Policy Management

Create, version, and publish security policies directly in zGovern. Policies are versioned, shareable via the Trust Center, and searched by the questionnaire auto-answer engine when it suggests answers.

Policy Lifecycle

Policies in zGovern move through a three-stage lifecycle:

  DRAFT → ACTIVE → ARCHIVED

  DRAFT

    Policy is being written or reviewed. Not yet approved for distribution.
    Visible to: ADMIN users only.

  ACTIVE

    Policy is approved and in force. Included in audit exports and the Trust Center.
    Visible to: all authenticated users, plus the Trust Center if it is public.

  ARCHIVED

    Superseded by a newer version. Retained for historical audit evidence.
    Visible to: ADMIN and AUDITOR users only, in the audit history.

Policy Fields

  title (string)

    Policy name (e.g., "Access Control Policy").

  content (rich text)

    Full policy body. Supports markdown-style formatting rendered in the UI.

  version (integer)

    Auto-incremented on each publish. Starts at 1 and increases with every new publish action.

  status (DRAFT / ACTIVE / ARCHIVED)

    Current lifecycle stage.

  publishedAt (datetime, nullable)

    Timestamp when the policy was last transitioned to ACTIVE. null for DRAFT policies.

Built-in Policy Templates

zGovern seeds three production-ready policy templates on first startup, each as ACTIVE version 1. You can use these as-is or customise them to match your organisation's specific requirements:

  Access Control Policy (ACTIVE, v1)

    Covers user provisioning, least privilege, MFA requirements, access reviews, and offboarding procedures.

  Incident Response Policy (ACTIVE, v1)

    Defines incident severity levels, escalation paths, communication templates, post-mortem requirements, and regulatory notification timelines.

  Risk Assessment Policy (ACTIVE, v1)

    Specifies the risk assessment methodology, scoring criteria, review frequency, and risk acceptance thresholds used organisation-wide.

How to Create and Publish a Policy

  1. Navigate to Policy Management

    Click Policy Management in the sidebar. You'll see the list of existing policies with their status and version.

  2. Click "New Policy"

    Enter a title and begin writing the policy content in the rich-text editor. The editor supports headings, bullet lists, numbered lists, and inline code.

  3. Save as Draft

    Click Save Draft. The policy is created with status DRAFT and version 1. It is not yet visible to non-admin users.

  4. Review and approve

    Share the draft with your legal, compliance, or management team for review. Use the comment thread on the policy page to document review feedback.

  5. Publish the policy

    Click Publish to transition the policy to ACTIVE. publishedAt is set to now. The policy is immediately:

    • Visible to all authenticated users in the Policies page
    • Included in the Audit Bundle export (policies.txt)
    • Shown in the Trust Center (if enabled)
    • Available for automatic matching to questionnaire questions

Version History

Every time you publish an updated version of an existing policy, the following occurs:

  1. The current ACTIVE version is moved to ARCHIVED status
  2. A new record is created with the updated content and incremented version number
  3. The new record is immediately published as ACTIVE

All historical versions are retained in the database and visible in the policy's version history panel. Auditors can view any previous version to verify what was in force at a specific point in time — this is critical for annual audits.

GET /api/policies — response showing version history
{
  "success": true,
  "data": [
    {
      "id": "clxp1a2bc0003lg3a",
      "title": "Access Control Policy",
      "version": 3,
      "status": "ACTIVE",
      "publishedAt": "2026-03-01T09:00:00.000Z"
    },
    {
      "id": "clxp1a2bc0002lg3a",
      "title": "Access Control Policy",
      "version": 2,
      "status": "ARCHIVED",
      "publishedAt": "2025-09-15T14:30:00.000Z"
    }
  ]
}
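The lifecycle rules, the publish-new-version sequence and the auditor's "what was in force on date X" question above, as an added example in JavaScript that is not part of zGovern or its documentation. The field names (title, content, version, status, publishedAt) and the three statuses come from this page; the PolicyStore class, its method names, the local id scheme, the USER/ADMIN/AUDITOR role strings and the listing() helper are assumptions made for illustration.

```javascript
// Added example, not zGovern's own code: an in-memory model of the policy
// lifecycle and the publish-new-version rule, plus the lookup an auditor needs.
// Field names follow the documentation; everything else here is assumed.

const STATUS = { DRAFT: "DRAFT", ACTIVE: "ACTIVE", ARCHIVED: "ARCHIVED" };

class PolicyStore {
  constructor() {
    this.records = []; // every version ever created stays here; nothing is deleted
    this.nextId = 1;
  }

  // "Save Draft": new record, status DRAFT, shown as version 1 until published.
  saveDraft(title, content) {
    const rec = { id: `p${this.nextId++}`, title, content, version: 1,
                  status: STATUS.DRAFT, publishedAt: null };
    this.records.push(rec);
    return rec;
  }

  active(title) {
    return this.records.find(r => r.title === title && r.status === STATUS.ACTIVE) || null;
  }

  // "Publish": DRAFT -> ACTIVE. An existing ACTIVE version of the same title is
  // ARCHIVED first, so at most one record per title is ACTIVE, and the version
  // number becomes one higher than any previously published version.
  publish(id, now = new Date()) {
    const rec = this.records.find(r => r.id === id);
    if (!rec) throw new Error(`unknown policy ${id}`);
    if (rec.status !== STATUS.DRAFT) throw new Error(`cannot publish a ${rec.status} policy`);
    const published = this.records.filter(r => r.title === rec.title && r.status !== STATUS.DRAFT);
    const current = published.find(r => r.status === STATUS.ACTIVE);
    if (current) current.status = STATUS.ARCHIVED;                   // step 1: supersede, keep the record
    rec.version = 1 + Math.max(0, ...published.map(r => r.version)); // step 2: incremented version
    rec.status = STATUS.ACTIVE;                                       // step 3: in force immediately
    rec.publishedAt = now.toISOString();
    return rec;
  }

  // Updating a policy is always a new record; archived text is never edited in place.
  publishUpdate(title, content, now = new Date()) {
    return this.publish(this.saveDraft(title, content).id, now);
  }

  // Visibility rules from the lifecycle table; the caller is assumed to be authenticated.
  visibleTo(role) {
    return this.records.filter(r =>
      r.status === STATUS.ACTIVE ||
      (r.status === STATUS.DRAFT && role === "ADMIN") ||
      (r.status === STATUS.ARCHIVED && (role === "ADMIN" || role === "AUDITOR")));
  }

  // Which version of `title` was in force at instant `at`? publishedAt on an
  // ARCHIVED record is still the moment it became ACTIVE, so the answer is the
  // most recently published record with publishedAt <= at.
  inForceAt(title, at) {
    const t = Date.parse(at);
    return this.records
      .filter(r => r.title === title && r.publishedAt !== null && Date.parse(r.publishedAt) <= t)
      .sort((a, b) => Date.parse(b.publishedAt) - Date.parse(a.publishedAt))[0] || null;
  }
}

// Same shape as the GET /api/policies listing shown above (ids here are local).
function listing(store, title) {
  return store.records
    .filter(r => r.title === title && r.status !== STATUS.DRAFT)
    .sort((a, b) => b.version - a.version)
    .map(({ id, title, version, status, publishedAt }) => ({ id, title, version, status, publishedAt }));
}

// Usage: reproduce the Access Control Policy history from the listing above.
const store = new PolicyStore();
store.publish(store.saveDraft("Access Control Policy", "v1 text").id, new Date("2025-01-10T10:00:00Z"));
store.publishUpdate("Access Control Policy", "v2 text", new Date("2025-09-15T14:30:00Z"));
store.publishUpdate("Access Control Policy", "v3 text", new Date("2026-03-01T09:00:00Z"));
console.log(JSON.stringify({ success: true, data: listing(store, "Access Control Policy") }, null, 2));
console.log("in force on 2025-12-01:", store.inForceAt("Access Control Policy", "2025-12-01T00:00:00Z").version);
```

Two points the model makes explicit: the store never mutates or deletes an archived record, which is what makes the version history usable as audit evidence, and inForceAt() relies on publishedAt being preserved when a record is archived, so the archived v2's timestamp still says when v2 took effect rather than when it was superseded.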

Policy Export

All ACTIVE policies are included in the Audit Bundle as policies.txt — a formatted plain-text file suitable for inclusion in audit evidence packages. The export includes:

  • Policy title, version, and published date
  • Full policy content
  • A separator between each policy

Download it via the Export Audit Bundle button in the Audit Workspace or via GET /api/export/audit-bundle. Only ACTIVE policies are exported; superseded versions remain available in the version history panel and in the GET /api/policies listing.

Questionnaire Integration

When you use the Questionnaire auto-answer engine, the system searches the content of all ACTIVE policies for relevant information. For example, a question like "Do you have an access control policy?" will match against the Access Control Policy and pull its key sentences into the suggested answer.

The matching is keyword-based with a confidence score (0–100%). Higher-scoring matches from well-written, comprehensive policies will result in better auto-answers.

Tip: write policies with questionnaire answers in mind. Include specific, verifiable statements in your policies (e.g., "Multi-factor authentication is required for all user accounts with access to production systems"). These map directly to common security questionnaire questions and improve auto-answer confidence scores significantly.
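A keyword matcher of the kind described in this section, added here as an example in JavaScript; it is not zGovern's auto-answer engine, whose actual tokenisation and scoring this page does not specify. The policy texts in SAMPLE_POLICIES are constructed samples, and the stop-word list, the half credit for terms that appear only in a policy title, and the 40% cut-off are assumptions. It shows why the tip above holds: a sentence that states the terms a question uses scores higher than a vague one, and DRAFT or ARCHIVED text never contributes.

```javascript
// Added example, not zGovern's questionnaire engine: a keyword-overlap matcher
// that scores every sentence of every ACTIVE policy against a question and
// returns the best sentences with a 0-100 confidence. Stop words, the title
// half-credit and the cut-offs are assumptions; the policy texts are samples.

const STOP_WORDS = new Set(["all", "and", "are", "does", "for", "from", "have",
  "how", "our", "that", "the", "this", "what", "which", "with", "you", "your"]);

function keywords(text) {
  const words = text.toLowerCase().match(/[a-z0-9][a-z0-9-]*/g) || [];
  return new Set(words.filter(w => w.length > 2 && !STOP_WORDS.has(w)));
}

function sentences(text) {
  return text.split(/(?<=[.!?])\s+/).map(s => s.trim()).filter(Boolean);
}

// Fraction of the question's keywords that the sentence itself states (full
// credit) or that only the policy title mentions (half credit), scaled to 0-100.
function scoreSentence(questionKeys, titleKeys, sentence) {
  const sentenceKeys = keywords(sentence);
  let credit = 0;
  for (const k of questionKeys) {
    if (sentenceKeys.has(k)) credit += 1;
    else if (titleKeys.has(k)) credit += 0.5;
  }
  return questionKeys.size ? Math.round(100 * credit / questionKeys.size) : 0;
}

function suggestAnswer(question, policies, { minConfidence = 40, maxSentences = 2 } = {}) {
  const questionKeys = keywords(question);
  const candidates = [];
  for (const policy of policies) {
    if (policy.status !== "ACTIVE") continue; // DRAFT and ARCHIVED never feed an answer
    const titleKeys = keywords(policy.title);
    for (const sentence of sentences(policy.content)) {
      const score = scoreSentence(questionKeys, titleKeys, sentence);
      if (score >= minConfidence) {
        candidates.push({ policy: policy.title, version: policy.version, sentence, score });
      }
    }
  }
  candidates.sort((a, b) => b.score - a.score); // stable sort: ties keep document order
  const sources = candidates.slice(0, maxSentences);
  return { confidence: sources.length ? sources[0].score : 0, sources };
}

// Constructed sample records in the shape of the policy listing on this page.
const SAMPLE_POLICIES = [
  { title: "Access Control Policy", version: 3, status: "ACTIVE",
    content: "This policy defines access control requirements for all company systems. " +
             "Multi-factor authentication is required for all user accounts with access to production systems. " +
             "Access rights are reviewed quarterly and removed within 24 hours of offboarding." },
  { title: "Access Control Policy", version: 2, status: "ARCHIVED",
    content: "Multi-factor authentication is recommended for production access." },
  { title: "Incident Response Policy", version: 1, status: "ACTIVE",
    content: "Security incidents are classified by severity within one hour of detection. " +
             "Affected customers are notified within 72 hours of confirming a data breach." },
  { title: "Data Retention Policy", version: 1, status: "DRAFT",
    content: "Customer data is retained for 90 days after contract termination." },
];

// Usage: the question from the section above, a specific control question, and
// one whose only evidence sits in a DRAFT (so no answer is suggested).
for (const q of ["Do you have an access control policy?",
                 "Is MFA required for production access?",
                 "What is your data retention period?"]) {
  console.log(q, JSON.stringify(suggestAnswer(q, SAMPLE_POLICIES), null, 2));
}
```

The second question also shows the limit of keyword matching: "MFA" in the question does not match "multi-factor" in the policy because there is no synonym handling, so the sentence scores 75 rather than 100. Writing the term the way questionnaires phrase it (or including both spellings) is what the tip above amounts to in practice.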