Creating Policies with Policy Builder


Vanta’s Policy Builder is a policy creation and editing tool that helps you quickly create policies using Vanta’s policy templates and customize the content to your business.  In Policy Builder, you work on one policy section at a time and see a live preview of that section while editing.  You can jump between sections by clicking the section contents on the right or using the Next and Back buttons. 

Template tab

The Template tab asks questions that customize the placeholder text in the policy template to match your business guidelines and operations. As you answer questions, you’ll see your responses update in the live preview on the right. Once you have answered all questions for a section, the section is marked as complete. Once you complete all sections (some sections have no questions you need to answer), your policy draft is ready to submit for approval.

 

Custom tab

If you wish to edit a section’s contents further, click on the Custom tab and start making edits.  You'll see Section editing guidance above the Template/Custom tabs (for all policy sections except the first section).  Section editing guidance is available for SOC 2 and ISO 27001:2022. If you are pursuing either of these frameworks, you’ll see the relevant guidance, which provides information on what is required vs optional in each policy section for that framework and any related controls.  Section editing guidance aims to help you make edits to a section while ensuring your policy language still meets the requirements of the framework(s) you’re pursuing.  

 

Please note that once you start editing a section in Custom, the Template tab will be locked. You can reset your edits to revert to the original section contents and your answers in the Template tab.  

Review & finalize

Once all sections of your policy are complete, you’re ready to review and finalize your policy draft.  In this final step, you’ll have the option to preview your final policy. If you need to make any further changes, go to that section to make edits.  Next, confirm the approver of the policy and then submit the policy for approval.  If you’re working on a policy with multiple language versions, you’ll be prompted to work on your remaining language drafts before submitting them for approval.

 

FAQs

Why don’t I see Policy Builder for all of my policies?

  • Policy Builder is a new tool we are rolling out incrementally, policy by policy. We are starting with policies required for SOC 2, then will expand to ISO 27001 policies later in the year, and then to other frameworks.  

Why don’t I see section guidance for all the frameworks I’m pursuing?

  • After we launch Policy Builder for SOC 2 and ISO 27001 policies, we will expand to other frameworks and launch section editing guidance for them.  

Why do I see a different experience for creating policy drafts in other languages?

  • We are in the process of expanding Policy Builder to work across other language drafts. Currently, Policy Builder supports creating your English policy draft. If you’re working on a multi-language policy, after completing your English draft in Policy Builder, you will be taken to the editor to work on your other language drafts.  

What does “related controls” mean?

  • Related controls appear in the Section editing guidance. They list any relevant Vanta controls that provide context on the framework requirements a given section helps satisfy or relates to. These controls are shown for educational purposes (to assist you with creating/editing policies) and do not reflect the controls mapped to your policy. A control is mapped to a policy if the policy's associated approval test is mapped to the control. To view the controls that map to your policy, reference the “Related frameworks and controls” section on the policy detail page. If you remove a Vanta control related to a particular policy section, this control will no longer appear in the Section editing guidance.

What is the impact of editing a section that has required content for my framework?

  • Policies should reflect how your business operates and not be aspirational. As such, it’s expected that you may need to modify some of Vanta’s policy language.  “Section editing guidance” helps you understand what content in a given section is required vs optional, so you know if there are any implications of an edit you’re considering making.  If you do edit the content that is required for your framework, we recommend you check the related controls and speak with your auditor to see if you need to make any corresponding changes to the control description or mapped tests/documents.

I need to make customizations that Policy Builder doesn’t allow (e.g. add a new section, edit a section title).  How do I do this?

  • If there are customizations you need to make that aren’t supported in Policy Builder, you can make these in the editor tool by clicking “convert to policy editor” in the menu in the upper right corner of Policy Builder. Please note that you should complete all sections in Policy Builder before converting, as once converted, you cannot return to Policy Builder with your current draft.  

Can I go back to the old experience to edit my entire policy? 

  • Yes, clicking “convert to policy editor” in the menu in the upper right corner will allow you to edit your entire policy at once. Once converted, you cannot return your current draft to Policy Builder. You must delete your draft and/or start a new draft from scratch to use Policy Builder again.