What are Policies?
Security policies guide how your organization protects valuable information and tech assets from unauthorized access or harm by detailing the expected behavior (i.e. controls) of your organization. They create a framework for keeping data confidential, accurate, and available, guarding against security threats and risks.
Think of compliance frameworks, like SOC 2, as the overarching rulebook. Controls are the written rules for adhering to the framework. Policies are the written pages of instructions on how your company will mitigate security risk, ensure regulatory compliance, and protect important information like customer data.
How Policies Help You Get Audit-ready
Auditors want to see how your organization adheres to the framework’s controls and how you’re doing that; security policies outline this information. To be audit-ready, the policies necessary for the framework you’re pursuing must be approved (by the relevant authority at your company) and accepted by relevant employees.
Vanta provides templates created and maintained by security experts to help you create all the policies you’ll need. Once approved, each policy becomes part of your compliance evidence. In Vanta, approved policy files act as documents that automatically satisfy the associated policy tests. These templates are automatically reflected on your Policies page. For example, we have 15 policy templates to help you get SOC 2 compliant. Many of these same policies are also required for other frameworks like ISO 27001.
In Vanta, policies, controls, and tests all connect to help you get ready for your audit:
Controls represent the rules your organization needs to follow to manage and mitigate security risk
Policies are the written instructions for how your company is meeting these controls.
Tests provide evidence of compliance and show whether a control is being adhered to. Some policy tests are document tests, which means the uploaded policy file itself serves as the evidence. These appear on both the Monitors (Tests) and Documents pages in Vanta.
In Vanta, each policy is tied to two tests: (1) a test that checks whether the policy is approved and (2) a test that checks whether all relevant employees accept the policy. Certain Vanta controls will not be met until these two policy tests are passed (i.e., in OK status). For example, the SOC 2 control, “Continuity and Disaster Recovery plans established,” depends on your company having an approved Business Continuity and Disaster Recovery Plan, which your employees accept.
1. Set up your policies in Vanta
Setting up your policies in Vanta involves drafting security policies that your company does not yet have in place and importing any existing policies you do have.
a. Draft policies with Vanta templates
Vanta provides out-of-the-box templates aligned to framework requirements and industry best practices to help you quickly create the necessary policies. Our Policy Builder tool (available for all SOC 2 policies and ISO 27001:2022 policies) guides you through drafting policies using our templates and customizing Vanta’s policy template language to your unique business. If you’re pursuing other frameworks that are not yet supported in Policy Builder, we still provide all the policy templates you’ll need.
One person commonly takes the lead on drafting policies (often the Vanta admin). You need no specific background or expertise to start drafting your policies. However, before you finalize your draft, you may need to reach out to other stakeholders at your company to review and confirm specific policy content. If you need additional help or information on this process, register here for an upcoming Policy Workshop, where we will guide you through creating, editing, and managing policies in Vanta. You’ll also have the opportunity to ask a Vanta policy expert questions.
You have everything you need to get started! Take our 60-second product tutorial on drafting policies with Vanta, and then go to Policies to begin your first policy (you can sort the list by our recommended order). On average, it took Vanta users 2-6 minutes to draft a policy using the Policy Builder!
b. Import existing policies
If you have any existing policies, you can import these instead of using Vanta’s templates. Go to Policies, select the policy that best matches the content of the policy you’re importing, and click Import. You can either import a file from your computer or sync from a supported app (Google Drive, Confluence, SharePoint). Alternatively, if you can’t find a policy in our list that matches the policy you’re importing, you can use the Add a custom policy option. We recommend the former option as it’s quicker to set up, but if you’re using Add a custom policy, refer to these instructions.
2. Approve Policies
Approving your policies in Vanta is an important step to confirm your organization’s compliance posture. If you import a policy into Vanta, you can also set historical approvers and approval dates to track the policy’s timeline. If Vanta AI is enabled for your account, Vanta can automatically extract this information for you, making the process faster.
How to Approve Policies
Submit the policy for approval: After drafting or importing a policy, select Submit to begin approval.
Select the approver: Approvers can be anyone at your company (including yourself) with Admin or Editor status in Vanta. We recommend selecting the individual who enforces the policy and can answer questions during an audit.
Await approval: Once you submit the policy for approval, the approver is notified via email. They will review the draft and confirm approval in Vanta.
Check status: Once approved, your new policy version will move from Pending Approval to Approved on the Policies page. When a policy is approved, Vanta marks the related policy test as “OK” and the approved policy document becomes visible in both your Monitors and Documents views.
We recommend drafting and approving all policies required for your framework before moving on to the next step.
