States of policy approval and publishing

Policies go through a strict approval process to ensure compliance and to reduce exposure to risk. Publishing is built into the approval process and happens automatically.

The approval process flow is shown at the top of each policy record.

Table 1. Policy approval states
State | Description
Draft | All policies start in Draft state. In this stage, all compliance users can modify the policy and policy statements.
Review | The owner, owning group, and reviewers can modify the policy and policy statements and send it on to the next state.
Awaiting Approval | The policy is read-only in this state. Approved policies move forward to the Published state. Unapproved policies move back to Review. If no approvers are identified on the policy form, the state is skipped and the policy is published without an approval.
Published | Approved policies are automatically published to a template-defined KB. Once a policy is published, it remains in a read-only state. The Valid to field on the policy form defines how long the policy is valid. When a policy is no longer valid, it is automatically sent back to Draft state. When a policy reaches the end of the Review state and is approved for publishing, it is automatically published to the GRC knowledge base (as defined in Policy and Compliance > Administration > Properties). The article template field on the policy form defines the style of the published policy.
Retired | The KB article is removed when a policy is put into a Retired state.