Getting Started with Policies


What are Policies?

Security policies guide how your organization protects valuable information and technology assets from unauthorized access or harm by detailing the expected behavior (i.e., controls) of your organization. They create a framework for keeping data confidential, accurate, and available, guarding against security threats and risks.
Think of compliance frameworks, like SOC 2, as the overarching rulebook. Controls are the written rules for adhering to the framework. Policies are the written pages of instructions on how your company will mitigate security risk, ensure regulatory compliance, and protect important information like customer data.

How Policies Help You Get Audit-ready

Auditors want to see how your organization adheres to the framework’s controls and how you’re doing that; security policies outline this information. To be audit-ready, the policies necessary for the framework you’re pursuing must be approved (by the relevant authority at your company) and accepted by relevant employees. Vanta provides templates created and maintained by security experts to help you create all the policies you’ll need. These templates are automatically reflected on your Policies page. For example, we have 15 policy templates to help you get SOC 2 compliant. Many of these same policies are also required for other frameworks like ISO 27001.

In Vanta, policies, controls, and tests all connect to help you get ready for your audit:

  • Controls represent the rules your organization needs to follow to manage and mitigate security risk.
  • Policies are the written instructions for how your company is meeting these controls.
  • Tests provide evidence of compliance and show whether a control is being adhered to.

In Vanta, each policy is tied to two tests: (1) a test that checks whether the policy is approved and (2) a test that checks whether all relevant employees accept the policy. Certain Vanta controls will not be met until these two policy tests are passed (i.e., in OK status). For example, the SOC 2 control “Continuity and Disaster Recovery plans established” depends on your company having an approved Business Continuity and Disaster Recovery Plan that your employees accept.

1. Set up your policies in Vanta

Setting up your policies in Vanta involves drafting security policies that your company does not yet have in place and importing any existing policies you do have.

a. Draft policies with Vanta templates

Vanta provides out-of-the-box templates aligned to framework requirements and industry best practices to help you quickly create the necessary policies. Our Policy Builder tool (available for all SOC 2 policies and ISO 27001:2022 policies) guides you through drafting policies using our templates and customizing Vanta’s policy template language to your unique business. If you’re pursuing other frameworks that are not yet supported in Policy Builder, we still provide all the policy templates you’ll need.

One person commonly takes the lead on drafting policies (often the Vanta admin). You need no specific background or expertise to start drafting your policies. However, you may need to reach out to other stakeholders at your company to review and confirm specific policy content before you’re ready to finalize your draft. If you need additional help or information on this process, register here for an upcoming Policy Workshop, where we will guide you through creating, editing, and managing policies in Vanta. You’ll also have the opportunity to ask a Vanta policy expert questions.

You have everything you need to get started! Take our 60-second product tutorial on drafting policies with Vanta, and then go to Policies to begin your first policy (you can sort the list by our recommended order). On average, it took Vanta users 2-6 minutes to draft a policy using Policy Builder!

b. Import existing policies

If you have any existing policies, you can import them instead of using Vanta’s templates. Go to Policies, select the policy that best matches the content of the policy you’re importing, and click Import. You can either import a file from your computer or sync from a supported app (Google Drive, Confluence, SharePoint). Alternatively, if you can’t find a policy in our list that matches the one you’re importing, you can use the Add a custom policy option. We recommend matching an existing policy in the list where possible, as it’s quicker to set up, but if you’re using Add a custom policy, refer to these instructions.

2. Approve Policies

Once your draft is complete, you’ll be prompted to submit it for approval; this happens for each policy you draft or import. First, you’ll be asked to select the approver of your policy. Approvers can be anyone at your company (including yourself) with Admin or Editor status in Vanta. Still, we recommend that the approver be the person in charge of enforcing the policy, who can answer questions about it (e.g., if your auditor has questions about the policy during the audit). Once submitted for approval, that individual will be notified via email to review the draft and confirm approval. Once approved, the status of your latest policy version will move from Pending Approval to Approved on the Policies page. We recommend you draft and approve all policies required for your framework before proceeding to the next step.

3. Employee Acceptance

Have you finished drafting and approving all policies? It’s time to set your personnel up in the Personnel Hub and assign them tasks, including reviewing and accepting policies. To get started, follow the Getting started with Personnel Hub guide. Once you have employee tasks configured to review and accept policies, you can monitor the status of employee acceptance for each policy on the Policies page and click through to see which personnel have and have not yet accepted.


What’s Next?

Each year, you’ll need to review and re-approve your policies. You’ll be notified via email when it’s time. If there are material changes to your policy, we recommend you ask employees to re-accept it. When you create your new policy version, you’ll be asked to confirm whether the new policy version should be sent to employees for review and acceptance. On the Policies page, you’ll see the status of your policies change from OK to Renew soon when renewal is coming up in the next six weeks. If you don’t renew in time, your policy status will change to Expired.

A “material” policy change defines a new scope, includes a new control, or substantially changes the technology or processes used within the policy's scope (e.g., a new antivirus, change management process, or incident response plan).
For more information: