What are Policies?
Security policies guide how your organization protects valuable information and technology assets from unauthorized access or harm by detailing the expected behavior (i.e. controls) of your organization. They create a framework for keeping data confidential, accurate, and available, guarding against security threats and risks.
Think of compliance frameworks, like SOC 2, as the overarching rulebook. Controls are the written rules for adhering to the framework. Policies are the written pages of instructions on how your company will mitigate security risk, ensure regulatory compliance, and protect important information like customer data.
How Policies Help You Get Audit-ready
Auditors want to see which of the framework’s controls your organization adheres to and how you’re doing so; security policies document this information. To be audit-ready, the policies required by the framework you’re pursuing must be approved (by the relevant authority at your company) and accepted by the relevant employees. Vanta provides templates created and maintained by security experts to help you create all the policies you’ll need. These templates are automatically reflected on your Policies page. For example, we have 15 policy templates to help you get SOC 2 compliant. Many of these same policies are also required for other frameworks like ISO 27001.
In Vanta, policies, controls, and tests all connect to help you get ready for your audit:
- Controls represent the rules your organization needs to follow to manage and mitigate security risk.
- Policies are the written instructions for how your company is meeting these controls.
- Tests provide evidence of compliance and show whether a control is being adhered to.
In Vanta, each policy is tied to two tests: (1) a test that checks whether the policy is approved and (2) a test that checks whether all relevant employees accept the policy. Certain Vanta controls will not be met until these two policy tests are passed (i.e., in OK status). For example, the SOC 2 control, “Continuity and Disaster Recovery plans established,” depends on your company having an approved Business Continuity and Disaster Recovery Plan, which your employees accept.
1. Set up your policies in Vanta
Setting up your policies in Vanta involves drafting security policies that your company does not yet have in place and importing any existing policies you do have.
a. Draft policies with Vanta templates
Vanta provides out-of-the-box templates aligned to framework requirements and industry best practices to help you quickly create the necessary policies. Our Policy Builder tool (available for all SOC 2 policies and ISO 27001:2022 policies) guides you through drafting policies using our templates and customizing Vanta’s policy template language to your unique business. If you’re pursuing other frameworks that are not yet supported in Policy Builder, we still provide all the policy templates you’ll need.
One person commonly takes the lead on drafting policies (often the Vanta admin). You need no specific background or expertise to start drafting your policies. However, before finalizing a draft, you may need to reach out to other stakeholders at your company to review and confirm specific policy content. If you need additional help or information on this process, register here for an upcoming Policy Workshop, where we will guide you through creating, editing, and managing policies in Vanta. You’ll also have the opportunity to ask a Vanta policy expert questions.
You have everything you need to get started! Take our 60-second product tutorial on drafting policies with Vanta, and then go to Policies to begin your first policy (you can sort the list by our recommended order). On average, it took Vanta users 2-6 minutes to draft a policy using the Policy Builder!
b. Import existing policies
If you have any existing policies, you can import these instead of using Vanta’s templates. Go to Policies, select the policy that best matches the content of the policy you’re importing, and click Import. You can either import a file from your computer or sync from a supported app (Google Drive, Confluence, SharePoint). Alternatively, if you can’t find a policy in our list that matches the policy you’re importing, you can use the Add a custom policy option. We recommend the former option as it’s quicker to set up, but if you’re using Add a custom policy, refer to these instructions.
2. Approve Policies
Approving your policies in Vanta is an important step to confirm your organization’s compliance posture. If you import a policy into Vanta, you can also set historical approvers and approval dates to track the policy’s timeline. If Vanta AI is enabled for your account, Vanta can automatically extract this information for you, making the process faster.
How to Approve Policies
- Submit the policy for approval: After drafting or importing a policy, select Submit to begin the approval process.
- Select the approver: Approvers can be anyone at your company (including yourself) with Admin or Editor status in Vanta. We recommend selecting the individual who enforces the policy and can answer questions during an audit.
- Await approval: Once you submit the policy for approval, the approver is notified via email. They will review the draft and confirm approval in Vanta.
- Check status: Once approved, your new policy version will move from Pending Approval to Approved on the Policies page.
We recommend drafting and approving all policies required for your framework before moving on to the next step.
Multiple Approvals for Growth, Scale, and Enterprise Customers
- You can designate multiple approvers for each policy.
- Assign up to five steps of approval, with each step allowing up to three approvers.
- This lets you involve key team members in the process, ensuring thorough review and sign-off before finalizing a policy.
3. Employee Acceptance
Have you finished drafting and approving all policies? It’s time to set your personnel up in the Personnel Hub and assign them tasks, including reviewing and accepting policies. To get started, follow the Getting started with Personnel Hub guide. Once you have employee tasks configured to review and accept policies, you can monitor the status of employee acceptance for each policy on the Policies page and click through to see which personnel have and have not yet accepted it.
What’s Next?
Each year, you’ll need to review and re-approve your policies. You’ll be notified via email when it’s time. If there are material changes to your policy, we recommend you ask employees to re-accept them. When you create your new policy version, you’ll be asked to confirm whether the new policy version should be sent to employees for review and acceptance. On the Policies page, you’ll see the status of your policies change from OK to Renew soon (when renewal is coming up in the next six weeks). If you don’t renew in time, your policy status will change to Expired.
A “material” policy change defines a new scope, includes a new control, or substantially changes the technology or processes used within the policy's scope (e.g., a new antivirus, change management process, or incident response plan).
- Vanta Academy: Creating & Managing Policies
- Vanta Academy: Employee Onboarding
- Live Training: Policy Writing Workshop