
Creating Custom Policies

Written by Shannon DeLange
Updated today

Creating a custom policy in Vanta allows organizations to document practices, procedures, or requirements that aren't fully addressed by standard templates or frameworks. While Vanta offers a comprehensive set of prebuilt policies mapped to frameworks like SOC 2, ISO 27001, and HIPAA, your company might have unique workflows, tools, or regulatory obligations that require more tailored guidance. Custom policies help formalize internal standards, support customer or contractual commitments, and demonstrate maturity in data ethics, AI governance, or region-specific privacy. They also allow teams to align documentation with how they operate, ensuring policies are both audit-ready and practically applicable.

Creating Custom Policies

  • From the left-hand navigation panel, select Compliance and then Policies

  • From the top right-hand corner, select + Add policy

  • Add a policy title and policy description

  • Select Create

  • When submitting for approval, choose an approver, or approve the policy yourself if you have admin permissions. Where possible, have someone other than the author approve: self-approval removes the author/approver separation that auditors commonly look for.

  • Approve the employee assignment. The listed employee groups will be asked to accept the policy once it is approved.

    • Note: The list contains every Employee Group whose task set has "Select All" checked in the Policy Acceptance category of Ongoing Tasks.


Mapping Custom Policies to Tests

Two policy tests are created for each custom policy: one monitors whether the policy is revised and approved annually, the other whether all relevant employees have accepted each approved version. Both appear on the Tests page under the Policies category.

Mapping Custom Policies to Controls

  • Open the desired custom policy

  • From the policy, select the Controls tab

  • Select Add control

  • From here, you can search for specific controls and select Add

  • To remove a custom-mapped control from the policy, select the control and click Remove


AI Suggested Control Mapping

  • Whether you are using Vanta's default template stack or bringing in your own custom policies, you can use Vanta AI to help map security controls to a policy.

  • Click on the policy you would like to edit.

  • The controls listed are the default controls mapped to the policy; any of them can be removed by clicking the X.

  • To add further controls, select Map control.

  • Choose from any of the controls in your Vanta instance, or use the controls suggested by AI. Vanta AI generates a list of suggested controls for the policy, which you can then map to it.

    • Please note this may take a few moments

  • Review each suggestion against the policy's actual content before accepting it; a control should only be mapped to a policy that genuinely addresses it.

  • Select the check mark to map the control to your policy, or the X to reject the suggestion.


Deactivate Unused Policy Tests

Once your custom policies have been imported and mapped to the relevant controls, deactivate the policy tests that correspond to Vanta policy templates you are not using; otherwise those templates keep generating failing tests against your controls.

  • For example, if you’re pursuing SOC 2, you will automatically see Vanta policy templates on your Policies page.

  • To remove these policy templates from your Policies page and unmap them from the related controls, you must deactivate the corresponding tests associated with them. If you do not deactivate these tests, your controls will continue to show as needing attention.

  • On the Tests page, find the policy tests corresponding to the Vanta policy templates you do not plan to use. You can do this by searching the name of the policy and finding the test that indicates “Company has an approved <policy name>.”

  • Click the policy test.

  • Select the three-dots menu to the right of the name of the test.

  • Select Deactivate.

  • Repeat this for every policy template you do not plan to use. Once a policy test is deactivated, its policy template no longer appears on your Policies page, and the test is removed from your controls.

    • You can reverse this at any time: open your deactivated tests and click Reactivate monitoring on the test you want to restore.


Deleting Custom Policies

To delete only the policy draft:

  • Click the three-dots menu within the Draft section and select Delete from the dropdown.

To delete the whole policy:

  • Click the three-dots menu in the upper right corner and select Delete policy from the dropdown.

    • Note: A custom policy cannot be deleted until after its Draft is created.