What are Policies?
Security policies guide how your organization protects valuable information and tech assets from unauthorized access or harm by detailing the expected behavior (i.e. controls) of your organization. They create a framework for keeping data confidential, accurate, and available, guarding against security threats and risks.
Think of compliance frameworks, like SOC 2, as the overarching rulebook. Controls are the written rules for adhering to the framework. Policies are the written pages of instructions on how your company will mitigate security risk, ensure regulatory compliance, and protect important information like customer data.
How Policies Help You Get Audit-ready
Auditors want to see which of the framework’s controls your organization adheres to and how you do so; security policies document this information. To be audit-ready, the policies required by the framework you’re pursuing must be approved (by the relevant authority at your company) and accepted by the relevant employees. Vanta provides templates created and maintained by security experts to help you create all the policies you’ll need. These templates are automatically reflected on your Policies page. For example, we have 15 policy templates to help you get SOC 2 compliant. Many of these same policies are also required for other frameworks like ISO 27001.
In Vanta, policies, controls, and tests all connect to help you get ready for your audit:
Controls represent the rules your organization needs to follow to manage and mitigate security risk.
Policies are the written instructions for how your company is meeting these controls.
Tests provide evidence of compliance and show whether a control is being adhered to.
In Vanta, each policy is tied to two tests: (1) a test that checks whether the policy is approved and (2) a test that checks whether all relevant employees accept the policy. Certain Vanta controls will not be met until these two policy tests are passed (i.e., in OK status). For example, the SOC 2 control, “Continuity and Disaster Recovery plans established,” depends on your company having an approved Business Continuity and Disaster Recovery Plan, which your employees accept.
1. Set up your policies in Vanta
Setting up your policies in Vanta involves drafting security policies that your company does not yet have in place and importing any existing policies you do have.
a. Draft policies with Vanta templates
Vanta provides out-of-the-box templates aligned to framework requirements and industry best practices to help you quickly create the necessary policies. Our Policy Builder tool (available for all SOC 2 and ISO 27001:2022 policies) guides you through drafting policies from our templates and customizing the template language to your unique business. If you’re pursuing other frameworks that are not yet supported in Policy Builder, we still provide all the policy templates you’ll need.
One person commonly takes the lead on drafting policies (often the Vanta admin). You need no specific background or expertise to start drafting your policies. However, before finalizing a policy, you may need to ask other stakeholders at your company to review and confirm specific policy content. If you need additional help or information on this process, register here for an upcoming Policy Workshop, where we will guide you through creating, editing, and managing policies in Vanta. You’ll also have the opportunity to ask a Vanta policy expert questions.
You have everything you need to get started! Take our 60-second product tutorial on drafting policies with Vanta, and then go to Policies to begin your first policy (you can sort the list by our recommended order). On average, Vanta users take 2-6 minutes to draft a policy using Policy Builder.
b. Import existing policies
If you have any existing policies, you can import these instead of using Vanta’s templates. Go to Policies, select the policy that best matches the content of the policy you’re importing, and click Import. You can either import a file from your computer or sync from a supported app (Google Drive, Confluence, SharePoint). Alternatively, if you can’t find a policy in our list that matches the one you’re importing, you can use the Add a custom policy option. We recommend the former option as it’s quicker to set up, but if you’re using Add a custom policy, refer to these instructions.
2. Approve Policies
Approving your policies in Vanta is an important step to confirm your organization’s compliance posture. If you import a policy into Vanta, you can also set historical approvers and approval dates to track the policy’s timeline. If Vanta AI is enabled for your account, Vanta can automatically extract this information for you, making the process faster.
How to Approve Policies
Submit the policy for approval: After drafting or importing a policy, select Submit to begin approval.
Select the approver: Approvers can be anyone at your company (including yourself) with Admin or Editor status in Vanta. We recommend selecting the individual who enforces the policy and can answer questions during an audit.
Await approval: Once you submit the policy for approval, the approver is notified via email. They will review the draft and confirm approval in Vanta.
Check status: Once approved, your new policy version will move from Pending Approval to Approved on the Policies page.
We recommend drafting and approving all policies required for your framework before moving on to the next step.
Multiple Approvals for Growth, Scale, and Enterprise Customers
You can designate multiple approvers for each policy.
Assign up to five steps of approval, with each step allowing up to three approvers.
This lets you involve key team members in the process, ensuring thorough review and sign-off before finalizing a policy.
3. Employee Acceptance
Steps for Employees to Accept Policies
Employees are required to accept assigned policies as part of their security tasks. The process is straightforward:
Log in to Vanta using your company credentials.
Navigate to the My Security Tasks section located in the left-side menu.
Policies requiring acceptance will be listed in this section.
Review and accept the policies one by one.
Alternatively, you can directly visit the designated onboarding page provided by your company, where policies and other onboarding tasks are listed for your review and acceptance. Notifications about required tasks will be sent via email or Slack, based on your company’s notification settings.
Once you have finished drafting and approving all policies, it’s time to set your personnel up in the Personnel Hub and assign them tasks, including reviewing and accepting policies. To get started, follow the Getting started with Personnel Hub guide. Once you have employee tasks configured to review and accept policies, you can monitor the status of employee acceptance for each policy on the Policies page and click to see which personnel have or have not yet accepted.
Notification and Reminder Management for Admins
Administrators play a key role in ensuring employees complete the policy acceptance process. The following actions can be implemented:
Enable Notifications: Turn on employee notifications in the Vanta settings. Notifications will automatically remind employees about pending security tasks, including policy acceptance, based on the reminder cadence set (e.g., weekly reminders). To manually remind a specific user, navigate to their profile on the People page and click on Remind.
Manual Access to Policies: As an alternative to automatic notifications, employees can be directed to the onboarding page to complete their tasks manually.
Customizing Policy Assignments to Groups
Vanta allows admins to assign policies to specific groups:
Configure onboarding group settings to determine which employees need to accept each policy.
Customize group-specific settings or default all policies to be accepted by all group members. This flexibility helps organizations efficiently manage diverse teams.
Troubleshooting Common Issues
Here are solutions to common challenges faced during policy acceptance workflows:
Inconsistent Task Status: If tasks like "Accept security policies" revert to incomplete, it might be due to the system not recognizing the acceptance state correctly. Ensure employees revisit the onboarding page to complete and save tasks.
Checklist Configuration Issues: If employees cannot see or accept certain policies, it could be due to checklist settings. Approve the policy and navigate to the checklist section to enable policies for the desired employee group.
Differentiating Agreements: Policy acceptance in Vanta does not replace the need for signed employee agreements, as these documents address different compliance controls.
What’s Next?
Each year, you’ll need to review and re-approve your policies. You’ll be notified via email when it’s time. If there are material changes to a policy, we recommend you ask employees to re-accept it. When you create a new policy version, you’ll be asked to confirm whether it should be sent to employees for review and acceptance. On the Policies page, a policy’s status changes from OK to Renew soon when renewal is due within the next six weeks. If you don’t renew in time, the policy status will change to Expired.
If policies are updated and need to be reaccepted, follow these steps:
During policy updates, select the option Yes, ask employees to reaccept this policy.
Vanta will automatically prompt employees to reaccept the updated policy based on your notification cadence.
If this option was not selected, reapprove the policy with the option enabled to ensure compliance.
Additional resources:
Vanta Academy: Creating & Managing Policies
Vanta Academy: Employee Onboarding
Live Training: Policy Writing Workshop