Policy automation and Drata policy centre

Generate your set of information security policies and upload to the Drata Policy Centre to manage sign-off workflows

OVERVIEW

The documented policies and procedures cover around 30 (30%) of your key control activities. Our policy automation solution lets you select the pre-built components and enter the details that apply to your company, to generate a set of 21 key policies and procedures that satisfy these 30+ controls. These policies are then finalised, uploaded to the Drata Policy Centre, and approved to complete this section.


PART 1: POLICY AUTOMATION WORKFLOW

Our policy automation workflow collects information about your key systems and company, your compliance requirements, internal responsibilities, and ways of operating. You select the components that fit your preferences and generate your set of information security and compliance policies. The workflow also incorporates the System Description automation from the previous step, which populates the draft SOC 2 report so that it is ready for issuance once the audit is complete.


Steps to generate your policies

Please note: In order to save your progress and continue later, you must use the 'Access Later' option in the tool.

Step 1: Start in our Policy and System Description Automation (Access code: t8gKSNVxjD)

Note: Steps 2 to 5 may already have been completed in the previous step when generating the System Description.

Step 2: Populate your company details and select the standards we are reporting on.
Note: For the Drata Playbook, select SOC 2 Trust Services Criteria with Security, Availability and Confidentiality.

Step 3: Select the processes and systems in scope and add their details accurately. These influence the design of the description as well as the details populated.
Note: Ensure "Security and Compliance Monitoring Software" is selected, with "Drata" entered as the name of the software. This scopes the right controls for the report.

Step 4: Complete the remaining details about your company, systems and processes. All of these details can be adjusted in the output report.

Step 5: Your report is generated and you can download it. We recommend you review and update it before confirming to us that it is ready to form part of the final report.

Step 6: You will progress to the policy automation section, starting with responsibilities. You can select pre-defined titles or add your own. These will be the roles you assign to be responsible for each of the policies.

Step 7: Complete the six sections to generate the set of 15 policies. Take note of any warning messages listed after each policy section, to ensure the policies meet your compliance requirements.

Step 8: Upon completion of each section, you will be able to review and download your policy kit, ready to add your branding, upload to the Drata Policy Centre, and finalise.


PART 2: FINALISE THE POLICIES

The output of the policy automation workflow is your tailored set of policies in a Word document, to which you can apply your branding and logo, then review and finalise. The steps to finalise the policies are outlined in the generated policy kit.

Please note: the risk matrix Drata generates may be different from our Policy Tree matrix. Confirm which matrix you would like to use for consistency.


PART 3: UPLOAD TO DRATA POLICY CENTRE

Once finalised, the policies should be uploaded into Drata's Policy Centre. The mapping of the policy names to Drata's policy placeholders is noted in the policy kit.


PART 4: ASSIGN OWNER(S), SIGN OFFS AND APPROVE

Assign the policy owners in Drata. Configure whether employees are required to sign off on each policy. Record the policy owner's approval of the policy.