Create and/or Edit Policies

What is a Policy?

A policy is a governing document describing what an organization does to ensure security and compliance. It outlines responsibilities and general procedures meant to implement and maintain specific security and compliance controls. An organization will generally outline specific procedures in separate procedure documents.

How to Create a new Policy

  • In the Secureframe dashboard, select Policies in the left sidebar menu.
  • Then click Create Policy at the top right.
  • Add the Policy Name and Policy Owner.
  • Paste in your policy text or Upload policy directly as a PDF. (Note: If you upload a PDF and leave the existing Text, personnel will have a tab and be able to see both Text and PDF.)
    • If pasting in a policy: Use the built-in toolbar to adjust formatting, and use the tokens provided in the side menu to auto-fill information such as Company Name, Date Modified, etc.
    • If uploading a policy directly as a PDF: Click the "Upload Policy" box from within a policy and select a PDF file. You may upload multiple PDF files if needed. To remove an uploaded PDF, click on the X next to the PDF file you previously uploaded. You may add additional free text along with the PDF file if desired, but also have the option to leave it blank.
  • Click Save if it needs to be reviewed, or click Save and publish if it's completed and ready for acknowledgement.

Note: If a policy is in draft and has no owner, any Admin can assign themselves as the owner and then publish it. Once a policy has an owner, only that policy owner can save and publish it. Click here to learn how.

How to edit an existing Policy

  • Locate the policy you'd like to edit from the list and click the three-dots icon to the right of that policy.
  • Click Edit Policy in the top right corner.
  • From here, make any updates to the Title, Body, or features located on the right side panel.
  • Policy Groups – Located in the bottom right corner, select any groups that apply. This allows you to assign specific policies to a defined group of people. For example, a Change Management policy may only apply to your Development group rather than All Employees. (Note: If you have not created any groups yet, please see our Groups article for step-by-step instructions.)
  • If applicable, you can also Upload a PDF directly to the existing policy. (Note: If you upload a PDF and leave the existing Text, personnel will have a tab and be able to see both Text and PDF.)
  • Click Save if it needs to be reviewed, or click Save and publish if it's completed and ready for acknowledgement.
  • Note: Only policy owners can publish the policy. Click here to learn how.

Policy Writing Assistance with Comply AI

Where: Policies → Open any policy → AI button in the editor toolbar

The policy editor includes a built-in AI writing assistant. Select any text and choose from a menu of AI-powered actions to improve your policy content instantly.

  • Click Edit Policy in the top right corner.
  • Click AI in the toolbar, or highlight a section of text and click AI to summarize, improve writing, change tone, and more.

| Action | Description |
|---|---|
| Summarize content | Extract key points from selected text |
| Improve writing | Fix grammar, spelling, and clarity |
| Simplify language | Reduce complexity for broader audiences |
| Expand upon | Add more depth and detail |
| Trim content | Remove redundancy and tighten prose |
| Change tone | Professional, Casual, Direct, Confident, Friendly |
| Change style | Business, Legal, Journalism, Medical, Poetic |
| Translate | Spanish, French, German, Italian, Dutch |

Additional Policy Features

  • Pre-built Tokens autofill your company's information, such as company name, date modified, policy owner, and security email.
  • PDF Upload lets you use policies you have already created.
  • Require employee Acceptance for important documents related to your compliance obligations.
  • Policy Groups allow you to assign specific policies to a set group of people. For example, a Change Management policy may only go to your Development group rather than All Employees.
  • The High Priority Vendors token, {{high_priority_vendor_list}}, is used in policies like the Business Continuity and Disaster Recovery Plan to display a list of your high-priority vendors.
  • Additional Policy features include options like Backup Frequency, Minimum Retention Period, and more.

Frequently Asked Questions

Who can publish a policy in Secureframe?

  • If a policy is in draft and does not yet have an owner, any Admin can assign themselves as the owner, make edits if needed, and then publish it.
  • Once a policy has an owner, however, only the assigned policy owner may publish it. If you need a policy published but are not the owner, you’ll need to either reassign ownership to yourself or request that the current owner publish it.

What happens if I upload a PDF to an existing Policy that already has text?

  • If you upload a PDF and leave the existing Text, personnel will have a tab and be able to see both Text and PDF. If you prefer the user to only see the PDF in this scenario, then delete all the text and leave only the PDF.
  • Accepting the policy applies to both the text and PDF versions, even if both are displayed.

If I make policy changes halfway through the year, is there a way to force users to re-read and accept policies?

  • No, not at this time, but this is an active Feature Request.
  • Currently, employees are only required to read and accept policies on an annual basis. If you make additional changes, those users will not be forced to review and acknowledge them until the next year.

How can I update the values/variables of the tokens in policies?

  • The token values are automatically pulled from the Company Settings > Company Details page. To update them, navigate to this page and modify the relevant fields, such as company name, security email, and other company details. The changes will be reflected in the policies where these tokens are used.

I already have policies in another platform, can I link these policies to Secureframe via HTML?

  • We do not currently support HTML linking for Policies.
  • If you do not wish to utilize our pre-built policies, you can upload a PDF of your own in the Create Policy section located here

All my acknowledgment tests are passing, as they should, since everyone says they have accepted the policies. Why do the tests themselves show "none" for accepted?

  • This is typically because the "Require employee acceptance" box was not selected when the policies were published.
  • Go to the Policy, click Edit, check the box, then save.
  • Once you check that box in the policy, the data will backfill correctly to the test.

Where can I set the {{backup_frequency}} token used in the Business Continuity and Disaster Recovery Plan?

The {{backup_frequency}} token is populated from the “Backup frequency” field in the Options section of your Business Continuity and Disaster Recovery Plan (BCDRP).

To set this value:

  1. Go to your Policy page.
  2. Select your Business Continuity and Disaster Recovery Plan policy.
  3. Scroll to the Options section below the policy body.
  4. Use the dropdown next to Backup frequency to select your desired value (e.g., Monthly, Weekly, etc.).

Once saved, the {{backup_frequency}} token will dynamically populate in the policy wherever it’s used.

What is an employee handbook in Secureframe?

  • An employee handbook in Secureframe is typically a collection of published policies that define company expectations, workplace conduct, and security requirements. Rather than being a single document, the handbook is often made up of multiple individual policies that employees acknowledge inside the platform.

Do I need a separate “employee handbook” document?

Not necessarily. Many companies use Secureframe policies instead of a traditional handbook PDF by publishing individual policies and assigning them to employees for acknowledgment. This approach makes it easier to:

  • Keep content up to date
  • Track acknowledgments
  • Show auditors proof that employees reviewed required policies

Some companies still upload a handbook PDF, while others fully manage handbook content through individual policies.
