Overview
The Policy Review and Update Process is the formal, documented method for reviewing, approving, and updating organizational policies so that they remain accurate, formally approved, and communicated to the people who must follow them. It keeps the policy information used internally and externally reliable and current, supporting SOC 2 CC2.1 and CC2.2 requirements.
Step-by-Step Process
Identify policies due for review
The Security Lead reviews the policy inventory to identify policies scheduled for annual review or triggered by regulatory, business, or control changes. Policies requiring updates are logged with review due dates. The output is a confirmed list of policies in scope for the review cycle.
Role: Security Lead
Assign policy reviewers
The Security Lead assigns each policy to an appropriate reviewer, such as IT, HR, or Legal, based on subject matter ownership. Assignments are documented with clear deadlines. The output is an ownership record for each policy review.
Role: Security Lead
Review policy content
Assigned reviewers assess policies for accuracy, relevance, and alignment with current operations and SOC 2 requirements. Reviewers document required changes or confirm no changes are needed. The output is a completed review record with comments.
Role: Policy Owner
Update policy documents
The Policy Owner updates policy language, version numbers, and review dates as needed. All changes are made using tracked revisions or version history. The output is an updated draft policy ready for approval.
Role: Policy Owner
Approve updated policies
The Security Lead reviews updated policies for completeness and compliance alignment. Formal approval is recorded via electronic sign-off or tool-based approval. The output is an approved policy with a recorded approval date.
Role: Security Lead
Publish and communicate policies
Approved policies are published to the official policy repository and communicated to relevant personnel. Notifications are sent via email, Slack, or LMS as applicable. The output is a published policy with evidence of communication.
Role: Security Lead
Retain evidence and track next review
All review, approval, and communication evidence is retained in the compliance tool or document repository. The next review date is scheduled. The output is a complete evidence trail supporting the review cycle.
Role: Security Lead
What You Need Before Starting
- Current policy inventory with last review dates
- Access to compliance tools (Drata or Vanta)
- Access to policy repository (Confluence)
- SOC 2 criteria CC2.1 and CC2.2 requirements
Evidence Your Auditor Expects
- Dated policy documents showing version number and last reviewed date
- Screenshot of policy approval record with approver name and timestamp
- Change history or redline showing updates made during the review
- Screenshot or export showing policy publication date in Confluence
- Email or tool-based notification log showing policy communication date
How This Looks In Your Tools
Drata
Log in to Drata and navigate to Policies > Policy Center. Review the “Review Due” column to identify policies requiring review and click into each policy record.
Within the policy record, select Edit Policy to upload a revised document or confirm no changes. Use the Request Approval button to route the policy to the Security Lead, and ensure the approval status updates to Approved with a visible timestamp.
After approval, confirm the policy status is Published and download the audit log from the policy record showing review date, approver, and version for evidence retention.
Vanta
Log in to Vanta and go to Compliance > Policies. Filter policies by Review Due or Status to identify those needing annual review.
Open each policy, select Edit or Upload New Version, and update the review date and version number. Use the Approvals section to request and record Security Lead approval, ensuring the approval timestamp is visible.
Verify the policy status shows Active and download the policy history or approval screenshot from the policy page for audit evidence.
Confluence
Navigate to the Policies space in Confluence and use the Page Properties Report or labels to identify policies due for review. Open the policy page and select Edit to make updates.
Update the “Last Reviewed” date and version section at the top of the page, then publish the page. Use the Page History menu to confirm changes and timestamps.
Notify stakeholders using Share > Email or Slack integration, and retain screenshots of the updated page and page history as evidence.
Common Audit Findings
- Policies not reviewed annually
  - This occurs when review dates are not tracked or reminders are missed. Prevent this by using automated review reminders in Drata or Vanta and maintaining a review calendar owned by the Security Lead.
- Missing approval evidence
  - Auditors flag policies without documented approval timestamps. Ensure all approvals are captured within the compliance tool or documented via electronic sign-off.
- Outdated policy content
  - Policies may not reflect current operations or controls. Require reviewers to explicitly confirm operational alignment during each review cycle.
- No evidence of policy communication
  - Auditors expect proof that policies were shared with employees. Retain notification logs, email screenshots, or LMS acknowledgements after publication.