Creating Policies with Policy Builder

Vanta’s Policy Builder is a policy creation and editing tool that helps you quickly create policies using Vanta’s policy templates and customize the content to your business. In Policy Builder, you work on one policy section at a time and see a live preview on the right-hand side that updates as you go. You can jump between sections by clicking the section contents on the right or using the Next and Back buttons.

Use the Policy Builder starter guide to walk through this process, step-by-step!

Begin the Policy Draft

  • From the left-hand navigation panel, select the policy you would like to create
  • On the left-hand side, you’ll be prompted to answer questions that customize the placeholder text in the policy template to match your business guidelines and operations. As you answer questions, the live preview on the right updates.
  • Once all questions for a section are answered, the section is marked as complete. Many sections are complete by default, as no customization is required. Some sections include a Review and edit section prompt asking you to confirm that the content is applicable to, and customized for, your business. Once you complete all sections, your policy draft is ready to submit for approval.

Editing Content

  • You may need to modify a section’s content to suit your business. Click the edit icon to start making edits.
  • Editing guidance is provided for each section (except for the first section) for SOC 2 and ISO 27001:2022-related policies. Editing guidance indicates what is required vs. optional in a given policy section for that framework and any related controls.
  • Some policy sections include optional content reflecting security best practices that are not required for the framework you’re pursuing and can be deleted.
  • Many sections include no optional content, meaning the entire section is required for your framework. However, you can still modify specific verbiage as long as it still meets the requirements of the framework.
  • This guidance is provided to help you ensure your policy still meets the requirements of the framework(s) you’re pursuing while you customize the policy content.


Review & Finalize

  • Once all sections of your policy are complete, you’re ready to review and finalize your policy draft.
  • In this final step, you’ll have the option to preview your final policy. If you need to make any further changes, go to that section to make edits.
  • Next, confirm the policy approver and then submit the policy for approval. If you’re working on a policy with multiple language versions, you’ll be prompted to work on your remaining language drafts before submitting them for approval.

FAQs

Why do I see a different experience for creating policy drafts in other languages?

  • We are in the process of expanding Policy Builder to work across other language drafts. Currently, Policy Builder supports creating your English policy draft. If you’re working on a multi-language policy, after completing your English draft in Policy Builder, you will be taken to the editor to work on your other language drafts.

What does “related controls” mean?

  • Related controls appear in Editing guidance. The Vanta controls listed here provide context on the framework requirements a given section helps satisfy or relates to. Related controls are for educational purposes (to assist you with creating/editing policies) and do not reflect the controls mapped to your policy. To view the controls that map to your policy, reference the “Related frameworks and controls” section on the policy detail page. A control is mapped to a policy if the policy's associated approval test is mapped to the control. If you remove a Vanta control related to a particular policy section, this control will no longer appear in the Editing guidance.

What is the impact of editing a section that has required content for my framework?

  • Policies should reflect how your business operates and not be aspirational. As such, it’s expected that you may need to modify some of Vanta’s policy language. Editing guidance helps you understand which content in a given section is required vs. optional, so you know whether an edit you’re considering has any implications. If you do edit content that is required for your framework, we recommend you check the related controls and speak with your auditor to see whether you need to make any corresponding changes to the control description or mapped tests/documents.

I need to make customizations that Policy Builder doesn’t allow (e.g., adding a new section). How do I do this?

  • If you need to make customizations that aren’t supported in Policy Builder, you can do so in the editor tool by clicking "convert to policy editor" in the menu within Policy Builder. Please note that you should complete all sections in Policy Builder before converting: once converted, you cannot return to Policy Builder with your current draft.

Can I go back to the old experience to edit my entire policy?

  • Yes, clicking "convert to policy editor" in the menu will allow you to edit your entire policy at once. Once converted, you cannot revert your current draft to Policy Builder. You must delete your draft and/or start a new draft from scratch to use Policy Builder again.

Why don’t I see Editing guidance for all the frameworks I’m pursuing?

  • After we launch Policy Builder for SOC 2 and ISO 27001 policies, we will expand to other frameworks and include editing guidance for them.