A policy only protects you if people can follow it. Themis applies CyBehave's behavioural approach to governance - generating your security policies and standards from a human-validated requirement library and writing them to be readable and understandable by everyone, from the board to the front line. Documents people actually comprehend drive real adoption - and behind the plain language sits full rigour: your frameworks harmonised, the most restrictive requirement selected with the evidence to show why, and every clause traced to its source.
The scales in action: every requirement weighed across your frameworks - the most restrictive wins, and the rationale is yours to show.
Themis is in early development. This page describes the product as it is being built. Check back regularly for updates as it takes shape.
Themis covers the full journey from framework selection to a governed, published document estate - a security charter, policies, standards by focus area, and a TOMs document - with the provenance, harmonisation rationale and lifecycle controls that make independent audit straightforward.
Answer an engaging onboarding wizard - your sector, geography, frameworks, audience and pragmatism level - and Themis drafts a complete, contextualised document set. Standards are created by focus area: network, cloud, applications, DevSecOps, identity and more.
Select NIST CSF, NCSC CAF, ISO 27001, PCI DSS and others together. Themis maps overlapping requirements, compares them as structured values, and selects the strictest - with a visible rationale showing which framework contributed what, and which won. Rank your primary framework and Themis anchors the wording and structure to it, without ever weakening an obligation.
Documents are created first and foremost to be readable and usable by your colleagues - simple and to the point, because that is what makes them effective. The same validated requirements are rendered at three registers - board, practitioner and all-staff - with a meaning check ensuring simplification never becomes weakening. Policy that people comprehend is policy that gets followed.
Themis never lets AI invent a requirement. Every entry in the library was extracted by AI, then approved by a named human reviewer against the source text. Every generated sentence traces to a validated requirement with clause-level provenance.
Branded DOCX output with full document control, classification markings and change history - and a linked XLSX register: one row per requirement with sources, crosswalk and harmonisation rationale. The compliance mapping matrix your auditor asks for, produced automatically.
Versioning with requirement-level diffs, approval workflows, publication as v1.0, review scheduling, attestation tracking, an exceptions register with justification and risk ownership, and an append-only audit trail across everything.
Most organisations answer to more than one authority - a primary framework, a contractual standard, sector regulation and national law all at once. Themis weighs them together, requirement by requirement, and resolves them into a single working set you can defend.
Requirements are compared as structured values - retention periods, review frequencies, authentication strength - and the strictest always prevails, whichever framework it came from.
Every resolved requirement carries its derivation: contributing frameworks and clauses, the values compared, the winner and why - shown in the app and exported in the XLSX register.
Rank your frameworks and Themis anchors wording and document structure to your primary - CSF-shaped documents for a CSF house - while stricter values from any framework still win.
Choose a less restrictive position where you have grounds, and Themis records it as a formal exception with justification, a risk owner and an expiry - never a silent weakening.
The requirements register doubles as a compliance mapping matrix - requirement to policy clause to every framework clause it satisfies - the artefact multi-framework audits demand.
Client security schedules and contractual requirements can join the weighing alongside formal frameworks, so your obligations to customers are harmonised with everything else.
Manage your whole policy suite - from charter to policy, through technical policies and standards, to TOMs - as one coherent, traceable estate. Each tier references the one above, and each requirement is carried consistently across tiers: when a requirement changes, everything that carries it is flagged together, so your documents can never quietly drift apart.
The board-level mandate: intent, scope, governance and accountable ownership. Short, authoritative, requirement-free.
The what and the why per domain, carrying harmonised requirements at principle level.
The exactly-what by focus area - network, cloud, DevSecOps and more - where the specific values live.
A GDPR Article 32 Technical and Organisational Measures document, generated from the same validated set - with a redacted variant safe to share with clients and processors.
The everyday loop is fast: choose the focus area you need, get a complete contextualised draft in minutes, refine it with an AI assistant or by hand, and publish v1.0 to your registry through a proper approval workflow.
Network, cloud, applications, DevSecOps, identity, supplier security and more - one standard per focus, drawn from your harmonised requirement set.
A complete draft in your context - your frameworks, your priority order, your audience register, your branding and classification.
Work with the AI assistant in plain conversation or edit manually. Every AI proposal is a governed change you approve - it can tailor and rephrase, but it can never invent a requirement.
Through your approval workflow and into the registry as v1.0 - an immutable, fully attributed snapshot, with attestation and review scheduling from day one.
The policy registry is the heart of Themis - the central registry where every document lives through its whole lifecycle: drafted, approved, published, reviewed, revised and retired in one governed place. It is the screen a CISO opens before an audit and an author opens every morning - every document across every tier, its status, owner, version, review date and attestation coverage.
Charter, policies, standards and TOMs shown as the connected estate they are - with overdue reviews and expiring exceptions surfaced before they become findings.
Import pre-Themis policy versions to establish full lineage - clearly badged as legacy, carried in the change history, and kept for audit continuity.
One-click export of the full document control index, plus requirement-level diffs between any two versions - the questions auditors ask, answered before they ask them.
A new regulation, framework version or client schedule lands? Assess it against your published estate to see where you already comply - and where the gaps and weaknesses are - before anyone asks.
Built the CyBehave way: language linting flags punitive, blame-laden phrasing and suggests just-culture alternatives, and requirements carry behavioural adoption tags - because a policy only protects you if real people can follow it, and auditors increasingly check exactly that.
Themis is a governance product, so it is governed like one - provenance on every clause, an evidence trail on every change, and strict separation between organisations.
Every requirement in every document traces to a human-validated library entry, its source framework, clause and validation record. Org-specific additions are clearly marked as yours - nothing masquerades as a framework obligation.
Every change - human or AI-assisted - is recorded in an append-only, cryptographically chained audit log, with approvals, e-signatures and attestations alongside. AI-proposed changes are always attributed and always accepted by a person.
Each organisation's documents, tailoring, exceptions and history are isolated per tenant. The shared, validated requirement library is common to all - your governance decisions are yours alone.
Data is encrypted in transit and at rest, and you can export or delete your organisation's data on request. Intellectual property is respected throughout - licensed framework text is never republished, and gated frameworks unlock only against your own licence attestation.
More to come as the product develops. Check back regularly.