Vanta’s Policy Builder is a policy creation and editing tool that helps you quickly create policies using Vanta’s policy templates and customize the content to your business. In Policy Builder, you work on one policy section at a time and see a live preview on the right-hand side that updates as you go. You can jump between sections by clicking the section contents on the right or using the Next and Back buttons.
Use the Policy Builder starter guide to walk through this process, step-by-step!
Begin the Policy Draft
On the left-hand side, you’ll be prompted to answer questions that customize the placeholder text in the policy template to match your business guidelines and operations. As you answer questions, the live preview on the right updates. Once all questions for a section are answered, the section is marked as complete. Many sections are complete by default because they require no customization. Once you complete all sections, your policy draft is ready to submit for approval.
Editing Content
Sometimes you need to modify a section’s content to tailor it to your business. To do so, click the edit icon and start making edits. Editing guidance is provided for each section (except the first) for SOC 2 and ISO 27001:2022. If you are pursuing either of these frameworks, you’ll see the relevant guidance, which indicates what is required vs optional in a given section of the policy for that framework, along with any related controls. Some policy sections include optional content reflecting security best practices that are not required for the framework you’re pursuing; this content can be deleted. Many sections include no optional content, meaning the entire section is required for your framework, although you can still modify specific wording as long as the section still meets the guidance for what is needed. This guidance helps you ensure your policy continues to meet the requirements of the framework(s) you’re pursuing while you customize the policy content.
Please note that once you start editing a section, you will no longer be able to change your responses to the questions for that section. However, you can discard your edits to revert to the original section content and then update your responses.
Review & Finalize
Once all sections of your policy are complete, you’re ready to review and finalize your policy draft. In this final step, you can preview your final policy. If you need to make any further changes, return to the relevant section to make edits. Next, confirm the policy approver and submit the policy for approval. If you’re working on a policy with multiple language versions, you’ll be prompted to complete your remaining language drafts before submitting them for approval.
FAQs
Why don’t I see Policy Builder for all of my policies?
- Policy Builder is a new tool we are rolling out incrementally. It is enabled today for all SOC 2 policies. Later in the year, we will expand to ISO 27001 policies and then to other frameworks. For policies that do not have Policy Builder enabled, you can use the existing editor tool to create them.
- If you are working on a SOC 2 policy and still don’t see Policy Builder, it’s likely because you had an existing draft before we launched Policy Builder. To access Policy Builder, delete your draft and start over. Similarly, if you have an Approved policy and wish to use Policy Builder to create your new version, choose the option Create new policy when starting a new version.
Why do I see a different experience for creating policy drafts in other languages?
- We are in the process of expanding Policy Builder to work across other language drafts. Currently, Policy Builder supports creating your English policy draft. If you’re working on a multi-language policy, after completing your English draft in Policy Builder, you will be taken to the editor to work on your other language drafts.
What does “related controls” mean?
- Related controls appear in Editing guidance. The Vanta controls listed here provide context on the framework requirements a given section helps satisfy or relates to. Related controls are for educational purposes (to assist you with creating/editing policies) and do not reflect the controls mapped to your policy. To view the controls that map to your policy, reference the “Related frameworks and controls” section on the policy detail page. A control is mapped to a policy if the policy's associated approval test is mapped to the control. If you remove a Vanta control related to a particular policy section, this control will no longer appear in the Editing guidance.
What is the impact of editing a section that has required content for my framework?
- Policies should reflect how your business actually operates, not how you aspire to operate. As such, you may need to modify some of Vanta’s policy language. Editing guidance helps you understand which content in a given section is required vs optional, so you understand the implications of an edit before you make it. If you do edit content that is required for your framework, we recommend you check the related controls and speak with your auditor to see whether you need to make corresponding changes to the control description or the mapped tests and documents.
I need to make customizations that Policy Builder doesn’t allow (e.g. add a new section, edit a section title). How do I do this?
- If there are customizations you need to make that aren’t supported in Policy Builder, you can make these in the editor tool by clicking convert to policy editor in the menu within Policy Builder. Please note that you should complete all sections in Policy Builder before converting, as once converted, you cannot return to Policy Builder with your current draft.
Can I go back to the old experience to edit my entire policy?
- Yes, clicking convert to policy editor in the menu lets you edit your entire policy at once. Once converted, you cannot revert your current draft to Policy Builder. To use Policy Builder again, you must delete your draft or start a new draft from scratch.
Why don’t I see Editing guidance for all the frameworks I’m pursuing?
- After we launch Policy Builder for SOC 2 and ISO 27001 policies, we will expand to other frameworks and include editing guidance for them.