Multiple Approvals for Growth, Scale, and Enterprise Customers
You can designate multiple approvers for each policy.
Assign up to five steps of approval, with each step allowing up to three approvers.
This lets you involve key team members in the process, ensuring thorough review and sign-off before finalizing a policy.
3. Employee Acceptance
Steps for Employees to Accept Policies
Employees are required to accept assigned policies as part of their security tasks. The process is straightforward:
Log in to Vanta using your company credentials.
Navigate to the My Security Tasks section located in the left-side menu.
Policies requiring acceptance will be listed in this section.
Review and accept the policies one by one.
Once employees accept a policy, Vanta automatically updates the related policy acceptance test to “OK.” This ensures that both your document evidence (the approved policy file) and your test evidence (employee acceptance) are complete for audit readiness.
Alternatively, you can directly visit the designated onboarding page provided by your company, where policies and other onboarding tasks are listed for your review and acceptance. Notifications about required tasks will be sent via email or Slack, based on your company’s notification settings.
Once you have finished drafting and approving all policies, it’s time to set your personnel up in the Personnel Hub and assign them tasks, including reviewing and accepting policies. To get started, follow the Getting started with Personnel Hub guide. Once you have employee tasks configured to review and accept policies, you can monitor the status of employee acceptance for each policy on the Policies page and click to see which personnel have and have not yet accepted. New employees added to your Identity Provider (IdP) are immediately eligible to accept policies in Vanta, even before their official start date. This ensures that all hires are onboarded and compliant from their first day at work. For seamless operations, ensure that new employees have early access to Vanta through the IdP.
Notification and Reminder Management for Admins
Administrators play a key role in ensuring employees complete the policy acceptance process. The following actions can be implemented:
Enable Notifications: Turn on employee notifications in the Vanta settings. Notifications will automatically remind employees about pending security tasks, including policy acceptance, based on the reminder cadence set (e.g., weekly reminders). To manually remind a specific user, navigate to their profile on the People page and click on Remind.
Manual Access to Policies: As an alternative to automatic notifications, employees can be directed to the onboarding page to complete their tasks manually.
Customizing Policy Assignments to Groups
Vanta allows admins to assign policies to specific groups:
Configure onboarding group settings to determine which employees need to accept each policy.
Customize group-specific settings or default all policies to be accepted by all group members. This flexibility helps organizations efficiently manage diverse teams.
Troubleshooting Common Issues
Here are solutions to common challenges faced during policy acceptance workflows:
Inconsistent Task Status: If tasks like "Accept security policies" revert to incomplete, it might be due to the system not recognizing the acceptance state correctly. Ensure employees revisit the onboarding page to complete and save tasks.
Checklist Configuration Issues: If employees cannot see or accept certain policies, it could be due to checklist settings. Approve the policy and navigate to the checklist section to enable policies for the desired employee group.
Differentiating Agreements: Policy acceptance in Vanta does not replace the need for signed employee agreements, as these documents address different compliance controls.
Technical Notification Issues: If your organization received notifications regarding policy reacceptance due to technical issues (e.g., affecting policies from specific timelines such as July to August 2024), these serve as proactive communication. As long as the majority of users have accepted the policies, no further action is required. Policies created and accepted during the specified timeframe remain valid and compliant.
What’s Next?
Each year, you’ll need to review and re-approve your policies. You’ll be notified via email when it’s time. If there are material changes to your policy, we recommend you ask employees to re-accept them. When you create your new policy version, you’ll be asked to confirm whether the new policy version should be sent to employees for review and acceptance. On the Policies page, you’ll see the status of your policies change from OK to Renew soon (when renewal is coming up in the next six weeks). If you don’t renew in time, your policy status will change to Expired. For better alignment, you can update all policies at once and request users to reaccept them, ensuring that all policies will be due for renewal concurrently on the same date the following year. This approach facilitates an annual scheduled reacceptance process.
If policies are updated and need to be reaccepted, follow these steps:
During policy updates, select the option Yes, ask employees to reaccept this policy.
Vanta will automatically prompt employees to reaccept the updated policy based on your notification cadence.
If this option was not selected, reapprove the policy with the option enabled to ensure compliance.
The effective date of a policy in Vanta marks when it officially goes into effect for your organization. However, users can accept the policy at any point within the designated onboarding SLA to remain compliant. If there are uncertainties about specific compliance periods, it is recommended to consult directly with your auditor for tailored guidance.
Additional resources:
Vanta Academy: Creating & Managing Policies
Vanta Academy: Employee Onboarding
Live Training: Policy Writing Workshop
