Skip to content

How do I add and assess a policy?

Requires Pro

Open Compliance → Policies, click “New Policy”, choose the framework (ISO 27001, BSI C5, or Custom), give it a title, and save. Only the title plus the framework are required. Use the status field to assess the maturity level — from Draft through Active and Review to Archived. Optionally, record a reference ID (e.g. the control number, such as A.5.1) and a category.

Compliance is a Pro feature. Without a suitable tier, the API responds with 403.

  1. Open the “Policies” tab. In the Compliance module, switch to the Policies tab and click “New Policy”.

    The policy list with the button for creating a new one.
  2. Fill out the form. Enter at least the required fields:

    • FrameworkISO 27001, BSI C5, or Custom.
    • Title — the name of the policy (e.g. “Access control for administrative accounts”).

    Optional but recommended: reference ID (the control/criterion number from the framework), category, description, and the status. Newly created policies start with the status Draft.

    The policy form. Framework and title are required.
  3. Save and assess. After saving, the policy appears in the list. Use the status field to document the maturity level over time: DraftActive (in effect) → Review (up for review) → Archived (no longer valid).

    The saved policy with its framework and status.
  • Default values: Without input, status = Draft (draft) applies.
  • Framework validation: framework must be one of iso27001, c5, or custom; status one of draft, active, review, archived. Other values result in 422.
  • Reference ID as an anchor: The optional reference ID links the policy to the specific control number (ISO 27001) or criterion (BSI C5) — useful for audit traceability.
  • Audit trail: Creator and editor are recorded with a timestamp.
  • Tenant isolation: The policy belongs exclusively to your tenant.