
Best Practices for Implementing Policy and Compliance for New Organizations

HarshC303096983
Tera Contributor

What is the recommended approach to setting up Policy and Compliance for an organization that is completely new to the module?

How should we get started with the initial configuration, and what foundational setup steps are critical?

Which linkages and relationships (for example, between policies, controls, risks, and profiles) are most important to establish early to ensure a scalable and effective implementation?



Hello @HarshC303096983,

I hope you are doing well. Does my response help you?

If my response helps you, then mark it as helpful and accept it as the solution. It will help other community members with future queries.

Regards,

Aditya

VaishnaviK3009
Tera Guru

Hi @HarshC303096983!!

Recommended approach for a new Policy and Compliance implementation

1. Define scope and objectives
  • Identify initial regulations/frameworks in scope
  • Decide which business units or entities to include first
  • Start small and expand later

2. Set up Entity and Profile structure (critical foundation)
  • Create entity types (enterprise, subsidiary, business unit, etc.)
  • Create organizational, business unit, and IT/application profiles
  • Profiles determine policy applicability and compliance reporting

3. Configure Policy Management
  • Define policy types and categories
  • Set up policy lifecycle states and ownership
  • Create clear policy statements that define intent, not controls

4. Define Controls early
  • Create control objectives and controls (manual/automated)
  • Map policy statements to controls
  • Associate controls to applicable profiles

5. Create Authority Documents
  • Load regulations, laws, and standards as authority documents
  • Map authority documents to controls (not directly to policies)

6. Align Risks at a high level
  • Define a basic risk taxonomy
  • Create high-level risks
  • Map controls to risks

7. Enable assessments later
  • Configure control assessments and policy attestations
  • Enable reporting once data and ownership are stable

Key relationships to establish early
  • Profiles → Policies
  • Policies → Policy Statements
  • Policy Statements → Controls
  • Controls → Profiles
  • Controls → Risks
  • Controls → Authority Documents

Mark this as Helpful if it clarifies the issue.
Accept the solution if this answers your question.

Regards,
Vaishnavi
Associate Technical Consultant
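The relationship list in the answer above, as an added example that is not part of the original post: a plain JavaScript model of the six key linkages (profiles, policies, policy statements, controls, risks, authority documents) together with a gap check to run before enabling assessments in step 7. Every record id, name and field name here is constructed for illustration; the code does not use ServiceNow's own tables or scripting APIs.

```javascript
// Added example, not from the original post: an in-memory model of the
// Policy and Compliance relationships listed in the answer, plus a linkage
// check to run before enabling assessments (step 7). All record ids, names
// and field names are constructed; no ServiceNow table or API is used.

// Constructed sample data. CTL-2 is deliberately left unmapped, and PRF-3 has
// no policy, so the check has something to report.
const sampleModel = {
  profiles: [
    { id: 'PRF-1', name: 'Enterprise', type: 'organizational' },
    { id: 'PRF-2', name: 'Payments BU', type: 'business unit' },
    { id: 'PRF-3', name: 'Customer Portal', type: 'application' },
  ],
  policies: [
    { id: 'POL-1', name: 'Access Control Policy', profiles: ['PRF-1', 'PRF-2'] },
  ],
  policyStatements: [
    { id: 'PS-1', policy: 'POL-1', text: 'Production access follows least privilege.' },
    { id: 'PS-2', policy: 'POL-1', text: 'Privileged access is reviewed quarterly.' },
  ],
  controls: [
    { id: 'CTL-1', statement: 'PS-1', kind: 'automated',
      profiles: ['PRF-2'], risks: ['RSK-1'], authorityDocuments: ['AD-1'] },
    { id: 'CTL-2', statement: 'PS-2', kind: 'manual',
      profiles: [], risks: [], authorityDocuments: [] },
  ],
  risks: [{ id: 'RSK-1', name: 'Unauthorized access to payment systems' }],
  authorityDocuments: [{ id: 'AD-1', name: 'Constructed access-control standard' }],
};

// Build an id -> record lookup for one entity type.
function indexById(records) {
  const idx = new Map();
  for (const r of records) idx.set(r.id, r);
  return idx;
}

// Returns one entry per missing or dangling relationship, walking the
// "key relationships" list from profiles down to authority documents.
function findLinkageGaps(model) {
  const gaps = [];
  const profiles = indexById(model.profiles);
  const policies = indexById(model.policies);
  const statements = indexById(model.policyStatements);
  const risks = indexById(model.risks);
  const authDocs = indexById(model.authorityDocuments);

  // A relationship must be present and every referenced id must exist.
  const requireRefs = (owner, relation, refs, index) => {
    if (refs.length === 0) gaps.push({ id: owner, relation, problem: 'missing' });
    for (const ref of refs) {
      if (!index.has(ref)) gaps.push({ id: owner, relation, problem: 'dangling:' + ref });
    }
  };

  // Profiles -> Policies: a profile no policy applies to reports nothing.
  const profilesWithPolicy = new Set(model.policies.flatMap((p) => p.profiles));
  for (const prf of model.profiles) {
    if (!profilesWithPolicy.has(prf.id)) {
      gaps.push({ id: prf.id, relation: 'profile->policy', problem: 'missing' });
    }
  }
  // Policies -> Profiles and Policies -> Policy Statements.
  const policiesWithStatement = new Set(model.policyStatements.map((s) => s.policy));
  for (const pol of model.policies) {
    requireRefs(pol.id, 'policy->profile', pol.profiles, profiles);
    if (!policiesWithStatement.has(pol.id)) {
      gaps.push({ id: pol.id, relation: 'policy->statement', problem: 'missing' });
    }
  }
  // Policy Statements -> Controls (a statement states intent; a control enforces it).
  const statementsWithControl = new Set(model.controls.map((c) => c.statement));
  for (const st of model.policyStatements) {
    requireRefs(st.id, 'statement->policy', [st.policy], policies);
    if (!statementsWithControl.has(st.id)) {
      gaps.push({ id: st.id, relation: 'statement->control', problem: 'missing' });
    }
  }
  // Controls -> Profiles, Risks and Authority Documents.
  for (const ctl of model.controls) {
    requireRefs(ctl.id, 'control->statement', [ctl.statement], statements);
    requireRefs(ctl.id, 'control->profile', ctl.profiles, profiles);
    requireRefs(ctl.id, 'control->risk', ctl.risks, risks);
    requireRefs(ctl.id, 'control->authorityDocument', ctl.authorityDocuments, authDocs);
  }
  return gaps;
}

// Step 7 gate: enable assessments and reporting only once every linkage resolves.
function readyForAssessments(model) {
  return findLinkageGaps(model).length === 0;
}

console.log(findLinkageGaps(sampleModel));
console.log('ready for assessments:', readyForAssessments(sampleModel));
```

Run against the constructed data, the check reports four gaps: the application profile PRF-3 has no policy, and the manual control CTL-2 has no profile, risk or authority document mapped. Once those links are added the model passes, which is the point at which assessments in step 7 would produce meaningful results rather than empty scopes.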

This is either an AI answer or you should revisit documentation / snow-university

Please mark answers (not only mine) as helpful if they were,
and "accepted solutions". This motivates others to take part, post solutions and find answers. Thanks! - Mat