Skip to main content
All CollectionsCompliance
Policy Acknowledge Grouping
Policy Acknowledge Grouping
Ethan Heller avatar
Written by Ethan Heller
Updated over a week ago

Employees must be made aware of their responsibilities as they relate to information security. Regardless of which compliance framework your organization is working towards, you will end up with additional policies that will not be relevant to all employees.

With Drata’s updated functionality to create groups of employees, assigning different groups to different policies can ease the lift of getting employees to read and acknowledge policies as part of the onboarding process. However, many still prefer or see it as a best practice to have all employees acknowledge all policies.

Below, guidance is provided on how to use the grouping functionality while ensuring you cover what is needed for the framework you are pursuing.

However, your auditor will ultimately determine what they deem necessary so we suggest that you review with your company’s auditor as well.

Complete List of Policies and Acknowledge:

The table below contains all of the policies provided by Drata, as well as our recommendations around who should be acknowledging these policies.

Within the “Policy” column, we have listed out the policies you will need to have in place before your audit and in the “Acknowledged By” column, we have listed out the groups of employees we recommend review and acknowledge the specific policy. These are our recommendations, but you may determine that additional employees and/or different groups are also appropriate for said policies based on your company’s unique facts and circumstances.

Policy

Acknowledged By

Acceptable Use Policy

Everyone

Asset Management Policy

Engineering/IT/Security

Backup Policy

Engineering/IT/Security

Business Continuity Policy

Executives, Engineering/IT/Security

Change Management Policy

Engineering/IT/Security

Code of Conduct

Everyone

Data Classification Policy

Everyone

Data Retention Policy

Engineering/IT/Security

Data Protection Policy

Everyone

Disaster Recovery Plan

Executives, Engineering/IT/Security

Encryption Policy

Engineering/IT/Security

Global Network Firewall Policy (UK Cyber Essentials)

Engineering/IT/Security

Incident Response Plan

Executives, Engineering/IT/Security

Information Governance Policy (CCM)

Everyone

Information Security Policy

Everyone

Password Policy

Everyone

Personal Data Management Policy (CCPA/CPRA)

Everyone (recommended), OR

Departments who may receive and/or respond to privacy requests, such as Engineering/IT/Security/Sales/Marketing

Physical Security Policy

Everyone

Responsible Disclosure Policy

Everyone

Risk Assessment Policy

Executives and employees responsible for performing the risk assessment

Shared Responsibility Policy (CCM)

Engineering/IT/Security

Software Development Lifecycle Policy

Engineering/IT/Security

System Access Control Policy

Engineering/IT/Security

Vendor Management Policy

Employees responsible for vendor management

Vulnerability Management Policy

Engineering/IT/Security

Information Security Management System (ISMS) Plan

None

Breach Notification Policy (HIPAA)

Everyone

Business Associate Policy (HIPAA)

Everyone

Privacy, Use, and Disclosure Policy (HIPAA)

Everyone

Maintenance Management Policy (NIST)

Engineering/IT/Security

System and Information Integrity Policy (NIST)

Engineering/IT/Security

System and Services Acquisition Policy (NIST)

Engineering/IT/Security

System Security Planning Policy (NIST)

Engineering/IT/Security

Did this answer your question?