Policy center

Policy types, the policy lifecycle from draft to approved, approval workflow rules, how approved policies unlock control readiness, and review schedules.

Last updated: June 2026

What the policy center is

The policy center is where you create, manage, and maintain the information security policies required by SOC 2, ISO 27001, and other frameworks. Policies in Nuxari are not just documents — they are linked to controls. An approved policy provides evidence that a required governance activity has been formally authorized and communicated.

Policy types

Common policy types managed in the policy center include:

  • Information Security Policy
  • Access Control Policy
  • Acceptable Use Policy
  • Incident Response Policy
  • Business Continuity and Disaster Recovery Policy
  • Data Classification Policy
  • Vendor Management Policy
  • Cryptography and Key Management Policy
  • Change Management Policy
  • Remote Work and BYOD Policy

Policy lifecycle

Every policy in Nuxari moves through a defined lifecycle:

  • Draft. The policy is being written or revised. It has no compliance effect until approved.
  • In review. The policy has been submitted for approval and is awaiting a decision from an authorized approver.
  • Approved. The policy has been formally approved. It counts as evidence for linked controls, and can be included in audit packages.
  • Expired. The policy has passed its review date without renewal. Controls linked to expired policies enter a blocked state until the policy is renewed and re-approved.

Approval workflow

Policy approval in Nuxari follows a separation of duties rule:

  • The policy owner cannot approve their own policy. A different authorized person must review and approve.
  • Only Client Owners and Client Security Admins can approve policies.
  • Approvals are audited. The approval event records who approved, when, and for which policy version.

If the only authorized approver is also the policy owner, a second authorized user must be involved. Contact your Client Owner to resolve this.

How approved policies unlock control readiness

Controls in the library specify which policies must be approved before the control can reach a ready state. For example, the Access Control control requires the Access Control Policy to be in an approved state. If the policy is in draft or expired, the control shows a blocked state with a policy blocker. Approve or renew the policy to unblock it.

Policy review schedule

Most information security policies should be reviewed at least annually. Nuxari tracks each policy's next review date and notifies the policy owner when a review is approaching. Policies that pass their review date without renewal are automatically set to expired.
