Security Posture Best Practices

Understanding Policies


What is policy generation, who creates policies, and why do we need them?

  • Policy generation is the process of writing and implementing the information security rules your organization commits to follow. Policies touch every business area, so creating them is a cross-team effort that needs input from stakeholders across Operations, Engineering, HR, and Legal/Compliance. Policies:
    • Express the will and expectations of management
    • Are required by every security standard (ISO 27001, SOC 2, HIPAA, PCI DSS)
    • Formally establish the controls and SLAs that KPIs are built on
    • Act as a guideline for decision making
    • Are the foundation for consistency and repeatability as your organization grows
    • Increase employee engagement and promote transparency in the organization


Vanta's approach 

  • Vanta provides templates for all the policies required or recommended by each supported Standard (SOC 2, ISO 27001, HIPAA, PCI, etc.), so you don't have to start from scratch. Policies are not one-size-fits-all, so we encourage customers to read through the templates and adapt each procedure to their internal workflow. Templates are a starting point, not a finished product. The customization should be done internally: you know your organization best, and you know which rules your organization can realistically commit to.


  • When writing your company's policies, the question should not be "what's required for SOC 2?" but "what does my organization need to do to manage customer data securely and reduce security risk?" In other words, think more broadly about why you're writing these policies in the first place and keep the larger goal in mind: to be more secure than you are today.


  • Auditors want to see that you have policies in place and that they are actually put into practice; a policy that describes a process nobody follows is a finding, not a control. We recommend reviewing our policy templates and comparing them with how you operate today. What improvements can be made that are achievable and will be accepted by your organization? Your policies can always be modified, and the major compliance standards expect them to be reviewed at least annually, so they are not set in stone.


Improving your security policies and procedures is a continuous effort, especially for start-ups. Here are a few quick tips:

  • Keep it simple. Clear, concise policies are critical to employee adherence.
  • Don't overcommit. Only write down what you will actually do, because auditors test the gap between what a policy says and what the evidence shows.
  • Review our Standards page to see how each policy maps to the corresponding control in each standard and why you need it in place for your audit.
