Create a policy

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read

    • A policy defines an internal practice that processes must follow. Policies are defined as policies, procedures, standards, plans, checklists, frameworks, and templates.

    Before you begin

    Role required: sn_compliance.admin or sn_compliance.manager

    Users with Compliance user (sn_compliance.user) role can also create policies.

    Procedure

    1. Navigate to All > Policy and Compliance > Policies and Procedures > Policies.
    2. Click New.
    3. On the form, fill in the fields.
      Table 1. Policy
      Field Description
      Name The name of the policy.
      Type

      List of options:

      • Policy
      • Procedure
      • Standard
      • Plan
      • Checklist
      • Framework
      • Template
      Owning Group Group that owns the policy.
      Owner User that owns the policy.
      Compliance Score Percentage The compliance score percentage assigned to this policy.
      Parent The policy containing this policy. If you create a control objective from within a policy, this field is automatically filled.
      Policy categories Click the lock icon and select one or more categories for filtering policies. For example, select Vulnerability Response to view policies associated with that application.
      State The state is a read-only field. Possible choices are:
      • Draft In this state, all compliance users can modify the policy and control objectives. All compliance users can click Request review button. Enter a message in the Request review pop-up and click Request , which sets the state to Review.
      • Review In this state, the owner, owning group, and reviewers can modify the policy and control objectives. The owner, owning group, and reviewers move the policy back to Draft, by clicking Back to draft, as well.

        Reviewers cannot request approval for a policy. However, the owner of the policy with sn_compliance.user, which is the minimum required role, and users with compliance manager role can request approval for a policy.

      • Awaiting approval In this state, the policy and control objectives are read- only for all. Approvers can approve the policy by updating the approval state in the Approvals Related List on the policy form, or by viewing My Approvals. If the policy is approved, the policy goes to the Published state. Otherwise, it goes back to the Review state.
      • Published In this state, the policy and control objectives are read-only for all. Admins can click Retire which sets the state of the policy to Retired
      • Retired In this state, the policy is read-only for all.
      Valid from Specifies the date and time when the policy becomes effective.
      Valid to Specifies the date and time until which the policy remains valid.
      Note:

      By default, when a policy expires, it doesn't automatically trigger a new approval process. Instead, it remains in the Publishedstate until the specified number of days (configured in the Policy and Compliance > Administration > Properties page) have passed.

      After this period, the policy transitions to either the Review state (if reviewers are assigned) or the Draft state (if no reviewers are assigned).

      The field specifying the number of days is labeled: Number of days after reaching a policy 'Valid to' date in which the expired policy will automatically move from its Published state back to a Draft/Review state.
      Approvers The users you want to be included in the approval process.
      Reviewers Select the users you want to be included in the review process.
      Description A general description of the policy.
      Policy text A detailed description of the policy.
      Knowledge Base
      Knowledge base The knowledge base article related to this policy.
      KB article The KB article number and link where the policy is published.
      Article template The article template to use for the publication of this policy.
      Acknowledgement Setup
      Audience Select the default audience responsible for acknowledging this policy.
      Reference Material URL Click the lock icon to add the URL for any needed reference materials, such as certification or training materials.
      Allow users to decline policy Select this check box to give users the option of declining policy acknowledgements.
      Allow users to request exception Select this check box to give users the option of requesting exceptions for policy acknowledgements.
      Exception Setup
      Maximum exception duration (days) Enter the maximum number of days for which a policy exception can be requested for a given policy.
    4. Continue with one of the following options.
      • To save and submit the policy, click Submit.
      • To mark the policy ready for review, click Request review .

    What to do next

    If you are implementing the Policy and Compliance Management software, return to the Policy and Compliance Management setup checklist and proceed to the next step.