devguard

Policies

Your organization's policies define how work gets done and ensure everyone follows the same standards. Use this section to create, edit and update policies so they stay compliant with the frameworks you enabled.

Overview

Policies are the centerpiece of your organization's compliance program. They define how work gets done, ensure everyone follows the same standards, and provide documented evidence for auditors and regulators. By serving as both operational guidance and formal compliance documentation, policies bridge the gap between everyday activities and regulatory requirements.

Policies are tightly integrated with frameworks and controls, allowing you to maintain alignment with compliance requirements and industry best practices. They not only guide internal operations but also act as proof to auditors, customers, and partners that your organization takes governance and security seriously.

Policies are structured into categories, each containing one or more policies. Within a policy, you can define sections, map them to controls, manage versions, and ensure accountability through approvals. Policies can be updated iteratively and improved over time, but every change is tracked to maintain transparency and accountability. A report can be generated at any time to export a policy into a properly formatted PDF.


Categories

Policies are organized into categories to group related policies together (e.g., Information Security Management, User-level policies, Business-related policies). Categories act as high-level containers, making it easier to manage large sets of policies and keep them aligned with governance areas.

For example, you might have a category dedicated to IT Operations, which houses policies such as Change Management and Access Control. Another category, such as Business-related policies, can include HR or Finance policies. This ensures policies are easy to locate and manage in larger organizations.

Field   Description
Name    The title of the category (required).

Categories can contain multiple policies and are often used to organize them by domain, function, or compliance framework. The flexibility allows you to structure policies in a way that mirrors your organizational reality while still maintaining a standardized system for oversight.


Policies

Each policy lives inside a category. A policy defines standards, procedures, and practices that guide the organization. Policies can be drafted, published, updated, and versioned over time. They provide both a set of instructions for day-to-day work and a compliance artifact that can be reviewed during audits.

Policies exist in different states, such as Draft or Published. Draft policies are in progress and can be freely updated, while published policies are locked and treated as official. This separation allows for iterative editing while still maintaining compliance discipline for finalized documents.

Field      Description
Title      The name of the policy (required).
Slug       Unique identifier for the policy, used in linking and reporting (required).
Approver   A role responsible for formally approving the policy (required).

Policies can evolve over time to reflect organizational changes, regulatory updates, or lessons learned. By tying them to approvers and versioning, you ensure that every published policy has clear ownership and accountability.


Sections

A policy consists of sections, such as Introduction, Purpose, Scope, or Methodology. Sections give policies a structured layout that makes them easier to read and maintain. Instead of being static documents, sections are interactive and editable building blocks.

  • Sections can be added before or after an existing section, providing flexibility when reorganizing content.
  • Sections can be nested to create hierarchical structures, useful for breaking down larger documents into smaller, well-defined pieces. For instance, a section on Security Operations might contain nested sub-sections for Monitoring, Incident Response, and Escalation Procedures.
  • Controls from adopted frameworks can be mapped to each section. How many sections a policy has is up to you, so you can create lightweight policies or highly detailed ones.

Sections are managed with a rich content editor that supports both formatting and structured linking.

The editor enables:

  • The "/" command, which allows adding formatted content such as headings, bullet lists, tables, or even specialized elements like policy sections and columns. This makes it easy to create polished documents without leaving the platform.
  • The ":" command, which links to existing items in Collections. Because these are linked references, if the data source is updated, the change is automatically reflected in all policies where it's used. This ensures consistency across all documentation without requiring manual updates.

Control Mapping

Each section of a policy can be mapped to one or more controls from any adopted framework. This ensures that your policies directly contribute to compliance coverage and serve as living evidence of your adherence to standards.

When mapping controls, you also define a coverage assessment, which helps evaluate the degree to which the policy satisfies compliance requirements:

  • Full Coverage means the section fully addresses the control.
  • Partial Coverage indicates that the control is only partially satisfied, requiring additional measures.
  • No Coverage reflects a gap that needs to be addressed.
  • Unknown can be used when the coverage is unclear or pending review.

Control mappings create a direct link between high-level regulatory requirements and operational guidance. This makes policies not just documents for employees, but also tools for auditors and compliance officers to verify organizational readiness.


Versioning

Policies are versioned automatically. Each update creates a new version, allowing your organization to keep a transparent record of changes over time.

Versioning provides several advantages:

  • A complete history of changes is maintained, giving insight into how policies evolved.
  • You can compare versions in a diff view, highlighting added, removed, or updated sections. This makes audit preparation more efficient, as you can demonstrate exactly what changed and why.
  • PDF reports can be generated from current or historical versions, ensuring you always have a legally valid snapshot for compliance reviews.

Each version is labeled with semantic versioning (e.g., v1.1.0, v1.3.0) and includes metadata such as the author, approver, and timestamps. This ensures full accountability and auditability of your policy lifecycle.


Approving

Policies require formal approval by the assigned Approver role (e.g., CEO, COO, or other leadership). Approval ensures that policies are not just drafted but also officially endorsed at the right level of responsibility.

Once a policy is approved, the version is locked. This makes it immutable, serving as the authoritative standard until a new version is created. Only by creating and approving a new version can policies be changed, ensuring both flexibility and compliance integrity.
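To make the lifecycle concrete, here is an added Python model (not devguard's code; the class names, the minor-version bump rule and the coverage ranking are assumptions) of the sections, control mappings and coverage assessments described under Control Mapping, together with the draft/published lock and semantic version labels described under Versioning and Approving. The control ids used with it are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum
class Coverage(Enum):          # the four coverage assessments a mapping can carry
    FULL = "full"
    PARTIAL = "partial"
    NONE = "none"
    UNKNOWN = "unknown"
@dataclass
class Section:
    title: str
    mappings: dict = field(default_factory=dict)   # control id -> Coverage
@dataclass
class Version:
    label: str                 # semantic version label, e.g. "v1.1.0"
    sections: list
    author: str
    state: str = "draft"       # "draft" (editable) or "published" (locked)
    approver: str = ""

class Policy:
    def __init__(self, title, slug, author):
        self.title, self.slug = title, slug
        self.versions = [Version("v1.0.0", [], author)]   # first draft (assumed start label)
    @property
    def current(self):
        return self.versions[-1]
    def add_section(self, section):
        if self.current.state == "published":
            raise RuntimeError(f"{self.current.label} is published and locked; create a new version")
        self.current.sections.append(section)
    def approve(self, approver):
        # approval publishes the current version; from here on it is immutable
        self.current.state, self.current.approver = "published", approver
    def new_version(self, author):
        # copy the latest content into a fresh draft and bump the minor number (assumed bump rule)
        major, minor, _ = (int(x) for x in self.current.label[1:].split("."))
        draft = Version(f"v{major}.{minor + 1}.0",
                        [Section(s.title, dict(s.mappings)) for s in self.current.sections], author)
        self.versions.append(draft)
        return draft

def coverage_report(version, required_controls):
    """Best coverage each required control gets from any section; unmapped controls are gaps."""
    rank = {Coverage.NONE: 0, Coverage.UNKNOWN: 1, Coverage.PARTIAL: 2, Coverage.FULL: 3}  # assumed order
    best = {}
    for s in version.sections:
        for ctl, cov in s.mappings.items():
            if rank[cov] > rank.get(best.get(ctl), -1):
                best[ctl] = cov
    return {ctl: best.get(ctl, Coverage.NONE) for ctl in required_controls}
```

The report is the gap list an auditor would ask for: any control that comes back as NONE or UNKNOWN still needs a section (or a review) before the policy can claim coverage.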


Generate Report

At any time, you can generate a PDF report of a policy. The report includes:

  • The policy title and version
  • All sections with formatted content
  • Control mappings and coverage status
  • Metadata (approver, author, dates, etc.)

Reports are especially useful during external audits or board reviews, where a polished, consistent format is critical. By including metadata and control mappings, reports not only document the policy itself but also show how it ties into your compliance framework.

The ability to generate PDF reports from past versions means you can demonstrate historical compliance as well, proving not just current readiness but also a track record of continuous governance.
