Policy Manual

The Policy Manual is essentially your operating manual for the framework your company is targeting, such as SOC 2, HIPAA, ISO 27001, or GDPR. It consists of policies that outline the domains or functions required to operate, such as what needs to be done for asset management, incident response, or privacy management.

One way to think of your Policy Manual is that policies and controls are the what of your security management operation. Compliance requirements and risks are the why. Procedures and Automations are the how.

The Policy Manual is linked to your controls and procedures so you can see your entire security management program in one view and filter to see more specific details.


Clicking "Policy Manual" in the GRC dropdown shows your latest approved policy manual, in all its glory.


What if Comply says "No approved ISMS"?

When you click the ISMS tab, you're always shown the latest approved version of your ISMS. If you've never approved any control, this page will be blank. Head over to the "Controls" tab to review your controls and approve them to start building up your policy manual.

Next Up

Dive into your Controls to edit and approve the content of your ISMS.