Effective policy management is essential for maintaining compliance and operational efficiency within an organization. This guide provides detailed steps for approving, renewing, and updating policies.
Prerequisites
Admins, policy managers, and information security leads have access to create, approve, and update policies within Drata.
Approve a policy
Note: Personnel can only view an approved policy during their onboarding. The owner of the policy is the only one who can approve a policy.
Once a policy is approved, it cannot be deleted but can be archived.
Within the Policy Center, under the Approved On column, if you are the policy owner, select the green button labeled "Approve" to approve the policy. If there is no Approve button, you can verify who the policy owner is.
After selecting the button, you are prompted with a double confirmation modal. Verify the renewal date for this policy.
Current renewal date: Select a date to review or update if necessary for this policy.
Renew a policy
Renewing your policies can vary depending on the needs of your compliance program. Here are some options to consider when managing a policy that is up for renewal.
For frameworks that require a policy to be reviewed on a certain cadence:
Review the policy to ensure it is accurate and up to date.
Select the next renewal date for when a review is required.
Update the policy to save your changes and select "This is NOT a material change" when prompted.
For frameworks that require a policy to be reviewed and acknowledged by your personnel on a certain cadence:
Review the policy to ensure it is accurate and up to date.
Select the next renewal date for when your personnel must acknowledge the policy.
To learn more about the renewal date, go to Policy Renewal Date.
Update the policy to save your changes and select "This is a material change" when prompted.
Receive approval from the policy owner.
Notify your personnel to acknowledge the policy (or policies) through Drata or your own methods.
Update a policy
To prepare for an audit, you need to have policies in place that are approved by management and accepted by your personnel annually. Once your first version of the policy is in place, you may need to make material changes and request personnel to re-accept them.
To edit a policy, select the edit icon next to the desired policy.
Once you complete your edits, select Save changes. Then select whether this is a material change.
If you indicate that this is a material change, additional fields will appear in the modal. You can explain your changes and update your policy renewal date.
IMPORTANT: If you are opted in to send an email to personnel, this explanation will appear in the email.
The policy owner will be prompted to approve the policy version and will have the option to send an email notification to their personnel, informing them of the changes and instructing them to log into Drata to acknowledge the new version. The policy owner can also review and update the policy renewal date to align with your company's compliance goals.
For authored policies, if you indicate that this is NOT a material change, the last updated date for policies in My Drata reflects the non-material change date. For other policies, the last updated date in My Drata is now the last approved date of the policy.
Revert to previous versions
When editing or updating a policy, you may want to revert to your previous draft or start over using the latest version of a Drata policy template. Whether you’ve uploaded a file or used the policy builder template, you can revert to the latest Drata template policy or your most recent draft.
Note: Drata occasionally updates the policy templates. Drata will never modify your policies and you will always have the option to use the latest version of a policy template.