Comply Documentation

Policy management and ISO 27001:2022 ISMS with full compliance tracking

What is Comply?

Comply is your centralized hub for policies, procedures, and compliance documentation. It provides version control, workflow management, and comprehensive ISO 27001:2022 Information Security Management System (ISMS) support with full Statement of Applicability tracking.

Key Features

ISO 27001 ISMS Module

  • ISMS Scope Definition: Define your organization's ISMS boundary and objectives
  • Statement of Applicability: All 93 ISO 27001:2022 controls with applicability and implementation tracking
  • Control Implementation: Track implementation status, justifications, and notes for each control
  • Documentation Management: Link to external systems for risk management, asset management, BCDR, incident response, change management, and supplier management
  • Compliance Dashboard: Real-time metrics showing scope status, applicable controls, and implementation progress

Policy Management

  • Rich Text Editor: Create and edit policies with TipTap editor
  • Version Control: Track changes and maintain policy history
  • Workflow Management: Draft → Review → Approval → Active states
  • Policy Categories: Organize by ISO, QMS, HR, IT, etc.
  • Atlas Integration: Policies searchable via Atlas chatbot
  • NextUp Integration: Create action items from policy reviews

Setting Up ISO 27001 ISMS

  1. Enable ISMS: Go to Settings → Admin → Enable the ISO 27001 ISMS Module toggle
  2. Define Scope: Click ISMS in sidebar → Define your organization's ISMS scope, including objectives, boundaries, interested parties, and assets
  3. Configure Statement of Applicability: Review all 93 ISO 27001:2022 controls and mark each as "applicable" or "not applicable" with justifications
  4. Track Implementation: For applicable controls, update implementation status (planned, in progress, implemented) and add implementation notes
  5. Link Documentation: Add URLs and notes for key ISMS processes (risk management, asset management, BCDR, etc.)
  6. Monitor Dashboard: View real-time compliance metrics on the main Comply dashboard

Creating a Policy

  1. Click "New Policy" in Comply dashboard
  2. Enter policy title and select category
  3. Write policy content using rich text editor
  4. Set policy status (Draft, Review, Approved, Active)
  5. Assign reviewers if needed
  6. Save and publish when ready

Policy Workflow

Comply supports a structured approval workflow for policy management:

Workflow States

  • Draft: Initial policy creation and editing. Only the creator can edit.
  • In Review: Policy submitted to assigned reviewers for approval
  • Active: Approved by all reviewers, published and searchable via Atlas

Review Process

  1. Submit for Review: Creator assigns reviewers and submits policy
  2. Reviewers Take Action: Each reviewer can:
    • Approve: Accept the policy. When ALL reviewers approve, the policy becomes Active
    • Request Changes: Send back to Draft with feedback. Creator can edit and resubmit
    • Reject: Send back to Draft. Creator can edit and resubmit if desired
  3. Resubmission: If rejected or changes requested, creator can:
    • Edit the policy content
    • Reassign reviewers if needed
    • Submit again for review

Status Badges

Draft policies show additional badges to indicate feedback:

  • Rejected (Red): Policy was rejected by a reviewer. Can be edited and resubmitted or left as-is
  • Changes Requested (Orange): Policy needs revisions. Should be edited and resubmitted
  • No Badge: A new draft that hasn't been submitted for review yet

Security & Permissions

Comply uses database-level Row Level Security (RLS) to protect your organization's policies:

What You Can Do

  • View: All policies within your organization
  • Create: New policies in your organization
  • Edit: Policies you created, or policies you're assigned to review
  • Delete: Only your own draft policies (not policies in review or active)
  • Assign Reviewers: Anyone in your organization can be assigned as a reviewer

Data Protection

  • You can only see policies from your own organization
  • Other organizations cannot access your policies
  • Security is enforced at the database level, not just the UI
  • All policy changes are tracked with timestamps and user information
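As an added illustration (not Comply's own code) of the review workflow and the permission matrix above, this Python model encodes the Draft → In Review → Active transitions, the all-reviewers-must-approve rule, the feedback badges, and the view/edit/delete rules as plain functions. The function names, the PermissionError handling and the "org" argument are assumptions; in the product itself these rules are enforced by database RLS rather than application code.

```python
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

DRAFT, IN_REVIEW, ACTIVE = "draft", "in_review", "active"


@dataclass
class Policy:
    org: str
    creator: str
    status: str = DRAFT
    reviewers: Set[str] = field(default_factory=set)
    approvals: Set[str] = field(default_factory=set)
    badge: Optional[str] = None  # "rejected", "changes_requested" or None on a draft


def submit_for_review(p: Policy, user: str, reviewers: Iterable[str]) -> None:
    """Creator assigns reviewers and moves a draft into review (clears old feedback)."""
    reviewers = set(reviewers)
    if user != p.creator or p.status != DRAFT or not reviewers:
        raise PermissionError("only the creator can submit a draft, and it needs reviewers")
    p.reviewers, p.approvals = reviewers, set()
    p.badge, p.status = None, IN_REVIEW


def review(p: Policy, reviewer: str, decision: str) -> str:
    """Apply one reviewer's decision and return the resulting workflow status."""
    if p.status != IN_REVIEW or reviewer not in p.reviewers:
        raise PermissionError("only an assigned reviewer can act on a policy in review")
    if decision == "approve":
        p.approvals.add(reviewer)
        if p.approvals == p.reviewers:  # becomes Active only when ALL reviewers approve
            p.status = ACTIVE
    elif decision in ("request_changes", "reject"):
        p.status = DRAFT  # back to Draft; the badge records which feedback was given
        p.badge = "changes_requested" if decision == "request_changes" else "rejected"
    else:
        raise ValueError(f"unknown decision {decision!r}")
    return p.status


# Permission matrix from the Security & Permissions section; org is the caller's organization.
def can_view(user: str, org: str, p: Policy) -> bool:
    return p.org == org  # only policies from your own organization are visible


def can_edit(user: str, org: str, p: Policy) -> bool:
    return p.org == org and (user == p.creator or user in p.reviewers)


def can_delete(user: str, org: str, p: Policy) -> bool:
    return p.org == org and user == p.creator and p.status == DRAFT
```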

Best Practices

ISMS Management

  • Review and update your ISMS scope annually or when organizational changes occur
  • Document detailed justifications for "not applicable" controls for auditor review
  • Keep implementation notes current with actual security practices
  • Link ISMS documentation to your actual risk register and asset inventory systems
  • Use the dashboard metrics to track progress toward full implementation
  • Align your security policies in Comply with the controls marked as "implemented" in your SoA

Policy Management

  • Use clear, descriptive policy titles
  • Keep policies concise and actionable
  • Review and update policies annually
  • Use categories consistently across policies
  • Include effective dates and version numbers
  • Link related policies together