
Policies & Procedures

The Policies module manages your organization's security and compliance policies through their full lifecycle — from initial drafting through review, ratification, publication, and employee acknowledgment. Each policy tracks its review cadence, version history, framework control mappings, and acknowledgment status across your workforce.

Overview

Access from Compliance → Policies in the sidebar. The page has six tabs: Table, Upcoming Reviews, Roadmap, Policy Status, Acknowledgments, and Review Settings.

Policies table showing stat cards (Total 12, Ratified 0, In Review 1, Draft 1, Not Started 0, Needs Update 1, Suggested 0, Overdue Reviews 0), filter bar, and policy table with document name, policy type, location, owner, status, next review date, and product columns

Summary Statistics

The top bar shows live counts by lifecycle status:

  • Total — All policies in your library
  • Ratified — Approved by leadership, pending publication
  • In Review — Under stakeholder review
  • Draft — Being written or revised
  • Not Started — Acknowledged but drafting hasn't begun
  • Needs Update — Published but flagged for revision
  • Suggested — Recommended by the platform but not yet started
  • Overdue Reviews — Past their scheduled review date

Click any stat card to filter the table.

Table View

The default table shows all policies with sortable columns:

  • Document Name — Policy title (click to open sidecar)
  • Policy Type — Category with color-coded badge
  • Document Location — External URL to the canonical policy document
  • Owner — Assigned policy owner (inline editable)
  • Status — Lifecycle status with color-coded badge (inline editable)
  • Next Review Date — When the policy is next due for review (color-coded: red if overdue, amber if within 30 days)
  • Product — Org-wide or product-scoped

Use the filter bar to search by text, filter by policy type, status, owner, or product.

Upcoming Reviews

Upcoming Reviews tab showing stat cards (Total Ratified 9, Overdue 0, Within 30 Days 0, Within 90 Days 2) and a review schedule table sorted by next review date

The Upcoming Reviews tab surfaces policies due for review, sorted by review date. The top bar shows:

  • Total Ratified — Policies currently in published/ratified status
  • Overdue — Reviews past their deadline
  • Within 30 Days — Reviews coming up in the next month
  • Within 90 Days — Reviews coming up in the next quarter

Review dates are color-coded by urgency. This view helps you plan review cycles and prevent policies from falling overdue.

Roadmap

Roadmap tab showing a Gantt-style timeline grouped by policy type (Information Security Program, Compliance Program, Incident Response Program, Business Continuity) with status badges and monthly columns from May 2026 to April 2027

The Roadmap tab provides a Gantt-style timeline view of all policies grouped by type. Each row shows the policy name, current status badge, and a timeline bar spanning its review period. This gives a visual overview of your policy calendar and helps identify gaps or overlapping review windows.

Policy Status

Policy Status Kanban board with six columns (Suggested 0, Not Started 0, Draft 1, In Review 1, Ratified 0, Published 9) showing policy cards with owner and type badge

The Policy Status tab is a Kanban board showing policies in six lifecycle columns: Suggested, Not Started, Draft, In Review, Ratified, and Published. Each card shows the policy name, owner, and policy type badge. Drag cards between columns to change status.

Acknowledgments

Acknowledgments tab showing stat cards (Total Sent 19, Acknowledged 14, Pending 5, Expired 0), search and filter bar, Export CSV button, and acknowledgment table with recipient name/email, policy, type, status (Done/Pending), sent date, and acknowledged date

The Acknowledgments tab tracks employee policy acknowledgments across all policies. The top bar shows:

  • Total Sent — Total acknowledgment requests sent
  • Acknowledged — Completed acknowledgments
  • Pending — Outstanding acknowledgments awaiting employee action
  • Expired — Acknowledgments past their expiration

Filter by recipient name/email, acknowledgment type (Internal or External), or specific policy. Click Export CSV to download the full acknowledgment report.

Each row shows the recipient (name and email), linked policy, type (Internal for platform users, External for non-platform recipients), status (Done or Pending), sent date with sender name, and acknowledged date.

Review Settings

The Review Settings tab configures default review behavior for your policy program, including default review cadence and reminder settings.

Working with Policies

Click any policy row to open the detail sidecar with six tabs.

Details Tab

Policy sidecar Details tab showing Policy Information (policy type, status, document location URL, product scope), Ownership and Review (owner, next review date, review cadence Annual, approval steps)

Policy Information:

  • Policy Type — Information Security Program, Compliance Program, Incident Response Program, or Business Continuity
  • Status — Current lifecycle status dropdown
  • Location — External URL to the canonical document (e.g., Google Docs, SharePoint, Confluence)
  • Product — Organization-wide or scoped to a specific product

Ownership & Review:

  • Owner — Person responsible for this policy
  • Next Review Date — When the policy is next due for review (auto-calculated from review cadence)
  • Review Cadence — How often the policy should be reviewed: Monthly, Quarterly, Semi-Annual, or Annual
  • Approval Steps — Free text describing the approval workflow (e.g., "Legal review, CISO sign-off, Board approval")

Document Tab

Document tab showing rich text editor with formatting toolbar (headings, bold, italic, underline, strikethrough, links, lists, code blocks, tables), Import and AI Review buttons, word count, and file attachments area with drag-and-drop upload

The Document tab provides a rich text editor for writing and editing the policy document. The toolbar includes:

  • Formatting — Headings, bold, italic, underline, strikethrough, highlight
  • Structure — Bullet lists, numbered lists, blockquotes, horizontal rules
  • Content — Links, code blocks, tables
  • Actions — Undo/redo, Import, AI Review
  • View — Search, outline view, fullscreen editing

Import uploads an existing document (DOCX, TXT) and converts it to the editor format. AI Review sends the policy content to Claude for a compliance review — the AI checks for completeness, suggests improvements, and flags gaps based on your compliance frameworks.

Attachments — Upload supporting files (PDF, DOCX, TXT, JSON, PNG, JPG, CSV, XLSX — max 25 MB) as reference materials for this policy.

The word count displays at the bottom of the editor.

Controls Tab

Controls tab showing Supporting Controls section with Link Control button, Suggest Framework Controls AI button, and Framework Mappings section with SOC 2 (3 linked controls with status badges), HIPAA (1 linked control), ISO27001 and ISO 42001 sections with Link Control buttons

Supporting Controls: Link recurring activities that support this policy. Click + Link Control to search and attach existing recurring controls.

Suggest Framework Controls: Click to run AI-powered matching. The system analyzes the policy name and content to recommend relevant framework controls.

Framework Mappings: View and manage which framework controls this policy supports, grouped by framework. Each linked control shows its ID, title, and implementation status badge. Click + Link Control under any framework to search and attach controls.

Approvals Tab

Approvals tab showing Review Comments section with comment input, Revision Notes section with note input and Add Note button, and Required Tasks section with task input

Review Comments: A threaded comment system for policy review discussions. Add comments, reply to threads, and mark comments as resolved. The comment count and "Show resolved" toggle help track review progress.

Revision Notes: Add notes about planned revisions, audit feedback, or change requests. Each note is timestamped and attributed to its author.

Required Tasks: Create and track tasks associated with this policy review — action items for the policy owner or reviewers to complete before the policy can advance.

Acknowledgments Tab

View and manage acknowledgment status for this specific policy. Send acknowledgment requests to internal users or external recipients (via email). Track who has acknowledged and who is pending. Resend reminders for outstanding acknowledgments.

History Tab

  • Version History — Track policy versions with diff comparison between versions
  • Audit History — Changelog of all field modifications, status changes, and review actions

Creating Policies

Click + New Policy to create a new policy. Fill in the document name (required), policy type, and owner. The policy opens in the sidecar in Draft status, ready for content authoring in the Document tab.

AI-Suggested Policies

When you enroll in a compliance framework, the platform may suggest policies that are commonly required. Suggested policies appear in the Suggested status and can be started with a click — the system pre-fills the policy name and type based on framework requirements.

Policy Lifecycle

SUGGESTED → NOT_STARTED → DRAFT → IN_REVIEW → RATIFIED → PUBLISHED
                            │                                │
                            └←←←←←←←←← NEEDS_UPDATE ←←←←←←←←←┘

| Status | Description |
| --- | --- |
| Suggested | Recommended by the platform based on framework requirements |
| Not Started | Acknowledged but drafting hasn't begun |
| Draft | Being written or revised |
| In Review | Sent for stakeholder review |
| Ratified | Approved by leadership, pending publication |
| Published | Live and available to employees |
| Needs Update | Published but flagged for revision (returns to Draft) |
| Review Overdue | Past its scheduled review date |

Policy Types

| Type | Use For |
| --- | --- |
| Information Security Program | Core infosec policies (access control, encryption, data classification, acceptable use) |
| Compliance Program | Framework-specific compliance policies (HIPAA privacy, risk management) |
| Incident Response Program | IR plans and response procedures |
| Business Continuity | BC/DR plans and recovery procedures |

Review Cadence

| Cadence | Frequency |
| --- | --- |
| Monthly | Every month |
| Quarterly | Every 3 months |
| Semi-Annual | Every 6 months |
| Annual | Once per year |

When a policy's review date arrives, its status is flagged as Review Overdue until the policy is reviewed and re-ratified. The Upcoming Reviews tab surfaces policies approaching their review date.
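
The cadence table and the Upcoming Reviews buckets, worked through as an added Python example for checking a review schedule independently; it is not the platform's code. The function names, the "Later" bucket and the sample policies are constructed, and counting the cadence from the last review date and placing each policy in only its most urgent bucket are assumptions.

```python
import calendar
from datetime import date

# Months between reviews, taken from the Review Cadence table.
CADENCE_MONTHS = {"Monthly": 1, "Quarterly": 3, "Semi-Annual": 6, "Annual": 12}


def next_review_date(last_review, cadence):
    """Assumption: the cadence is counted from the last completed review."""
    index = last_review.month - 1 + CADENCE_MONTHS[cadence]
    year, month = last_review.year + index // 12, index % 12 + 1
    # Jan 31 + 1 month has no Feb 31: clamp to the last day of that month.
    day = min(last_review.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def review_bucket(next_review, today):
    """Return the most urgent Upcoming Reviews bucket for one policy."""
    # Assumptions: overdue only once the date has passed; one bucket per policy.
    days_left = (next_review - today).days
    if days_left < 0:
        return "Overdue"
    if days_left <= 30:
        return "Within 30 Days"
    if days_left <= 90:
        return "Within 90 Days"
    return "Later"


def review_schedule(policies, today):
    """Return (name, next review date, bucket) rows sorted by review date."""
    rows = []
    for name, last_review, cadence in policies:
        due = next_review_date(last_review, cadence)
        rows.append((name, due, review_bucket(due, today)))
    return sorted(rows, key=lambda row: row[1])


# Constructed sample inventory: (policy name, last review date, cadence).
SAMPLE = [
    ("Access Control Policy", date(2025, 6, 15), "Annual"),
    ("Incident Response Plan", date(2026, 1, 31), "Monthly"),
    ("Data Classification Policy", date(2025, 11, 30), "Semi-Annual"),
    ("Business Continuity Plan", date(2026, 3, 1), "Quarterly"),
]

if __name__ == "__main__":
    for name, due, bucket in review_schedule(SAMPLE, date(2026, 5, 1)):
        print(f"{due}  {bucket:<15} {name}")
```

The month-end clamp matters for short cadences: a Monthly policy last reviewed on January 31 comes due on the last day of February, not in March.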

Employee Acknowledgment

Published policies can require employee acknowledgment:

  1. Send acknowledgments from the policy's Acknowledgments tab — select internal users or enter external email addresses
  2. Internal recipients see pending acknowledgments in the Employee Portal under the Policies module
  3. External recipients receive an email with a magic link to acknowledge
  4. Track completion in the Acknowledgments page tab — filter by status, policy, or recipient type
  5. Export the full acknowledgment report as CSV for audit evidence

Acknowledgments have an expiration window. Expired acknowledgments are tracked separately and may need to be re-sent.

AI Features

AI Review

In the Document tab, click AI Review to have Claude analyze the policy content. The AI evaluates the policy against your enrolled compliance frameworks and provides feedback on completeness, clarity, and potential gaps.

Framework Control Suggestions

In the Controls tab, click Suggest Framework Controls to discover which controls across enrolled frameworks this policy helps satisfy.

Import & Export

Import

Click Import in the Document tab to upload an existing policy document (DOCX, TXT). The content is converted and loaded into the rich text editor.

Export

Policies can be exported from the rich text editor or downloaded as their original uploaded attachment format.