Policies

Policies are formal documents that describe your organization's security commitments. This guide explains how policies work in ForgeComply.

What Is a Policy?

A policy is a documented statement of how your organization handles a specific security domain. Policies explain what you commit to doing.

Examples:

Access Control Policy
Incident Response Policy
Data Classification Policy
Acceptable Use Policy
Change Management Policy

Policies are distinct from:

Controls — Specific requirements you evaluate
Evidence — Proof that controls are operating

The relationship:

Policies describe intent → Controls verify implementation → Evidence proves operation

Why Policies Matter

Auditor Expectations

Auditors expect documented policies for major security domains. Undocumented practices are a red flag.

Organizational Clarity

Policies ensure everyone knows the rules. They reduce ambiguity and support consistent behavior.

Compliance Requirements

Both SOC 2 and ISO 27001 require documented policies covering key security areas.

Evidence Foundation

Policies provide the baseline against which evidence is evaluated.

Policy Structure

ForgeComply policies include:

Policy title
Version number
Effective date
Owner/approver
Review schedule

Purpose

Why this policy exists.

Scope

Who and what the policy applies to.

Policy Statements

Specific commitments your organization makes.

Roles and Responsibilities

Who is accountable for what.

Review and Updates

How and when the policy is reviewed.

The Policies Page

Navigate to Policies in the sidebar to manage your policies.

Policy List

Each policy shows:

Policy name
Domain (security area)
Status (Draft / Approved)
Last updated
Linked controls count

Actions

View/edit policy content
Approve policies
Download as document
Link to controls

Generating Policies

ForgeComply generates policies based on your organization's profile and control responses.

How Generation Works

Organization profile — Company name, industry, size
Control responses — What you've implemented
Framework requirements — SOC 2 or ISO 27001 expectations
Policy templates — Professional structure and language

ForgeComply combines these to produce relevant, specific policies.

When to Generate

Generate policies:

After completing related controls
When starting a new security domain
When implementation significantly changes

Generation Does Not Mean Complete

Generated policies are drafts. You should:

Review for accuracy
Adjust to match your actual practices
Get appropriate approval
Update the status to "Approved"

Policy Status

Draft

The policy has been generated but not approved.

Can be edited
Not considered final
Auditors may see as work-in-progress

Approved

The policy has been reviewed and approved.

Represents official organizational commitment
Linked to controls for completeness
Ready for auditor review

Important: Only approve policies that accurately reflect your practices. Don't approve aspirational policies.

One Policy, Many Controls

Policies are domain-based, not control-based. One policy typically covers multiple related controls.

Example: An Access Control Policy might cover:

AC-01: MFA Enforcement
AC-02: Password Requirements
AC-03: Access Reviews
AC-04: Least Privilege

When you link a policy to a control, you're connecting that control to the relevant domain policy.

Editing Policies

Making Changes

Click on any policy to view
Edit content as needed
Changes are saved automatically

What to Edit

Company-specific details
Implementation specifics
Role names and titles
Frequency and timing details
Scope clarifications

What Not to Edit

Avoid removing:

Core security commitments
Required elements for your framework
Structure that auditors expect

Approving Policies

When to Approve

Approve a policy when:

Content accurately reflects your practices
Appropriate stakeholder has reviewed
You're ready to commit to the statements

Who Should Approve

Typically:

Security lead
CISO
CTO
Other designated authority

How to Approve

Review the policy content
Click Approve on the policy card
Status changes to "Approved"

Changing After Approval

You can edit approved policies, but:

Consider version implications
Update effective date if significant changes
Re-approve if necessary

Policy Updates During Guided Setup

If you're using Guided Setup and complete controls in a domain:

Guided Setup may prompt policy generation
Generate the policy for that domain
Review and adjust as needed
Continue with controls

You don't need to approve immediately — focus on getting through controls first, then return to finalize policies.

Linking Policies to Controls

Why Link?

Demonstrates controls have documented backing
Shows organizational maturity
Required for control completeness

How to Link

From a control:

Open the control detail
Find the Policy section
Select the relevant policy

From a policy:

Open the policy
View linked controls
Add additional control links if needed

Unlinked Controls

Controls without linked policies show as incomplete. This affects control status.

Policy Best Practices

Be Accurate

Policies should reflect what you actually do, not what you wish you did.

Be Specific

"Access reviews occur quarterly" is better than "Access is reviewed periodically."

Be Realistic

Don't commit to things you can't sustain.

Review Regularly

Policies should be reviewed annually at minimum.

Update When Things Change

If implementation changes, update the policy.

Policies in Reports

When you generate reports:

Approved policies are included in the Control Matrix
Policy coverage is summarized in the Audit Readiness Report
Draft policies may be noted as incomplete

Reports capture policy status at generation time.

Frequently Asked Questions

Does AI write my policies?

AI assists with generation based on your profile and responses. You review, edit, and approve. The final policy is yours.

Can auditors see draft policies?

Auditors see what's in reports. Draft policies may appear as incomplete coverage.

What if I don't have a policy for something?

Generate one, or acknowledge the gap. Don't fake it.

How often should policies be updated?

At minimum annually, or when significant changes occur.

Can I import existing policies?

Currently, policies are generated within ForgeComply. You can copy content from existing policies into the editor.

Next Steps

Controls Documentation — Working with controls
Evidence Documentation — Supporting your policies with evidence
Reports & Auditor Access — How policies appear in reports

What Is a Policy?​

Why Policies Matter​

Auditor Expectations​

Organizational Clarity​

Compliance Requirements​

Evidence Foundation​

Policy Structure​

Header​

Purpose​

Scope​

Policy Statements​

Roles and Responsibilities​

Review and Updates​

The Policies Page​

Policy List​

Actions​

Generating Policies​

How Generation Works​

When to Generate​

Generation Does Not Mean Complete​

Policy Status​

Draft​

Approved​

One Policy, Many Controls​

Editing Policies​

Making Changes​

What to Edit​

What Not to Edit​

Approving Policies​

When to Approve​

Who Should Approve​

How to Approve​

Changing After Approval​

Policy Updates During Guided Setup​

Linking Policies to Controls​

Why Link?​

How to Link​

Unlinked Controls​

Policy Best Practices​

Be Accurate​

Be Specific​

Be Realistic​

Review Regularly​

Update When Things Change​

Policies in Reports​

Frequently Asked Questions​

Does AI write my policies?​

Can auditors see draft policies?​

What if I don't have a policy for something?​

How often should policies be updated?​

Can I import existing policies?​

Next Steps​