Custom Policies

How to create a custom policy by uploading or authoring in Drata

Written by Ashley Hyman
Updated over a week ago

In order to prepare for an audit, there are a number of policies you will need to have in place, approved by management, and acknowledged by your employees. However, many companies want to add other policies to Drata so that they can manage all policies in one place.

BEFORE DIVING IN

Those with the Account Administrator, Information Security Lead, or Workspace Manager roles will have access to create, approve and update policies within Drata.

HERE'S HOW

In the 'Policy Center', click the blue 'Create Custom Policy' button. There are two ways to create a policy:

  1. Upload policy - This option lets you select a file from your computer.

    • Files can be up to 25MB.

    • The filename is displayed if the PDF does not have a title.

    • The title is displayed if there is a title within the PDF.

  2. Author policy in Drata - This option lets you use the built-in editor to draft and edit your new policy.

When you click ‘Create’, you'll be directed to the policy editor, where you can create your custom policy. Once you're done, be sure to enter the policy renewal date on the right-hand side before you ‘Submit Policy.’

NOTE: You’ll generally need to maintain policies the same way you created them. The exception is that if you author a policy using Drata, you can switch to uploading a file for a future version.

You can also replace templated policies with a custom policy if it covers the same topics.

You'll notice that there is a custom renewal date on each policy you create. Automated tests and tasks use this date to help keep you on track with your compliance program goals. Keep in mind that many frameworks require review/approval of policies on an annual basis, so be sure to select a date that meets your compliance program needs.

Finalizing custom policies:

Here’s how to get a custom policy approved so people can acknowledge it:

  1. Once you create your policy, you’ll find it in Policy Center.

  2. The policy owner will need to approve the policy before it takes effect.

  3. After they approve the policy, the personnel you marked in-scope when you created the policy will be able to acknowledge it.
