What is a Policy?
Simply put, a policy outlines the rules and expectations your organization has in place to ensure compliance and security. A control (or a DCF within Drata) is used to enforce the policy and ensure those rules are being followed.
The goal is to have your policies in place so that the controls enforcing them operate effectively.
How Do I Write a Policy?
In this Edit Your Policy help article, we provide a comprehensive breakdown of how to develop your policies. Below are some points to consider when building a policy:
Purpose and Scope: Explain why the policy exists and who or what it covers (e.g., employees, contractors, systems).
Example: "This policy defines data access rules for employees using company systems."
Policy Statements (Rules and Expectations):
List clear rules about what’s required or prohibited.
Use present tense to describe what’s currently expected (e.g., "All users must enable MFA.").
Roles and Responsibilities: State who is responsible for enforcing, implementing, and reviewing the policy.
Example: "The IT team handles user account creation and removal."
Exceptions: Identify situations where the policy doesn’t apply or when exceptions can be granted.
Example: "Temporary access may be given to third-party vendors with prior approval."
Review and Approval: Specify how often the policy is reviewed (e.g., annually) and who approves it.
Where Can I Find My Policies?
In the 'Policy Center' on the Drata platform, you can view and download your policies, build or upload a policy, and delete unapproved policy versions.
Do I Have Access to All Policies?
You only have access to the policies associated with your purchased or enabled Framework(s). Please contact your Account Manager if you notice a discrepancy in the Frameworks you have enabled.
Do You Need to Acknowledge Policies on an Annual Basis?
Employees should acknowledge policies annually, even if no major updates have been made. This practice reinforces the standards they must consistently uphold to maintain compliance. If you think this step might not be required, consult with your auditor to avoid potential issues during the audit.
Should All Our Employees Acknowledge ALL Our Policies?
With Drata’s updated functionality to create groups of employees, assigning different groups to different policies can ease the lift of getting employees to read and acknowledge policies as part of the onboarding process. However, many still prefer or see it as a best practice to have all employees acknowledge all policies.
In this Policy Acknowledge Grouping help article, we have listed the groups of employees that we recommend review and acknowledge specific policies. These are our recommendations, but you may determine that additional employees and/or different groups are also appropriate for those policies based on your company’s unique facts and circumstances.
What's the Best Way to Approach Policy Reviews in Drata?
Here are the general steps for conducting policy reviews in Drata:
Navigate to the Policy Center in Drata.
Review each policy to ensure it's still accurate and up-to-date.
Update the renewal date, typically set for one year from the current date.
Assign a policy owner who will approve the policy.
Edit any necessary details in the Policy Builder, such as description or disclaimer.
Save your changes and submit the policy for approval.
The assigned owner should then review and approve the policy.
For more information on policy management, please leverage this help article: Approve and Publish your Policies.
Is It Possible to Consolidate Multiple Policies into a Single Document?
Policies can be consolidated into one document, but ensure each policy remains clear, comprehensive, and easy to reference for compliance purposes.
Are the Current Policies on Drata the Latest Policies?
Drata occasionally updates policy templates, but we will never modify your policies without your involvement. Additionally, we’ll always notify you in advance of any policy updates.
For your reference, you always have the option to use the latest version of a policy template. Once you approve a new version of a policy in your Policy Center, it will automatically be updated in your Trust Center. Any approved changes to a policy are seamlessly reflected in your Trust Center without the need for re-uploading.
Additionally, Drata updates controls and policies whenever major changes are made to relevant frameworks. However, it’s important for your organization to stay current with any necessary updates as well. You have the flexibility to modify your policies at any time.
For more information on policy management, please leverage this help article: Approve and Publish your Policies.
Additional Resources
Please refer to our Policy Center to access additional resources on policy management within Drata.
Working on building out your policies? Join our Policy Power Hour webinar on the 3rd Tuesday of each month to meet in real time with our Compliance Advisors and get your questions answered.