Policies are one of the primary types of evidence you’ll use to demonstrate that your organization’s controls are operational. You may already have many of these in place, and that’s great! If you do have existing policies, it is advised to compare them with our auditor-reviewed templates. You may want to borrow some of our language or suggested sections. That said, if you are missing a few policies, or if your organization hasn’t put any formal policies into place yet, Strike Graph offers a library of templates for you to use.
Accessing Templates
Strike Graph templates can be accessed from the “View Resources” button available in each control and evidence description.
Clicking that button will automatically search our Help Center for templates and other articles related to the control or evidence you are at in the platform.
Note: Once in the Help Center, you can also search for other templates and articles that you’re interested in, using the search bar at the top of any page. This can save you some time, as you don’t need to go back to the platform and re-enter the resource center for every question you have.
Using the Templates
There are a few things to keep in mind when utilizing Strike Graph’s templates to create your policies.
First, the language we’re offering in our templates is meant to be a generic starting point. If it works for you as-is, great! You should feel comfortable changing the language as much as needed so that it matches your actual business practices. It is also fine to remove any sections of the policy templates that don’t apply to your organization. For SOC 2, there aren’t specific requirements for the content of your policies, but rather the requirement is that you can prove that your organization follows your policies as they are stated. Many policies will call out where text is required, such as for HIPAA or PCI.
Next, remember that auditors look for proof that your organization is able to adhere to the policies and processes you created. Whether you stick closely to the templated language or customize heavily, be sure that your organization can commit to, and abide by, the policy you are creating. It’s better to have a less stringent policy that you can realistically execute, rather than stringent expectations that you cannot meet. Take a termination policy as an example: having a policy stating that access is revoked within 24 hours of termination may be ideal, but if your team is unlikely to be able to execute within that 24-hour window, you should extend the window to realistically reflect the time your team needs to revoke access.
Finally, prior to publishing the policy to your organization (or uploading it to your Strike Graph evidence repository), ensure that all colored text and the guidance information in red, above the document title, have been removed. You may also want to apply a document classification (as defined by your Classification Policy) to the header or footer of your document. For some frameworks, like ISO 27001, it is helpful to add a document inventory number or code to the document.
If you need a template and cannot find it in our library, reach out to your CSM! They can point you in the right direction, whether that’s a broader policy that contains the language you need, a template that might have a different name than you expect, or if it’s one of the few policies we don’t yet have a template for, your CSM may be able to provide some guidance for where to find language you can use when drafting your policy.