Create a policy using the Compliance Workspace
A policy defines an internal practice that processes must follow. You can define policies using the Compliance Workspace as policies, procedures, standards, plans, checklists, frameworks, and templates.
Before you begin
Role required: sn_compliance_ws.corporate_compliance_analyst or sn_compliance_ws.corporate_compliance_manager
Procedure
- Navigate to Workspaces > Compliance Workspace.
- On the Home page, from the Create list at the top right, select Policy.
- On the form, fill in the fields.

  Table 1. Create New Policy form (Field: Description)

  - Name: The name of the policy.
  - Type: List of options:
    - Policy
    - Procedure
    - Standard
    - Plan
    - Checklist
    - Framework
    - Template
  - Parent: The policy containing this policy. If you create a control objective from within a policy, this field is automatically filled.
  - Policy categories: Select the lock icon and select one or more categories for filtering policies. For example, select Vulnerability Response to view policies associated with that application.
  - Description: A general description of the policy.
  - Policy text: A detailed description of the policy.
  - State: The state is a read-only field. Possible choices are:
    - Draft: In this state, all compliance users can modify the policy and control objectives. All compliance users can select the Request review button. Enter a message in the Request review pop-up and select Request, which sets the state to Review.
    - Review: In this state, the owner, owning group, and reviewers can modify the policy and control objectives. The owner, owning group, and reviewers select Request approval, starting the workflow by sending approvals to the users in the Approvers list. The owner, owning group, and reviewers can also move the policy back to Draft by selecting Back to draft.
    - Awaiting approval: In this state, the policy and control objectives are read-only for all. Approvers can approve the policy by updating the approval state in the Approvals related list of the policy form, or by viewing My Approvals. If the policy is approved, the policy goes to the Published state. If the policy is rejected, it goes back to the Draft state.
    - Published: In this state, the policy and control objectives are read-only for all. Admins can select Retire, which sets the state of the policy to Retired.
    - Retired: In this state, the policy is read-only for all.
  - Compliance Score Percentage: The compliance score percentage assigned to this policy.

  Assignment

  - Owning Group: Group that owns the policy.
  - Approvers: The users you want to be included in the approval process.
  - Approval method: Approval method for dynamic approval configuration. Available options are:
    - Manually select approvers
    - Use approval rules
  - Approvers: Approvers to be selected for the policy.
  - Reviewers: Select the users that you want to be included in the review process.
  - Contributors: Contributors selected for the policy.

  Schedule

  - Valid from: The date and time for which the policy becomes valid.
  - Valid to: The date and time for which the policy is no longer valid.

  Knowledge Base

  - Policy template: The article template to use for the publication of this policy.
  - Policy knowledge base: The knowledge base article related to this policy.
  - Published policy: The KB article number and link where the policy is published.

  Acknowledgement setup

  - Audience: Select the default audience responsible for acknowledging this policy.
  - Reference Material URL: Select the lock icon to add the URL for any needed reference materials, such as certification or training materials.
  - Allow users to decline policy: Select this check box to give users the option of declining policy acknowledgements.
  - Allow users to request exception: Select this check box to give users the option of requesting exceptions for policy acknowledgements.

  Exception Setup

  - Maximum exception duration (days): Enter the maximum number of days for which a policy exception can be requested for a given policy.

- Select Save.
In the reporting overview page of the policy, you can see the description of the policy, its state, and its status of overall compliance, entities, control objectives, and control. It also gives you the tracking information of policy acknowledgements, policy exceptions, and issues. The non-compliant entities widget also lists all the non-compliant reliant entities, each with its compliance score. For more information, see Manage compliance of a policy from the overview page.
- Select any of the related lists to provide more information for the policy.
- From the Overview page, select the Issues tab.
You can add one or more existing related issues to the policy that you created. By mapping the existing issues to the policy, you can reduce the count of open issues.
- Select the Add button.
- Select a related issue or issues from the Issues pop-up.
- Select Add.
The selected issues are added to the policy as related issues and an m2m relationship is created between the policy and the issues in the Issue to Document [sn_grc_m2m_issue_document] table. You can also create an issue for the policy by selecting the New button, which takes you to the Create New Issue form.
- To remove an issue that is mapped to the policy, select the issue and select Remove.
The remove action only removes the mapping or the association between the policy and the issue in the m2m table and doesn’t delete the issue record.
Note: The UI action buttons such as New, Add, Remove aren’t available if the policy is in Draft or Retired state. A policy in draft state is considered inactive and becomes active when it moves to Review state.
- To mark the policy ready for review, select Request review.
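
The lifecycle rules listed under the State field can be replayed against a policy's change history to flag edits or transitions that the documented workflow does not permit. The following is an added example, not ServiceNow code: the capacity labels, the event-record layout and the sample history are assumptions constructed for illustration.

```python
# Added example. Lifecycle rules are transcribed from the State field description;
# capacity labels and the event-record layout are assumptions, not ServiceNow names.
REVIEW_EDITORS = {"owner", "owning_group", "reviewer"}

# (current state, action) -> (state afterwards, capacities allowed to act)
RULES = {
    ("Draft", "modify"): ("Draft", {"compliance_user"}),
    ("Draft", "Request review"): ("Review", {"compliance_user"}),
    ("Review", "modify"): ("Review", REVIEW_EDITORS),
    ("Review", "Request approval"): ("Awaiting approval", REVIEW_EDITORS),
    ("Review", "Back to draft"): ("Draft", REVIEW_EDITORS),
    ("Awaiting approval", "approve"): ("Published", {"approver"}),
    ("Awaiting approval", "reject"): ("Draft", {"approver"}),
    ("Published", "Retire"): ("Retired", {"admin"}),
}  # Anything not listed (e.g. modify while Published or Retired) is read-only.


def audit(events, start="Draft"):
    """Replay events in order; return (findings, final recorded state)."""
    state, findings = start, []
    for i, ev in enumerate(events):
        rule = RULES.get((state, ev["action"]))
        if rule is None:
            findings.append((i, "not_available"))        # action not offered in this state
        elif not rule[1] & set(ev["capacities"]):
            findings.append((i, "actor_not_allowed"))    # actor lacks a permitted capacity
        elif ev["new_state"] != rule[0]:
            findings.append((i, "wrong_target_state"))   # state jumped somewhere unexpected
        # Continue from the recorded state so one finding does not cascade.
        state = ev["new_state"]
    return findings, state


# Constructed sample history for one policy record.
SAMPLE = [
    {"user": "alice", "capacities": ["compliance_user"], "action": "modify", "new_state": "Draft"},
    {"user": "alice", "capacities": ["compliance_user"], "action": "Request review", "new_state": "Review"},
    {"user": "bob", "capacities": ["compliance_user"], "action": "modify", "new_state": "Review"},
    {"user": "carol", "capacities": ["reviewer"], "action": "Request approval", "new_state": "Awaiting approval"},
    {"user": "carol", "capacities": ["reviewer"], "action": "modify", "new_state": "Awaiting approval"},
    {"user": "dave", "capacities": ["approver"], "action": "approve", "new_state": "Published"},
    {"user": "erin", "capacities": ["compliance_user"], "action": "Retire", "new_state": "Retired"},
]

if __name__ == "__main__":
    for idx, code in audit(SAMPLE)[0]:
        print(idx, SAMPLE[idx]["user"], SAMPLE[idx]["action"], code)
```
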