A policy statement is an objective, direction, or standard that acts as guidance for company interactions and operations. Policy statements can be categorized, classified, and related to policies.

1. Navigate to Policy and Compliance > Policy Statements.
2. Click New.
3. Fill in the fields on the form, as appropriate.

   Table 1. Policy Statement

   Field	Description
   Name*	The name of the policy statement.
   Source	A non-editable field with the source of the policy. For example, if the statement is from the UCF import, the source is UCF.
   Source ID	The unique identification number used by the source to catalog this authority document.
   Reference	A unique numerical identifier.
   Parent	The policy containing the policy statement. Multiple policies can reference the same policy statement. If you create a policy statement from within a policy, this field is automatically filled.
   Compliance Score Percentage	The compliance score percentage calculated for this policy statement, Scores 80 and higher are indicated in green. Scores 80 to 50 are in yellow and below 50 are indicated in red.
   Active	A policy is marked active if it is not in the Draft or Retired state.
   Creates controls automatically	Check box indicating that controls are automatically created from the policy statement. Note: Select this option if the policy statement can also serve as the control.
   Category	List of options: Acquisition or sale of facilities, technology, and services Audits and risk management Compliance and Governance Manual of Style Human Resources management Leadership and high level objectives Monitoring and measurement Operational management Physical and environmental protection Privacy protection for information and data Records management System hardening through configuration management Systems continuity Systems design, build, and implementation Technical security Third Party and supply chain oversight Root Deprecated
   Classification	List of options: Preventive Corrective Detective
   Type	List of options: Acquisition/Sale of Assets or Services Actionable Reports or Measurements Audits and Risk Management Behavior Business Processes Communicate Configuration Data and Information Management Duplicate Establish Roles Establish/Maintain Documentation Human Resources Management Investigate IT Impact Zone Log Management Maintenance Monitor and Evaluate Occurrences Physical and Environmental Protection Process or Activity Records Management Systems Continuity Systems Design, Build, and Implementation Technical Security Testing Training
   Attestation	List of options. GRC Attestation is chosen by default Note: If the user changes the control attestation, the related policy statement attestation type is changed also.
   Issue group rule	The group rule assigned to this policy statement.
   Description	Description of the policy statement.

4. Click Submit.
   The policy statement is created and all related lists are visible.

   • A control is created for every policy statement when a policy is associated with a profile.
   • The control attributes default to the same attributes as the related policy statement.