Policies are formal documents that define your organization’s rules, procedures, and standards for information security and compliance. LowerPlane provides a complete policy management system that handles the entire lifecycle from drafting through employee acknowledgment.

Policy Lifecycle

Every policy in LowerPlane follows a structured lifecycle:
  1. Draft: A policy is created from a template, written in the built-in editor, or uploaded as a document. At this stage, the policy is only visible to its author and administrators.
  2. In Review: The policy is submitted for approval. Designated reviewers can comment, suggest changes, and either approve or reject the policy.
  3. Approved: The policy has been approved by all required reviewers. It is ready to be published and distributed to employees.
  4. Published: The policy is live and visible to employees through the Employee Portal. Acknowledgment requests can now be sent.

Policies can move backward in the lifecycle. A published policy that needs updates returns to Draft status for editing, then goes through the review and approval process again. LowerPlane tracks all version changes in the policy history.

Source Types

LowerPlane supports four ways to create and manage policies:

Built-in Editor

Write policies directly in LowerPlane’s rich text editor. The editor supports formatting, headers, lists, tables, and links. Policies created this way are stored natively and can be previewed and exported to PDF.

Uploaded Document

Upload an existing policy document in PDF or DOCX format. LowerPlane stores the file and tracks its metadata, version history, and approval status alongside native policies.

Linked Document

Link to a policy hosted externally on Google Drive, Dropbox, OneDrive, or any URL. LowerPlane tracks the link and manages the approval workflow and acknowledgment process while the document lives in your preferred platform.

From Template

Start from one of LowerPlane’s 15+ built-in templates. Templates are pre-written, pre-mapped to framework controls, and include all required sections. Customize the template to match your organization’s specifics.

Policy Statuses

| Status | Description | Visible to Employees | Acknowledgments |
|---|---|---|---|
| Draft | Being written or edited | No | No |
| In Review | Submitted for approval, awaiting reviewer action | No | No |
| Approved | Approved by all reviewers, ready to publish | No | No |
| Published | Live and active | Yes | Yes |

What Policies Cover

LowerPlane’s policy templates span the full range of compliance requirements:
  • The foundational policy that establishes your organization’s commitment to information security. Required by all frameworks. Covers security objectives, roles and responsibilities, and high-level security principles.
  • Defines how access to systems, data, and facilities is managed. Covers user provisioning, authentication requirements, access reviews, and privilege escalation procedures.
  • Addresses data classification, handling, storage, and disposal. Includes encryption requirements, backup procedures, and privacy obligations under GDPR and HIPAA.
  • Establishes procedures for detecting, reporting, and responding to security incidents. Includes severity classifications, escalation procedures, and post-incident review processes.
  • Sets expectations for employee use of company systems, devices, and data. Covers internet usage, email, personal devices, and social media.
  • Defines how changes to systems, infrastructure, and applications are proposed, reviewed, tested, and deployed. Covers emergency change procedures and rollback plans.
  • Outlines how the organization maintains operations during disruptions. Covers disaster recovery, backup systems, recovery time objectives, and testing requirements.
  • Establishes how third-party vendors are evaluated, onboarded, monitored, and offboarded. Covers risk assessment requirements, contractual obligations, and ongoing review cycles.

Linking Policies to Controls

Policies support your compliance controls by providing documented procedures and rules. In LowerPlane:
  • Template-based policies are automatically linked to relevant controls across all applicable frameworks
  • Custom policies can be manually linked to controls from the policy or control detail views
  • A single policy can satisfy control requirements in multiple frameworks simultaneously
  • The compliance dashboard tracks policy coverage as part of your readiness score

Start with template-based policies to get automatic control mapping. You can customize templates extensively while preserving the pre-built control linkages.

Policy Versioning

LowerPlane maintains a complete version history for every policy:
  • Each save creates a new version entry
  • The approval workflow is tied to a specific version
  • Published policies show their current version number
  • Previous versions are accessible from the version history panel
  • Changes between versions can be compared side by side

When you update a published policy, it returns to Draft status and requires a new round of review and approval before being republished. This ensures all published policies have been properly vetted.

Next Steps

Creating Policies

Learn how to create policies from templates, the editor, or external sources.

Approval Workflow

Set up and manage policy approval workflows.

Acknowledgments

Send and track employee policy acknowledgments.