Policy Library
The Policy Library is the central repository for all security policies. Each policy follows a structured lifecycle from Draft through Published, with full version control, document management, and strategic alignment.
The Policy Library connects to Policy Requests for formal submissions, Content Digestion for control extraction, Enforcement for compliance monitoring, and Security Direction for strategy linking.
Policy list view
Navigate to Policy Lifecycle to access the Policy Library. The list view displays a PolicyStatsBar at the top with counts by status, giving you a quick overview of your policy portfolio.
The list supports the following controls:
- View mode toggle — Switch between list and card views
- Status filter — Filter by lifecycle status (Draft, Published, etc.)
- Category filter — Filter by policy category
- Strategy filter — Filter by linked strategy
Two creation paths are available from the list view: New Request opens the formal request workflow for policy changes, and New Policy creates a policy directly in Draft status.
Policy categories
| Category | Description |
|---|---|
| Security | General information security policies |
| Privacy | Data privacy and protection policies |
| HR | Human resources security policies |
| IT | Information technology operational policies |
| Compliance | Regulatory and compliance policies |
| Safety | Physical and personnel safety policies |
| Code of Conduct | Employee behavior and ethics policies |
| Data Protection | Data handling, classification, and retention policies |
| Access Control | Identity, authentication, and authorization policies |
| Incident Response | Incident detection, response, and recovery policies |
| Other | Policies that do not fit standard categories |
Creating a policy
Navigate to the Policy Library
Open Policy Lifecycle and click New Policy to create a policy directly.
Fill in the policy form
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive name for the policy |
| Description | No | Summary of the policy’s purpose and scope |
| Category | Yes | Select from the categories listed above |
| File upload | No | Upload the policy document (PDF, DOCX) |
| AI assistance | No | Toggle to enable AI-assisted drafting |
Save the policy
Click Save to create the policy. It is created with DRAFT status and appears in the Policy Library.
Lifecycle statuses
| Status | Description |
|---|---|
| DRAFT | Initial creation state. The policy is editable and not visible to the organization. |
| INITIATED | A request has been submitted to move this policy through the review process. |
| UNDER_REVIEW | The policy is currently being reviewed by assigned approvers. |
| APPROVED | The policy has been approved but is not yet published to the organization. |
| PUBLISHED | The policy is active and enforceable. Enforcement monitoring is available. |
| RETIRED | The policy is no longer active. It remains in the library for historical reference. |
Policy detail page
Each policy has a 10-tab detail view that provides comprehensive management capabilities.
- Instruction — Guidance for working with this policy, including review procedures and handling notes.
- Overview — Summary information, metadata, linked strategy, and referenced standards.
- Policy Document — The actual policy content with version tracking and document hash verification.
- Reviews — Review history and scheduled review cycles for the policy.
- RACI Matrix — Responsible, Accountable, Consulted, and Informed assignments for the policy.
- Content Digestion — AI-powered control extraction from the policy document. See Content Digestion for details.
- Controls — Mapped controls and their implementation status. See Control Mapping for details.
- Enforcement — Compliance monitoring for published policies. See Enforcement for details.
- Issues — Linked compliance incidents and issues identified against this policy.
- History — Complete audit trail of all actions taken on this policy via PolicyActivity records.
Version control
Policies track a documentVersion and documentHash for integrity verification. Each time the policy document is updated, a new version entry is created. The document hash allows you to verify that the published document has not been altered since approval.
Strategy and standards linking
Policies can be linked to a Strategy from Security Direction to show alignment between policy decisions and organizational security goals. Policies can also reference external standard IDs for framework alignment (e.g., ISO 27001 controls, NIST CSF categories), connecting your internal policies to recognized security frameworks.
Permissions
| Permission | Description |
|---|---|
| policy:manage | Create, edit, and manage policies in the library |
| policy:read | View policies and their details |