Policy Management
Complete guide to policy lifecycle: version control, approval workflows, employee attestations, conflict detection, and due-review tracking
Policy Management Overview
Effective policy management is a cornerstone of SOC 2, ISO 27001, HIPAA, and GDPR compliance. Our Policy Management module provides enterprise-grade tools for creating, approving, distributing, and tracking organizational policies.
📋 Compliance Requirements Addressed
- CC6.3 - Separation of duties for policy approval
- CC6.6 - Policy attestation & acknowledgment
- CC7.4 - Policy change management
- A.5.1 - Policies for information security
- A.5.2 - Review of policies
- A.7.2 - Information security awareness
Key Features
- Policy lifecycle: Draft → Under Review → Approved → Active → Archived
- Approval workflows: Multi-approver support with separation of duties
- Employee attestations: Track who has read and acknowledged each policy
- Version control: Track all changes with semantic versioning (1.0.0 → 1.1.0)
- Conflict detection: Automatic detection of policy contradictions
- Due-review tracking: Automated reminders for annual/quarterly reviews
Policy Lifecycle Workflow
Every policy follows a standardized lifecycle that ensures proper review, approval, and distribution:
- DRAFT: Initial policy creation. Only visible to the author and admins. Edit freely until ready for review.
- UNDER_REVIEW: Submitted for approval. Designated approvers can review and vote. Policy is locked from editing.
- APPROVED: All approvers have approved. Ready for activation. Can be rolled back if issues are found.
- ACTIVE: Published and in effect. Employees can view and attest. Subject to the due-review schedule.
- ARCHIVED: Policy retired or superseded. Retained for audit history (never deleted). Read-only access.
Creating & Managing Policies
Step 1: Navigate to Policy Library
- Go to Compliance Hub → Policies
- Or navigate directly to /compliance/policies
- Click "Create New Policy"
Step 2: Fill Required Fields
| Field | Description | Example |
|---|---|---|
| Title* | Policy name | Information Security Policy |
| Policy Type* | Category classification | PRIVACY, SECURITY, HR, LEGAL, COMPLIANCE, OPERATIONAL |
| Description* | Brief summary of policy purpose | Establishes baseline security controls... |
| Content* | Full policy text (Markdown supported) | Rich text with sections, bullet points |
| Review Frequency* | How often policy should be reviewed | ANNUAL, BIANNUAL, QUARTERLY, MONTHLY |
| Requires Attestation | Whether employees must acknowledge | Yes/No toggle |
| Department Owner | Responsible department | IT, Legal, HR, Finance |
| Related Controls | Link to SOC 2/ISO controls | CC6.3, A.5.1 |
Step 3: Assign Approvers
Before submitting for review, assign one or more approvers:
- Single Approver: Policy owner or department head
- Dual Approval: Author + Legal/Compliance (recommended for SOC 2)
- Committee Approval: Multiple stakeholders for high-impact policies
💡 Pro Tip: Separation of Duties
For SOC 2 CC6.3 compliance, the policy author must not be the sole approver. Always assign at least one additional approver who is not the author, so that no single person can both write a policy and approve it.
Approval Workflows
Our approval workflow ensures proper governance with full audit trail:
Submitting for Review
- Open your draft policy
- Click "Submit for Review"
- Confirm approvers are assigned
- Policy status changes to UNDER_REVIEW
- All approvers receive an email notification
Approver Actions
- Approve: Policy meets requirements. When all approvers have approved, status changes to APPROVED.
- Reject: Policy has issues. Returns to DRAFT status. The approver must provide a rejection reason.
Activating an Approved Policy
- Navigate to the approved policy
- Click "Activate Policy"
- Policy is now visible to all organization members
- If attestation required, employees receive notification
📧 Automatic Notifications
The system automatically sends emails when:
- Policy submitted for review (to approvers)
- Policy approved/rejected (to author)
- Policy activated (to organization members if attestation required)
- Policy due for review (to policy owner)
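The following Python sketch, added here as an illustration and not part of the platform's own code, models the lifecycle and approval rules described above as a state machine: only the transitions from the lifecycle diagram are allowed, a draft is locked once submitted, every designated approver must vote before the status changes to APPROVED, a rejection needs a reason, and a policy whose only approver is its author cannot be submitted (the separation-of-duties rule from the Pro Tip). Class, method and field names are assumptions.

```python
"""Policy lifecycle state machine with separation of duties.

Hypothetical illustration of the workflow on this page (DRAFT -> UNDER_REVIEW
-> APPROVED -> ACTIVE -> ARCHIVED); not the platform's code. Names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Allowed transitions; anything else is rejected, so a policy can never skip
# review or be edited while locked.
TRANSITIONS = {
    "DRAFT": {"UNDER_REVIEW"},
    "UNDER_REVIEW": {"APPROVED", "DRAFT"},  # back to DRAFT = rejected
    "APPROVED": {"ACTIVE", "DRAFT"},        # back to DRAFT = rolled back
    "ACTIVE": {"ARCHIVED"},
    "ARCHIVED": set(),                      # terminal, kept for audit history
}


class PolicyError(Exception):
    """Raised when a workflow rule is violated."""


@dataclass
class Policy:
    title: str
    author: str
    content: str
    approvers: set = field(default_factory=set)
    status: str = "DRAFT"
    approvals: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)  # append-only (actor, event, when)

    def _log(self, actor, event):
        self.audit_log.append((actor, event, datetime.now(timezone.utc).isoformat()))

    def _transition(self, actor, new_status, note=""):
        if new_status not in TRANSITIONS[self.status]:
            raise PolicyError(f"illegal transition {self.status} -> {new_status}")
        self._log(actor, f"{self.status} -> {new_status} {note}".rstrip())
        self.status = new_status

    def edit(self, actor, content):
        # Only drafts are editable; UNDER_REVIEW and later states are locked.
        if self.status != "DRAFT":
            raise PolicyError(f"policy is locked in status {self.status}")
        self.content = content
        self._log(actor, "edit")

    def submit_for_review(self, actor):
        if not self.approvers:
            raise PolicyError("assign at least one approver before submitting")
        # Separation of duties: the author may be one approver, never the only one.
        if self.approvers == {self.author}:
            raise PolicyError("author cannot be the sole approver")
        self.approvals.clear()
        self._transition(actor, "UNDER_REVIEW")

    def approve(self, approver):
        if self.status != "UNDER_REVIEW" or approver not in self.approvers:
            raise PolicyError(f"{approver} cannot approve this policy now")
        self.approvals.add(approver)
        self._log(approver, "approve")
        # Every designated approver must vote yes before the status changes.
        if self.approvals == self.approvers:
            self._transition(approver, "APPROVED")

    def reject(self, approver, reason):
        if self.status != "UNDER_REVIEW" or approver not in self.approvers:
            raise PolicyError(f"{approver} cannot reject this policy now")
        if not reason.strip():
            raise PolicyError("a rejection reason is required")
        self._transition(approver, "DRAFT", f"(rejected: {reason})")

    def activate(self, actor):
        self._transition(actor, "ACTIVE")

    def archive(self, actor):
        self._transition(actor, "ARCHIVED")


def demo_dual_approval() -> str:
    """Author + second approver: the author's own vote is not enough on its own."""
    p = Policy("Information Security Policy", author="alice", content="v1",
               approvers={"alice", "bob"})
    p.submit_for_review("alice")
    p.approve("alice")
    assert p.status == "UNDER_REVIEW"   # still waiting for bob
    p.approve("bob")
    p.activate("alice")
    return p.status                      # "ACTIVE"


def demo_sole_approver_blocked() -> bool:
    """A draft whose only approver is its author cannot even be submitted."""
    p = Policy("Access Control Policy", author="alice", content="v1", approvers={"alice"})
    try:
        p.submit_for_review("alice")
    except PolicyError:
        return True
    return False
```

The point of keeping the transition table separate from the methods is that a reviewer can audit the whole set of legal state changes in one place; the separation-of-duties check sits at submission time, so a policy with an inadequate approver set never reaches UNDER_REVIEW.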
Employee Attestations
Policy attestations prove employees have read and acknowledged company policies - a critical requirement for SOC 2 CC6.6 and ISO 27001 A.7.2.
Enabling Attestations
- When creating/editing a policy, toggle "Requires Attestation" to ON
- When policy is activated, employees see attestation prompt
- Employee must read policy and click "I Acknowledge"
- Timestamp and user ID recorded in audit log
Tracking Attestation Progress
View attestation metrics from the policy detail page:
- Total Employees: Organization member count
- Attested: Users who have acknowledged
- Pending: Users who have not yet acknowledged
- Attestation Rate: Percentage complete
📊 Audit Export
Export attestation records for SOC 2 auditors: Policy Detail → Attestations Tab → Export CSV
Attestation Data Recorded
- User ID & Email: Who attested
- Timestamp: When they attested (UTC)
- Policy Version: Which version they acknowledged
- Comments: Optional notes from employee
Version Control
Track all policy changes with semantic versioning. Every edit creates a new version record.
Version Numbering
- MAJOR (1.0.0 → 2.0.0): Breaking changes, new policy scope, significant rewrites
- MINOR (1.0.0 → 1.1.0): New sections, additional requirements, expanded scope
- PATCH (1.0.0 → 1.0.1): Typo fixes, clarifications, formatting changes
Viewing Version History
- Open the policy detail page
- Click the "Version History" tab
- View all previous versions with timestamps
- Click any version to view the historical content
- Compare versions side-by-side (diff view)
🔒 Immutable History
Version history is immutable for audit compliance. Previous versions cannot be deleted or modified. This ensures a complete audit trail for regulators and SOC 2 auditors.
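An added example (not the platform's code) of how MAJOR/MINOR/PATCH bumps, the append-only history and the re-attestation rule from the FAQ fit together: each attestation records the version the employee acknowledged, and only a MAJOR bump (or an explicit re-attestation request) clears existing attestations. Function and class names and the in-memory structure are assumptions.

```python
"""Semantic version bumps and the re-attestation rule.

Added illustration of the MAJOR/MINOR/PATCH scheme and the FAQ rule that only
a MAJOR bump invalidates attestations; not the platform's code. Names and the
in-memory history structure are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


def parse_version(v: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); rejects anything that is not three integers."""
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a semantic version: {v!r}")
    return tuple(int(p) for p in parts)


def bump(version: str, change: str) -> str:
    """Next version for a MAJOR, MINOR or PATCH change; lower components reset."""
    major, minor, patch = parse_version(version)
    if change == "MAJOR":
        return f"{major + 1}.0.0"
    if change == "MINOR":
        return f"{major}.{minor + 1}.0"
    if change == "PATCH":
        return f"{major}.{minor}.{patch + 1}"
    raise ValueError(f"unknown change type: {change!r}")


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass(frozen=True)  # frozen: a recorded version cannot be altered afterwards
class Version:
    number: str
    content: str
    change: str
    created_at: str


class PolicyHistory:
    """Append-only version history plus attestations keyed by version."""

    def __init__(self, initial_content: str):
        self._versions = [Version("1.0.0", initial_content, "INITIAL", _now())]
        self._attestations = {}  # user -> version number acknowledged

    @property
    def current(self) -> Version:
        return self._versions[-1]

    def versions(self) -> tuple:
        return tuple(self._versions)  # a copy; callers cannot delete history

    def publish(self, content: str, change: str, force_reattest: bool = False) -> str:
        """Append a new version. MAJOR (or force_reattest) clears all attestations;
        MINOR and PATCH leave them valid, as the FAQ describes."""
        number = bump(self.current.number, change)
        self._versions.append(Version(number, content, change, _now()))
        if change == "MAJOR" or force_reattest:
            self._attestations.clear()
        return number

    def attest(self, user: str) -> None:
        self._attestations[user] = self.current.number

    def attested_version(self, user: str):
        """Version the user acknowledged, or None if (re-)attestation is pending."""
        return self._attestations.get(user)

    def pending(self, employees) -> set:
        return {u for u in employees if u not in self._attestations}


def demo() -> dict:
    """PATCH and MINOR bumps keep attestations; a MAJOR bump forces everyone to re-attest."""
    staff = {"alice", "bob", "carol"}
    h = PolicyHistory("Retention: 7 years")
    for u in staff:
        h.attest(u)
    h.publish("Retention: 7 years (typo fixed)", "PATCH")                     # 1.0.1
    after_patch = len(h.pending(staff))                                      # 0
    h.publish("Retention: 7 years; new backup section", "MINOR")             # 1.1.0
    after_minor = len(h.pending(staff))                                      # 0
    alice_after_minor = h.attested_version("alice")                          # "1.0.0"
    h.publish("Retention: 10 years; scope now covers contractors", "MAJOR")  # 2.0.0
    after_major = len(h.pending(staff))                                      # 3
    return {"version": h.current.number, "after_patch": after_patch,
            "after_minor": after_minor, "alice_after_minor": alice_after_minor,
            "after_major": after_major, "attested_alice": h.attested_version("alice"),
            "history": len(h.versions())}
```

Recording the version number with each attestation is what makes the audit export meaningful: an auditor can see that an employee acknowledged 1.0.0 while 1.1.0 was current and judge for themselves whether the MINOR change warranted re-attestation.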
Conflict Detection
Our conflict detection algorithm identifies contradictions between policies to prevent compliance gaps.
How It Works
The system analyzes policies for:
- Regulatory Reference Overlaps: Same GDPR/SOC 2 control cited differently
- Contradictory Statements: e.g., "Retention: 7 years" vs "Retention: 3 years"
- Scope Conflicts: Same department with conflicting requirements
- Version Conflicts: Multiple active versions of similar policies
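To make the checks above concrete, here is a small detector, added as an example and not the platform's own algorithm, that runs two of them over constructed sample policies: it pulls quantitative "Key: value" statements out of each policy, normalizes time units so that "84 months" and "7 years" compare equal, flags pairs that disagree on the same key, and reports control IDs (in the CC6.3 / A.5.1 style used on this page) cited by both policies as a review item. The regexes, the unit table and the sample policies are assumptions.

```python
"""Toy policy conflict detector: contradictory statements and shared control references.

Added example, not the platform's algorithm. The statement pattern, the control-ID
regex, the unit table and the sample policies below are assumptions/constructed.
"""
import re

# Quantitative "Key: value" lines, e.g. "Retention: 7 years" or "Backup frequency: 24 hours".
STATEMENT_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z][A-Za-z ]{1,40}):\s*(?P<value>\d+(?:\.\d+)?\s*[A-Za-z]*)\s*$",
    re.MULTILINE)
# Control IDs in the forms used on this page: SOC 2 "CC6.3", ISO 27001 "A.5.1".
CONTROL_RE = re.compile(r"\b(?:CC\d+\.\d+|A\.\d+\.\d+(?:\.\d+)?)\b")
# Duration units in days so that "84 months" and "7 years" compare equal.
DAYS_PER_UNIT = {"hour": 1 / 24, "day": 1, "week": 7, "month": 365 / 12, "year": 365}


def normalize(value: str) -> str:
    """'7 years' -> '2555 days'; non-duration values are just lower-cased."""
    m = re.match(r"(\d+(?:\.\d+)?)\s*([A-Za-z]*)", value)
    num, unit = float(m.group(1)), m.group(2).lower().rstrip("s")
    if unit in DAYS_PER_UNIT:
        return f"{round(num * DAYS_PER_UNIT[unit], 6):.10g} days"
    return f"{num:.10g} {unit}".strip()


def extract_statements(text: str) -> dict:
    """{key: (raw value, normalized value)} for every quantitative statement."""
    out = {}
    for m in STATEMENT_RE.finditer(text):
        key = " ".join(m.group("key").lower().split())
        raw = " ".join(m.group("value").split())
        out[key] = (raw, normalize(raw))
    return out


def extract_controls(text: str) -> set:
    return set(CONTROL_RE.findall(text))


def find_conflicts(policies: dict) -> list:
    """policies: {policy_id: content of the ACTIVE version}. Returns conflict records
    in a deterministic order (pairs sorted by id, contradictions before overlaps)."""
    statements = {pid: extract_statements(txt) for pid, txt in policies.items()}
    controls = {pid: extract_controls(txt) for pid, txt in policies.items()}
    conflicts = []
    ids = sorted(policies)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            sa, sb = statements[a], statements[b]
            # Contradictory statements: same key, different value after normalization.
            for key in sorted(sa.keys() & sb.keys()):
                (raw_a, norm_a), (raw_b, norm_b) = sa[key], sb[key]
                if norm_a != norm_b:
                    conflicts.append({"type": "CONTRADICTION", "policies": (a, b),
                                      "key": key, "values": (raw_a, raw_b)})
            # Regulatory reference overlap: both policies cite the same control. Not a
            # contradiction by itself, but a prompt to check they describe it consistently.
            shared = controls[a] & controls[b]
            if shared:
                conflicts.append({"type": "REFERENCE_OVERLAP", "policies": (a, b),
                                  "controls": sorted(shared)})
    return conflicts


# Constructed sample policies (not real documents).
SAMPLE_POLICIES = {
    "data-retention": ("Data Retention Policy\nControls: A.5.1, CC6.3\n"
                       "Retention: 7 years\nBackup frequency: 24 hours\n"),
    "privacy-notice": "Privacy Policy\nControls: A.5.1\nRetention: 3 years\n",
    "backup-standard": ("Backup Standard\nRetention: 84 months\n"
                        "Backup frequency: 24 hours\nRestore test: 90 days\n"),
}

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_POLICIES):
        print(c)
```

On the sample data the detector flags the 7-year vs 3-year retention mismatch in two policy pairs and the shared A.5.1 citation, but not "84 months" against "7 years", which are the same period in different units. The normalization step is what separates a real contradiction from a formatting difference; without it, a detector produces noise that teams learn to ignore.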
Viewing Conflicts
- Navigate to Compliance Hub → Policies → Conflicts
- Or use the API: GET /api/compliance/policies/conflicts
- Review flagged policy pairs
- Click to view conflict details
- Resolve by editing one or both policies
⚠️ Conflict Resolution
Conflicts should be resolved before activating policies. Unresolved conflicts create compliance gaps that may be flagged during SOC 2 audits.
Due-Review Tracking
ISO 27001 A.5.2 and SOC 2 CC7.4 require regular policy reviews. Our system automates tracking and reminders.
Review Frequencies
| Frequency | Use Case | Reminder |
|---|---|---|
| ANNUAL | Most policies (default) | 30 days before due date |
| BIANNUAL | Security-critical policies (reviewed twice a year) | 30 days before due date |
| QUARTERLY | Rapidly changing areas (AI, cloud) | 14 days before due date |
| MONTHLY | High-risk operational procedures | 7 days before due date |
Viewing Due Reviews
- Navigate to Compliance Hub → Policies → Due for Review
- Or use the API: GET /api/compliance/policies/due-review
- View policies grouped by urgency (overdue, due this week, due this month)
- Click policy to start review process
📧 Automated Reminders
The system sends automated email reminders to policy owners when reviews are due. A daily cron job runs at 9:00 AM UTC to check for upcoming reviews and send notifications.
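An added example (not the platform's scheduler) of the due-review arithmetic: it derives the next review date from the last review and the frequency, applies the reminder lead times from the table, groups policies into overdue / due this week / due this month, and lists what the daily job would hand to the mailer. The interval lengths, the 7- and 30-day cut-offs for the urgency groups, and the sample policies are assumptions.

```python
"""Due-review dates, reminder windows and urgency grouping.

Added illustration of the review-frequency table and the overdue / due this week /
due this month grouping on this page; not the platform's scheduler. Interval
lengths, the 7- and 30-day urgency cut-offs and the sample data are assumptions.
"""
from datetime import date, timedelta

# Review interval and reminder lead time per frequency (lead times from the table above).
FREQUENCIES = {
    "ANNUAL":    {"interval_days": 365, "reminder_days": 30},
    "BIANNUAL":  {"interval_days": 182, "reminder_days": 30},
    "QUARTERLY": {"interval_days": 91,  "reminder_days": 14},
    "MONTHLY":   {"interval_days": 30,  "reminder_days": 7},
}


def next_review_date(last_reviewed: date, frequency: str) -> date:
    return last_reviewed + timedelta(days=FREQUENCIES[frequency]["interval_days"])


def reminder_due(last_reviewed: date, frequency: str, today: date) -> bool:
    """True from the start of the reminder window onward, including once overdue."""
    due = next_review_date(last_reviewed, frequency)
    return today >= due - timedelta(days=FREQUENCIES[frequency]["reminder_days"])


def urgency(due: date, today: date) -> str:
    if due < today:
        return "overdue"
    if due <= today + timedelta(days=7):
        return "due_this_week"
    if due <= today + timedelta(days=30):
        return "due_this_month"
    return "later"


def group_due_reviews(policies, today: date) -> dict:
    """Bucket policies the way the Due for Review page groups them; 'later' is omitted."""
    groups = {"overdue": [], "due_this_week": [], "due_this_month": []}
    for p in policies:
        bucket = urgency(next_review_date(p["last_reviewed"], p["frequency"]), today)
        if bucket in groups:
            groups[bucket].append(p["id"])
    return groups


def daily_job(policies, today: date) -> list:
    """What the daily 09:00 UTC job would compute: (owner, policy id, due date) for every
    policy inside its reminder window, ready to hand to the mailer."""
    return [(p["owner"], p["id"], next_review_date(p["last_reviewed"], p["frequency"]))
            for p in policies
            if reminder_due(p["last_reviewed"], p["frequency"], today)]


# Constructed sample data.
SAMPLE_POLICIES = [
    {"id": "infosec", "frequency": "ANNUAL", "last_reviewed": date(2024, 1, 15), "owner": "ciso@example.com"},
    {"id": "ai-use", "frequency": "QUARTERLY", "last_reviewed": date(2024, 11, 1), "owner": "cto@example.com"},
    {"id": "dr-runbook", "frequency": "MONTHLY", "last_reviewed": date(2024, 12, 25), "owner": "ops@example.com"},
    {"id": "access", "frequency": "BIANNUAL", "last_reviewed": date(2024, 9, 1), "owner": "it@example.com"},
]


def demo(today: date = date(2025, 1, 20)) -> dict:
    """Group the sample policies and list who the daily job would notify on a fixed day."""
    return {"groups": group_due_reviews(SAMPLE_POLICIES, today),
            "notify": [pid for _, pid, _ in daily_job(SAMPLE_POLICIES, today)]}


if __name__ == "__main__":
    print(demo())
```

Note that the reminder window and the urgency buckets are deliberately separate: a MONTHLY policy due in six days is already "due this week" but only enters its 7-day reminder window the following day, while an overdue policy stays in the reminder set until it is reviewed, so the owner keeps getting the daily notice.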
❓ Frequently Asked Questions
Q: Can I delete a policy?
A: Policies cannot be permanently deleted for audit compliance. Instead, archive the policy by changing its status to ARCHIVED. This preserves the audit trail while removing it from active use.
Q: What happens when I update an active policy?
A: Editing an active policy creates a new draft version. The original remains active until the new version goes through the approval workflow. This ensures policies are never in an undefined state.
Q: Do attestations reset when a policy is updated?
A: For MAJOR version changes (1.0.0 → 2.0.0), yes - employees must re-attest. For MINOR/PATCH changes, existing attestations remain valid unless you specifically require re-attestation.
Q: Can I link policies to SOC 2 or ISO 27001 controls?
A: Yes! Use the "Related Controls" field when creating/editing a policy. Enter control IDs like CC6.3, A.5.1, etc. These are included in compliance package exports.
Q: How do I export policies for auditors?
A: Use the compliance package export: Compliance Hub → Export → Include Policies. This generates a ZIP file with all active policies, version history, approval records, and attestation logs in auditor-friendly format.
Q: Who can create and edit policies?
A: Users with Owner, Admin, or Member roles can create policies. Only the policy author, Owners, and Admins can edit policies. Viewers can only read active policies.