How do I add and assess a policy?
Quick answer
Section titled “Quick answer”Open Compliance → Policies, click “New Policy”, choose the
framework (ISO 27001, BSI C5, or Custom), give it a title, and save.
Only the title plus the framework are required. Use the status field to
assess the maturity level — from Draft through Active and Review
to Archived. Optionally, record a reference ID (e.g. the control
number, such as A.5.1) and a category.
Prerequisites
Section titled “Prerequisites”Compliance is a Pro feature. Without a suitable tier, the API responds with 403.
Instructions
Section titled “Instructions”-
Open the “Policies” tab. In the Compliance module, switch to the Policies tab and click “New Policy”.
Screenshot pendingcompliance-richtlinie-01List of policies with the 'New Policy' buttonThe policy list with the button for creating a new one. -
Fill out the form. Enter at least the required fields:
- Framework —
ISO 27001,BSI C5, orCustom. - Title — the name of the policy (e.g. “Access control for administrative accounts”).
Optional but recommended: reference ID (the control/criterion number from the framework), category, description, and the status. Newly created policies start with the status Draft.
Screenshot pendingcompliance-richtlinie-02'New Policy' form with Framework, Title, Reference ID, Category, and StatusThe policy form. Framework and title are required. - Framework —
-
Save and assess. After saving, the policy appears in the list. Use the status field to document the maturity level over time: Draft → Active (in effect) → Review (up for review) → Archived (no longer valid).
Screenshot pendingcompliance-richtlinie-03Policy in the list with status 'Active' and its assigned frameworkThe saved policy with its framework and status.
Create a policy: POST to /api/v1/compliance/policies. framework and
title are required. Allowed framework values: iso27001, c5,
custom. Allowed status values: draft, active, review, archived
(default: draft).
curl -X POST https://demo.notory.io/api/v1/compliance/policies \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "framework": "iso27001", "reference_id": "A.5.15", "title": "Zugriffskontrolle für administrative Konten", "category": "Zugriffssteuerung", "description": "Administrative Zugänge werden per MFA und Vier-Augen-Prinzip abgesichert.", "status": "active" }'Response HTTP 201 Created:
{ "id": "018f7c2a-1b44-7e90-9a1c-2d3e4f5a6b70", "tenant_id": "3d9b0c12-4e5a-4f88-b1c7-2a9e6d4f0011", "framework": "iso27001", "reference_id": "A.5.15", "title": "Zugriffskontrolle für administrative Konten", "description": "Administrative Zugänge werden per MFA und Vier-Augen-Prinzip abgesichert.", "category": "Zugriffssteuerung", "status": "active", "created_at": "2026-07-08T09:20:00Z", "updated_at": "2026-07-08T09:20:00Z"}Progress the status later — e.g. from active to review — via PUT:
curl -X PUT https://demo.notory.io/api/v1/compliance/policies/018f7c2a-1b44-7e90-9a1c-2d3e4f5a6b70 \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "status": "review" }'Possible errors: 401 (token missing/invalid), 403 (no write access
or Compliance not in your tier), 404 (policy not found), 422
(validation — e.g. empty title or unknown framework).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- Default values: Without input,
status = Draft(draft) applies. - Framework validation:
frameworkmust be one ofiso27001,c5, orcustom;statusone ofdraft,active,review,archived. Other values result in 422. - Reference ID as an anchor: The optional reference ID links the policy to the specific control number (ISO 27001) or criterion (BSI C5) — useful for audit traceability.
- Audit trail: Creator and editor are recorded with a timestamp.
- Tenant isolation: The policy belongs exclusively to your tenant.
Related topics
Section titled “Related topics”- What does the Compliance module cover?
- Assess and treat a risk
- Keep track of compliance status
- API introduction — authentication, base URL, error codes