Create and replace a Drata Policy with your Custom Policy

Upload or create your custom policy directly in Drata. Additionally, discover how to replace Drata policy templates with a custom policy.

Updated over a week ago

To prepare for an audit, you need to have several management-approved policies acknowledged by your employees. Many companies also want to add additional policies to Drata for centralized management. While Drata's Policy Center includes several policy templates, you may prefer to use your own. You can replace Drata’s policies with your custom policies.

Important: Replacing a template automatically updates control mappings to your custom policy. If not replaced, controls may be unready and tests may fail since they will continue to reference the previous Drata policy.

BEFORE DIVING IN

  • Admins, information security leads, and workspace managers will have access to create, approve, and update policies within Drata.

  • You must not be using an external policy manager such as BambooHR or Confluence. If you are using an external policy manager, you will see an Import External Policy button rather than a Create Custom Policy button.

Create and replace a Drata policy with a custom policy

  1. Navigate to the Policy Center page and select Create Custom Policy.

  2. Provide Policy Details:

    • Policy Source: Choose either to upload a file or create a policy directly within Drata. (Upload Policy or Author Policy in Drata)

      1. Upload policy: Select and upload a file from your computer (up to 25MB).

        • Note for PDF files:

          • If there is a title, the filename becomes the title.

          • If there is no title within the PDF, the filename does not change.

      2. Author policy in Drata: After you fill out the rest of the details in the drawer and continue, you will be able to use Drata’s built-in editor to draft and edit your new policy. Refer to the Draft your custom policy section to learn more.

    • Details: Enter policy details such as name, description, and owner of the policy.

    • Personnel groups: You must also choose who must acknowledge this policy.

  3. Replace Drata policies (optional): Select the Drata template to replace with your custom policy to ensure tests and controls are mapped correctly.

    • ⚠️ Warning: If you don't replace the Drata template and instead just add a custom policy as a separate document, the system will not redirect mappings to your custom policy. This may cause controls to become misaligned and unready, causing tests to fail.

    • After selecting Select policies, a modal will appear where you can select the policies to replace.

      • If a selected policy is also associated with Service Level Agreement (SLA) settings, the modal will also include SLA settings for you to configure. After entering your SLA settings, continue.

      • If one of the policies selected requires affirmation of the policy content, a modal with an affirmation checkbox is displayed. You’ll need to affirm the policy content before continuing.

  4. After you’re done filling out the required fields, select Create.

Next steps: Author Policy in Drata

Note: If you selected Upload policy as the policy source, the file is uploaded and created without further action needed.

If you chose Author Policy in Drata, you’ll be directed to Drata’s built-in editor to draft and finalize the policy. You also have the ability to upload a custom policy file.

Once you're done, enter the policy renewal date on the right-hand side before submitting the policy.

  • Renewal dates are crucial for automated tests and tasks that help keep you on track with compliance goals. Many frameworks require annual review/approval of policies, so select a date that meets your compliance needs.

Approve custom policy

Approving a policy allows the personnel you marked in-scope to acknowledge the policy.

  1. Once you create your policy, you’ll find it in Policy Center.

  2. The policy owner will need to approve the policy before it takes effect. Learn more at Policy approval, renewal, and updates.
