Overview
Security Policy Communication is the process of formally distributing approved security policies to all relevant personnel and confirming their awareness. It ensures employees and contractors receive, can access, and acknowledge security expectations, supporting the SOC 2 common criterion on internal communication of control information (CC2.2).
Step-by-Step Process
Confirm policy approval
The Security Lead verifies that the security policy has been formally approved and is the current version. This includes checking that the approval date, version number, and approver are recorded on the document itself, so the published copy can later be tied to that approval. The output is a finalized, approved security policy ready for distribution.
Role: Security Lead
Identify target audience
The Security Lead defines which users must receive the policy, for example all employees and long-term contractors. The list is drawn from the HR employee roster or identity management system rather than from memory, so that recent hires and contractors are not missed. The output is a documented, dated list or statement of the intended audience that acknowledgements can later be reconciled against.
Role: Security Lead
Publish policy in knowledge repository
The Security Lead uploads or updates the approved policy in the company’s official knowledge management tool. The policy must be placed in a clearly labeled security or compliance section accessible to all required users. The output is a live, accessible policy page or document.
Role: Security Lead
Notify users of policy availability
The Security Lead sends a formal communication announcing the policy and where it can be accessed. This is typically done via company-wide email, chat announcement, or intranet post. The output is a dated notification message referencing the policy location.
Role: Security Lead
Collect acknowledgements
Where feasible, the Security Lead collects employee acknowledgements through an embedded acknowledgement, form, or HR system. Each acknowledgement should name the policy version so it can be tied to the approved document rather than to an earlier one. For small teams, read receipts or confirmation responses may be used and retained alongside the announcement. The output is a record showing who acknowledged which version and when, reconciled against the audience list so that anyone who has not acknowledged is visible.
Role: Security Lead
Review annually
At least annually, the Security Lead reviews the policy and repeats the communication process if changes are made or to reaffirm awareness. This review is documented with a date and reviewer name. The output is an annual review record supporting SOC 2 compliance.
Role: Security Lead
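The reconciliation the acknowledgement and review steps call for (audience list from HR or the identity system, matched against the acknowledgement export, checked against the current version and approval date) is easy to get wrong by hand. The following is an added example, not part of the original page or any particular tool's export format: it assumes two CSV exports with the column names shown, and the roster rows, acknowledgement rows, version number and approval date are constructed for illustration. It separates people who acknowledged the current version after approval from those who acknowledged only a superseded version, those whose acknowledgement predates the approval (a stale export or the wrong document), those with no acknowledgement at all, and acknowledgements from accounts not on the roster.

```python
"""Reconcile policy acknowledgements against the target audience.

Added example for illustration; the CSV layouts, names and dates below are
constructed, not taken from a real HR system or knowledge tool.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Assumed details of the current approved policy (hypothetical values).
CURRENT_VERSION = "2.1"
APPROVAL_DATE = date(2024, 3, 4)

# Constructed sample export from the HR roster / identity provider.
ROSTER_CSV = """email,name,type,status
alice@example.com,Alice Adams,employee,active
bob@example.com,Bob Brown,employee,active
carol@example.com,Carol Chen,contractor,active
dave@example.com,Dave Diaz,employee,terminated
frank@example.com,Frank Foster,employee,active
"""

# Constructed sample acknowledgement export (form responses or HR system).
ACK_CSV = """email,policy_version,acknowledged_on
Alice@Example.com,2.1,2024-03-06
bob@example.com,2.0,2023-03-10
carol@example.com,2.1,2024-03-01
erin@example.com,2.1,2024-03-05
"""


@dataclass
class Report:
    acknowledged: list = field(default_factory=list)  # current version, on/after approval
    outdated: list = field(default_factory=list)      # only a superseded version
    suspicious: list = field(default_factory=list)    # current version, dated before approval
    missing: list = field(default_factory=list)       # in audience, no acknowledgement
    unknown: list = field(default_factory=list)       # acknowledged but not in audience


def load_audience(roster_csv: str) -> set:
    """Active employees and contractors; terminated accounts are out of scope."""
    rows = csv.DictReader(io.StringIO(roster_csv))
    return {r["email"].strip().lower() for r in rows if r["status"].strip() == "active"}


def load_acks(ack_csv: str) -> dict:
    """Map normalised email -> list of (version, date) acknowledgements."""
    acks = {}
    for r in csv.DictReader(io.StringIO(ack_csv)):
        email = r["email"].strip().lower()  # exports often differ in letter case
        when = date.fromisoformat(r["acknowledged_on"].strip())
        acks.setdefault(email, []).append((r["policy_version"].strip(), when))
    return acks


def reconcile(roster_csv: str, ack_csv: str, current_version: str, approval_date: date) -> Report:
    audience = load_audience(roster_csv)
    acks = load_acks(ack_csv)
    report = Report()
    for email in sorted(audience):
        entries = acks.get(email, [])
        current = [d for v, d in entries if v == current_version]
        if any(d >= approval_date for d in current):
            report.acknowledged.append(email)
        elif current:
            report.suspicious.append(email)  # acknowledged "current" version before it existed
        elif entries:
            report.outdated.append(email)    # acknowledged an older version only
        else:
            report.missing.append(email)
    # Acknowledgements from accounts not in the audience (e.g. terminated or unlisted).
    report.unknown = sorted(set(acks) - audience)
    return report


def main():
    r = reconcile(ROSTER_CSV, ACK_CSV, CURRENT_VERSION, APPROVAL_DATE)
    for label, emails in vars(r).items():
        print(f"{label:12s} {len(emails):3d}  {', '.join(emails)}")


if __name__ == "__main__":
    main()
```

Run it after each collection round and keep the output with the dated audience list; the `missing` and `outdated` lists are the follow-up queue, and an empty `missing` list for the current version is the state the annual review should record.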
What You Need Before Starting
- Approved and current version of the security policy document
- Access to company knowledge management tool (Confluence, Notion, or SharePoint)
- Employee or contractor user list from HR or identity system
- Company communication channel access (email or chat)
Evidence Your Auditor Expects
- Security policy document showing version number and approval date
- Screenshot of the published policy page with visible URL and last updated date
- Copy or screenshot of the policy announcement email or post with timestamp
- Acknowledgement report or responses showing user names and dates
- Annual policy review record dated within the audit period
How This Looks In Your Tools
Confluence
Navigate to Space Settings → Content and confirm the Security or Compliance space exists. Click Create → Page, upload or paste the approved security policy, and add version and approval date at the top of the page.
Once published, click Share → Copy link and send the link via company email or Slack. To capture acknowledgement, add the Confluence “Task List” or “Page Properties” macro and require users to check off or comment to confirm they have read the policy. Because a checkbox or comment can be changed later, export or screenshot the acknowledgement state at the time of the review and rely on the page history to show when each check or comment was made.
Notion
Open the Compliance or Security workspace and click New Page. Upload the security policy or create a policy page, ensuring the approval date and version are clearly displayed at the top.
Click Share → Copy link and distribute the link via email or chat. To track acknowledgements, insert a linked database or checkbox property labeled “Policy Acknowledged” and record user names and dates.
SharePoint
Go to SharePoint → Sites → Compliance or Security site, then select Documents → Upload to add the approved policy. Open Library settings → Versioning settings to confirm version history is enabled, and use the Details pane to check the modified date.
Select the document → Copy link and send it via Outlook or Teams. If acknowledgements are required, use a Microsoft Form linked from the document and retain the response log. Outlook read receipts only show that a message was opened and can be declined by the recipient, so treat them as a fallback for small teams rather than primary evidence.
Common Audit Findings
- Policy not formally communicated: policies are stored, but no evidence shows users were notified. Prevent this by always sending a dated announcement and retaining a copy or screenshot.
- Outdated policy version shared: auditors often find older versions still posted in knowledge tools. Prevent this by confirming version numbers before publishing and removing or archiving superseded policies.
- No acknowledgement evidence: organizations rely on informal sharing without proof of awareness. Use checklists, forms, or response logs that show who acknowledged which version and when.
- Limited user access to policy: permissions restrict some employees or contractors from viewing the policy. Periodically test access using a standard employee account (and a contractor account, where contractors are in scope) to ensure visibility.