The Policy Management module in Venvera provides a centralised library for your organisation's compliance policies. You can auto-generate framework-specific policies, create custom policies with document uploads, and manage each policy through a formal lifecycle. This article covers the regulatory context, documents every feature, and explains the full policy lifecycle workflow.
Regulatory Context
Multiple regulatory frameworks require formal, documented policies:
| Framework | Requirement | Detail |
|---|---|---|
| DORA Art. 9(4) | ICT Security Policies | Financial entities must establish ICT security policies including procedures and protocols, approved by the management body, to ensure the security and functioning of all ICT systems and tools. |
| NIS2 Art. 21(2)(a) | Risk Analysis Policies | Essential and important entities must adopt policies on risk analysis and information system security as part of their cybersecurity risk-management measures. |
| ISO 27001 Clause 5.2 | ISMS Policy | Top management must establish an information security policy appropriate to the purpose of the organisation, providing a framework for setting objectives. |
| GDPR Art. 24 | Data Protection Policies | Controllers must implement appropriate technical and organisational measures, including data protection policies, to demonstrate GDPR compliance. |
Policy Dashboard
Navigate to Policies in the sidebar. The page shows a header with action buttons, summary stat cards, framework filter tabs, and the policy list.
Summary Stat Cards
| Card | Description |
|---|---|
| Total | All policies across all frameworks |
| Draft | Policies in draft status (not yet submitted for review) |
| In Review | Policies submitted for review and awaiting approval |
| Approved | Policies formally approved and in effect |
Framework Filter Tabs
A row of filter tabs at the top lets you filter policies by framework: All, DORA, NIS2, ISO 27001, GDPR. Each tab shows the count of policies in that framework. A coloured dot beside each framework name provides quick visual identification (blue for DORA, purple for NIS2, cyan for ISO 27001, amber for GDPR).
Auto-Generating Policies
Venvera can auto-generate a standard set of compliance policies for each supported framework. This saves significant effort compared to writing each policy from scratch.
Click the Generate Policies button in the page header. A dropdown menu appears with four framework options: DORA, NIS2, ISO 27001, GDPR.
Click the framework you want to generate policies for. Venvera creates the standard policy set for that framework; a progress indicator is shown while generation runs.
A success message reports how many policies were created, how many already existed (skipped), and how many were skipped because they are covered by another framework (e.g., "3 covered by DORA"). Policies are created in Draft status so you can review and customise them before approval.
What Policies Are Generated
Each framework generates a tailored set of policies. Examples include:
- DORA: ICT Security Policy, ICT Risk Management Policy, Incident Response Policy, Business Continuity Policy, ICT Third-Party Risk Policy, ICT Change Management Policy, and more.
- NIS2: Risk Analysis and Information Security Policy, Incident Handling Policy, Supply Chain Security Policy, Cryptography Policy, and more.
- ISO 27001: ISMS Policy, Access Control Policy, Asset Management Policy, Information Classification Policy, and more.
- GDPR: Data Protection Policy, Privacy Notice, Data Breach Response Policy, Data Retention Policy, Data Subject Rights Policy, and more.
Creating a Custom Policy
For policies not covered by the auto-generation templates, create a custom policy:
Click the Custom Policy button in the header. An inline form appears.
Type the policy title (e.g., "Data Classification Policy"). This field is required.
Optionally, click the upload area or drag and drop a file to attach as the policy's first document. Supported file types: PDF, DOC, DOCX, XLSX, XLS, CSV, TXT, PNG, JPEG. Maximum file size: 25 MB. The file preview shows the filename, size, and a type icon.
Click Create Policy. The policy is created in Draft status. If a file was attached, it is uploaded as the first document for this policy.
Policy Lifecycle
Every policy follows a four-stage lifecycle. Status transitions are performed via buttons that appear when you expand a policy card:
| Status | Badge | Available Actions | Who Can Perform |
|---|---|---|---|
| Draft | Grey | "Submit for Review" button | Any team member with policy access |
| In Review | Amber | "Approve" button and "Return to Draft" button | Reviewers and policy owners |
| Approved | Green | "Archive" button; approval date is displayed | Policy owners and administrators |
| Archived | Grey/muted | No further transitions; retained for audit history | Read-only for all users |
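The lifecycle table above is a small state machine with role-gated transitions, and the place it must be enforced is the server, not the buttons: a user who cannot see the "Approve" button can still send the request by hand. The following is an added example written for this article, not Venvera's implementation. The role names ("member", "reviewer", "owner", "admin"), the `Policy` and `AuditEntry` classes and the `TransitionError` exception are assumptions; the states, transitions and who-can-perform rules follow the table.

```python
"""Added example: server-side enforcement of the four-stage policy lifecycle.

Illustrative code for this article, not Venvera's own implementation. Role
names and class names are assumptions; states and transitions follow the
lifecycle table (Draft -> In Review -> Approved -> Archived, with a return
path from In Review to Draft, and Archived as a terminal state).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

DRAFT, IN_REVIEW, APPROVED, ARCHIVED = "draft", "in_review", "approved", "archived"

# (current state, action) -> (next state, roles allowed to perform it).
# Nothing leads out of ARCHIVED, so it is terminal by construction.
TRANSITIONS = {
    (DRAFT, "submit_for_review"): (IN_REVIEW, {"member", "reviewer", "owner", "admin"}),
    (IN_REVIEW, "approve"):       (APPROVED, {"reviewer", "owner"}),
    (IN_REVIEW, "return_to_draft"): (DRAFT, {"reviewer", "owner"}),
    (APPROVED, "archive"):        (ARCHIVED, {"owner", "admin"}),
}


class TransitionError(Exception):
    """Raised for an undefined transition or an actor lacking the role for it."""


@dataclass
class AuditEntry:
    at: datetime
    actor: str
    action: str
    from_state: str
    to_state: str


@dataclass
class Policy:
    title: str
    state: str = DRAFT
    version: int = 1
    approved_at: Optional[datetime] = None
    history: list = field(default_factory=list)


def transition(policy, action, actor, roles, now=None):
    """Apply `action` to `policy` on behalf of `actor` holding `roles`.

    Checks the transition table first (is this action defined from the current
    state at all?), then the actor's roles against the allowed set. Records an
    audit entry for every successful transition and stamps approved_at when a
    policy reaches Approved. Returns the new state.
    """
    now = now or datetime.now(timezone.utc)
    try:
        next_state, allowed = TRANSITIONS[(policy.state, action)]
    except KeyError:
        raise TransitionError(f"'{action}' is not defined from state '{policy.state}'")
    if not (set(roles) & allowed):
        raise TransitionError(f"{actor} with roles {sorted(roles)} may not '{action}'")
    previous = policy.state
    policy.state = next_state
    if next_state == APPROVED:
        policy.approved_at = now  # evidence of formal approval
    policy.history.append(AuditEntry(now, actor, action, previous, next_state))
    return next_state


def allowed_actions(policy, roles):
    """Actions this user may take from the policy's current state (the buttons to render)."""
    return sorted(
        action
        for (state, action), (_, allowed) in TRANSITIONS.items()
        if state == policy.state and set(roles) & allowed
    )
```

Because `allowed_actions` and `transition` read the same table, the UI cannot offer a button that the server would refuse, and a hand-crafted request for "approve" from a Draft, or any action on an Archived policy, fails with `TransitionError` before any state changes.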
Document Management
Each policy can have multiple documents attached. Expand a policy card (click the eye/chevron icon) to see the Documents section:
- Upload: Click the Upload button to add a new document. Supported types: PDF, DOC, DOCX, XLSX, XLS, CSV, TXT, PNG, JPEG. Max size: 25 MB per file.
- Download: Click the download icon next to any document to retrieve it.
- Delete: Click the trash icon to remove a document (with confirmation).
Each document entry shows the filename, file size, file type icon (PDF, DOCX, XLSX, CSV, IMG, FILE), and the upload date. For auto-generated policies, a "Download .docx" button in the action bar downloads the generated policy content as a formatted Word document.
Supported File Types
| Type | Extensions | Icon |
|---|---|---|
| PDF Documents | .pdf | PDF |
| Word Documents | .doc, .docx | DOCX |
| Spreadsheets | .xlsx, .xls | XLSX |
| CSV Files | .csv | CSV |
| Text Files | .txt | FILE |
| Images | .png, .jpg, .jpeg | IMG |
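The extension and size limits listed above describe what the upload dialog accepts. The check a practitioner wants behind them is that the file's content matches its claimed type, so a renamed executable is not stored as a "PDF" and later downloaded by a reviewer. The following is an added example for this article, not Venvera's code. The 25 MB limit and the extension-to-icon mapping come from the tables on this page; the magic-byte table, the filename checks and the `UploadRejected` error are assumptions about how such validation could be done, not documented product behaviour.

```python
"""Added example: server-side validation of a policy document upload.

Illustrative code for this article, not Venvera's implementation. Mirrors the
published constraints (allow-listed extensions, 25 MB limit) and adds a
content check: formats with a known signature must start with it, and the
plain-text formats must actually be UTF-8 text. Signature table and error
type are assumptions.
"""
import os

MAX_BYTES = 25 * 1024 * 1024

# Extension -> icon label shown in the documents list (from the table above).
ALLOWED = {
    ".pdf": "PDF", ".doc": "DOCX", ".docx": "DOCX", ".xlsx": "XLSX",
    ".xls": "XLSX", ".csv": "CSV", ".txt": "FILE",
    ".png": "IMG", ".jpg": "IMG", ".jpeg": "IMG",
}

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP = b"PK\x03\x04"                          # .docx/.xlsx are ZIP containers

# Leading bytes each binary format must start with; csv/txt have no signature.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (ZIP,),
    ".xlsx": (ZIP,),
    ".doc": (OLE2,),
    ".xls": (OLE2,),
}


class UploadRejected(ValueError):
    """Raised when an upload fails any of the checks in validate_upload."""


def validate_upload(filename, data):
    """Return the icon label for an acceptable upload, else raise UploadRejected.

    Order of checks: the name must be a bare filename (no path components),
    the *last* extension must be allow-listed (so 'report.pdf.exe' fails),
    the payload must be non-empty and within 25 MB, and the content must
    match the claimed type: a signature for binary formats, valid UTF-8
    without NUL bytes for csv/txt.
    """
    name = os.path.basename(filename)
    if not name or name != filename or "\\" in name:
        raise UploadRejected("filename must not contain path components")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"unsupported file type '{ext or '(none)'}'")
    if len(data) == 0:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected(f"{len(data)} bytes exceeds the 25 MB limit")

    signatures = MAGIC.get(ext)
    if signatures:
        if not any(data.startswith(sig) for sig in signatures):
            raise UploadRejected(f"content does not look like a {ext} file")
    else:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected(f"{ext} uploads must be UTF-8 text")
        if b"\x00" in data:
            raise UploadRejected(f"{ext} uploads must not contain NUL bytes")
    return ALLOWED[ext]
```

Note that a signature check is a floor, not a proof: a file that starts with `%PDF-` may still be a malformed PDF. What it reliably stops is the cheapest trick, renaming an unrelated file to an accepted extension. Anything beyond that (malware scanning, rendering in a sandbox) belongs in a later stage of the pipeline.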
Policy Card Details
Each policy in the list displays:
- Title — the policy name
- Framework badge — colour-coded label (DORA/NIS2/ISO 27001/GDPR)
- Status badge — Draft, In Review, Approved, or Archived
- Version number — shown as "v1", "v2", etc.
- Article references — relevant regulatory articles (up to 4 shown, with "+N more" for additional)
- Last updated date — when the policy was last modified
- Created by — the user who created the policy
Expand a policy card to see the full content preview (for generated policies, first 3000 characters shown in monospace font), the document attachment section, and status transition buttons.
Best Practices
- Generate first, customise second: Use the auto-generate feature for each applicable framework, then review and tailor each policy to your organisation before approving.
- Upload supporting documents: Attach procedures, process diagrams, and evidence documents to the relevant policy for a complete audit package.
- Track versions: Each policy carries a version number ("v1", "v2", ...) that increments when the policy is updated. Cite the version when referencing a policy so reviewers and auditors can tell which revision was in effect.
- Archive, do not delete: When a policy is superseded, use the Archive status instead of deleting it. This preserves the audit trail showing which policies were in effect at any given time.
- Approval dates matter: Regulators expect policies to be formally approved. The approval timestamp on each policy provides evidence of management oversight as required by DORA Art. 9(4) and NIS2 Art. 20.
Step-by-Step: Full Policy Lifecycle
Use "Generate Policies" for framework-standard policies (DORA, NIS2, ISO 27001, GDPR), or "Custom Policy" for organisation-specific documents. Generated policies arrive pre-filled with standard content; custom policies start as empty containers for your uploads.
Expand each draft policy to review its content. For generated policies, download the .docx file, customise it to your organisation, and re-upload. Attach supporting documents (procedures, diagrams, evidence) as needed.
Click "Submit for Review" to move the policy to In Review status. This signals to reviewers and policy owners that the policy is ready for formal assessment.
Reviewers can either "Approve" the policy (moving it to Approved with an automatic approval timestamp) or "Return to Draft" for further revisions.
When a policy is replaced by a newer version or is no longer applicable, click "Archive" to move it to Archived status. The policy remains visible for audit history.