Policies

    Author, maintain, and map your security policies inside Anzen.

    What are policies in Anzen?

    A policy is a governing document you author and maintain directly in Anzen - an information security policy, an access control policy, a backup policy, and so on. Each policy has a title, an optional framework and version, an owner and an organisational scope (entity), and a status. The body is written as ordered sections in Markdown, so a policy reads like a real document while staying structured enough to map to controls and to power search and Q&A.

    Sections

    A policy is built from sections rather than one block of text. Each section has:

    • A clause reference (optional) - e.g. A.8.24 or 5.2, so the section traces back to a framework requirement.
    • A title - e.g. "Purpose", "Scope", "Access reviews".
    • A Markdown body - the actual policy text, with lists and emphasis.
    • An order - sections render and export in the sequence you arrange them.

    Policy Template Library

    You do not have to start from a blank page. The Policy Template Library ships ready-to-adapt policy documents drawn from industry frameworks, opened from the Template library button on the Policies page.

    • ISO 27001:2022, English and Dutch. A full ISMS policy set of 22 policies (Information Security, Access Control, Acceptable Use, Cryptography, Incident Management, Business Continuity, Supplier Security, and more), each broken into complete, audit-ready sections that map to the relevant Annex A controls and management-system clauses. Choose the language pack you want.
    • Preview before importing. Open a pack and read any policy in a side-by-side viewer - the section list on the left, the full content on the right - then select exactly the policies you want.
    • Import as drafts. Selected policies are created in your workspace as draft documents, owned by you, with all their sections, ready to review and adapt.
    • Safe to re-run. Importing skips any policy whose title already exists in your workspace, so you will not create duplicates.

    Templates are a starting point, not certified compliance: you remain responsible for reviewing and adapting every policy to your own context, scope, and legal obligations. More frameworks will follow ISO 27001.

    Linking controls to policy sections

    Policies describe what must be done; <a href="/docs/controls">controls</a> are how you implement and test it. Anzen connects the two at the section level:

    • Map an existing control to a section. On a policy section, choose a control from your library and pin it to that section.
    • Create a control from a section. Generate a new control pre-filled from the section text and linked back to the policy.
    • Sections hold many controls; a control is pinned to one section per policy. Re-mapping a control moves its pin; unmapping removes the link.
    • Draft controls with AI. With the Anzen Extract add-on, controls can be drafted from the policy's source document and linked back automatically.

    Source documents and Anzen Extract

    You can attach the official source file (PDF, DOCX, ODT) to a policy for reference. With the Anzen Extract add-on you can also draft from a document. On the Policies page, Library › Draft from document reads the file and drafts a full policy (title, framework, version, summary and ordered sections with clause references) that opens in the editor for you to review before saving. Extract can also draft structured controls from a policy's source file and link them back to the policy. See the Extract documentation for the full flow and data-processing notice.

    Policies power the Knowledge Base

    Browsing and managing knowledge base articles is included free in every plan. Your policy sections are also the grounding for the AI ask layer in the Anzen Knowledge Base add-on. When that add-on is enabled, end users can ask plain-language questions and get answers drawn from the policy clauses they are allowed to see, cited back to the exact section. Keeping your policy library current directly improves those answers.

    Exporting to PDF

    Any policy can be exported to a formatted PDF from its detail page, useful for approvals, audits, and sharing with parties who do not have workspace access.

    Status and lifecycle

    • Draft - being authored or reviewed; the default for new and imported policies.
    • Active - approved and in force.
    • Retired - superseded or withdrawn, kept for the record.