Supporting Documentation, Company Logo, Classification Label, and Policy ID.

Why intake matters

Generic policy templates fail audits because they do not reflect how the organization actually operates. By gathering scope, roles, and exception processes upfront, the skill produces a document that is specific to the organization and ready for stakeholder review without significant rework.

Standardized 12-section format
Every policy follows this exact section order. The consistency across policies is what makes them auditable and navigable during compliance assessments.
Supported policy types
The skill includes typical subsection templates for common policy domains. These serve as starting points that are customized based on user input.
Change Management, Access Control, Data Classification, Incident Response, Risk Management, Acceptable Use, Business Continuity, Vendor / Third-Party Risk, Human Resources Security, Information Security
Document specifications
Page layout

US Letter (8.5" x 11"), 1-inch margins, Arial font throughout. Body text at 12pt, Heading 1 at 16pt, Heading 2 at 14pt. Cover page is a separate section with no header or footer.

Headers & footers

Header: company logo (left), policy title (center), creation date (right). Footer: classification label such as "Internal" or "Confidential" (left), page number (right). Both include a thin separator line.

Tables

Policy Information and Version Control tables use light blue header shading (#D5E8F0), thin gray borders, and comfortable cell padding. Labels are bold in the left column.

SKILL.md (232 lines)
The complete skill file rendered below. Use the download button to save the raw markdown.
Policy Document Writer

This skill creates professional, publication-ready security and compliance policy documents as .docx files. The output follows a standardized structure derived from real-world policy programs and is designed to meet audit and compliance requirements (SOC 2, ISO 27001, HIPAA, PCI DSS, etc.).

Before Writing: Gather Requirements

Policy documents are unique to each organization. Before generating anything, gather the following from the user through conversation.

Required Inputs
  1. Policy Topic: What is this policy about?
  2. Scope: Who and what does this policy apply to?
  3. Roles and Responsibilities: Which teams or roles need to be defined?
  4. Policy Language Sections: What specific requirements or rules does this policy enforce?
  5. Executive Stakeholders: Document Owner, Manager, and Approver (name and title)
  6. Review Cadence: How often is this policy reviewed? (Default: annually)
  7. Exception Process: How does the organization handle exceptions?
  8. Supporting Documentation: Related policies, procedures, or standards
  9. Company Logo: Image file for the header
  10. Classification Label: Header classification (e.g., "Internal", "Confidential")
  11. Policy ID: Numbering scheme (e.g., "POLICY-01")

Document Structure

Every policy follows this exact section order. Do not skip or reorder sections. The consistency across policies is what makes them auditable and navigable.

Cover Page (logo, title, date, version) with page break. Table of Contents (linked, auto-generated) with page break. Then sections 1 through 12: Purpose, Scope, Roles and Responsibilities, Terms and Definitions, Objectives, Policy Language (with numbered subsections), Conclusion, Policy Review and Updates, Exceptions, Supporting Documentation, Policy Information table, Version Control table.

Writing Style

Active voice always. "The Security Team reviews change requests" not "Change requests are reviewed by the Security Team."

Direct requirements. Use "must" for mandatory items, "should" for strong recommendations, "may" for optional actions. Never use "shall" or "might."

Short paragraphs. Two to four sentences maximum. Each paragraph makes one point. No filler phrases, no jargon without definition, consistent present tense.
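
The Document Structure and Writing Style rules above can be checked mechanically before a draft goes to stakeholder review. The following lint is an added example, not part of SKILL.md or the skill's own code; it assumes the draft has been exported to plain text with top-level headings written as "N. Title", and the names lint_policy and SAMPLE are hypothetical.

```python
import re

# Section order from the Document Structure paragraph above.
SECTIONS = ["Purpose", "Scope", "Roles and Responsibilities",
            "Terms and Definitions", "Objectives", "Policy Language",
            "Conclusion", "Policy Review and Updates", "Exceptions",
            "Supporting Documentation", "Policy Information", "Version Control"]
# Writing Style rule: "must", "should" and "may" only; never "shall" or "might".
BANNED = re.compile(r"\b(shall|might)\b", re.IGNORECASE)
# Assumed heading form "3. Scope"; subsections like "6.1 Approval" are body text.
HEADING = re.compile(r"^(\d+)\.\s+(.+?)\s*$")


def lint_policy(text):
    """Return findings for a plain-text draft; an empty list means it passes."""
    findings, titles = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = HEADING.match(line)
        if match:
            titles.append(match.group(2))
            continue
        for hit in BANNED.finditer(line):
            findings.append(f"line {lineno}: replace '{hit.group(1).lower()}'")
    findings += [f"unexpected section: {t}" for t in titles if t not in SECTIONS]
    findings += [f"missing section {n}: {s}"
                 for n, s in enumerate(SECTIONS, 1) if s not in titles]
    # Compare the order found in the draft with the required order.
    known = [t for t in titles if t in SECTIONS]
    if known != [s for s in SECTIONS if s in known]:
        findings.append("sections out of order")
    return findings


# Constructed sample: section 4 absent, sections 8 and 9 swapped, one "shall".
SAMPLE = """1. Purpose
2. Scope
3. Roles and Responsibilities
5. Objectives
6. Policy Language
6.1 Account Provisioning
Managers shall approve every access request.
7. Conclusion
9. Exceptions
8. Policy Review and Updates
10. Supporting Documentation
11. Policy Information
12. Version Control
"""

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE)))
```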

Document Formatting (.docx)

US Letter, 1-inch margins, Arial throughout. Body 12pt, Heading 1 at 16pt bold, Heading 2 at 14pt bold. Cover page is a separate section with no header/footer.

Header: Logo (left), policy title (center), creation date (right). Footer: Classification label (left), page number (right). Page breaks after cover page and after table of contents.

Tables: Light blue header shading (#D5E8F0), thin gray borders (#CCCCCC), bold labels. Policy Information as two-column table, Version Control as four-column table.

Common Policy Types

The skill includes typical subsection templates for: Change Management, Access Control, Data Classification, Incident Response, Risk Management, Acceptable Use, Business Continuity, Vendor/Third-Party Risk, Human Resources Security, and Information Security. Each lists the standard Policy Language subsections as starting points.