What is a Policy?
Policies are the top tier of BFF’s controlled documents — the governing rules and standards everything else implements. The four tiers form a hierarchy:
| Tier | Answers | Example |
|---|---|---|
| Policy | What we require and why | Information Security Policy |
| SOP | How we operate to meet it | Access Review Procedure |
| Work Instruction | Exactly how to execute | Revoke a Departing User’s Access |
| Training | How people learn it | Security Onboarding |
Policies live under the Policies entry in the sidebar (in the Docs group), alongside SOPs, Work Instructions, Training, and Required Reading.
Creating a Policy
- Navigate to Policies in the sidebar
- Click “New Policy”
- Fill in the fields:
  - Title — e.g., “Information Security Policy”
  - Content — the policy text itself
  - External URL (optional) — link to an external document (Google Docs, Notion, etc.) if the source of truth lives elsewhere
- Click “Create Policy”
New policies start in Draft status.
The Document Lifecycle
Every policy moves through the standard controlled-document lifecycle:
| Status | Meaning |
|---|---|
| Draft | Being written or revised — not yet in force |
| In Review | Submitted for approval |
| Published | The current, in-force version |
| Archived | Retired, with history preserved |
From a Draft, you can click “Submit for Review” to route it for approval, or “Publish” directly. A policy In Review shows an “Approve & Publish” button for the approver. Publishing bumps the version number and snapshots it in Version History.
Editing a Published Policy
When you edit a published policy, BFF requires a Change Summary (e.g., “Updated data-retention clause to 24 months”). The change creates a new version — and because publishing a policy triggers Change Impact Analysis, every linked document’s owner is alerted, and anyone with a stale acknowledgement is asked to re-read.
Version History and Comparison
The Version History card on the policy detail page lists every published version with its date and change summary. Click “Compare” to see a line-by-line diff between any two versions — additions in green, removals in red.
You can also click “Audit” to open the full audit trail (creations, updates, locks, rollbacks), and restore a previous version from there — a rollback creates a new version with the restored content, so nothing is ever lost.
Locking
Click “Lock” to prevent edits while you’re working on a major revision. A locked policy shows “Locked by {name}” and its Edit button is disabled until unlocked.
Governance
Like all controlled documents, policies support role assignments (Owner, Author, Reviewer, Approver, Reader), document links into the governance graph, Required Reading assignments, and completion reports. See Document Roles and Lifecycle in the Document Control section for details.
Tip: Keep policies short and stable, and put the operational detail in linked SOPs and Work Instructions. Policies should change rarely — every publish ripples through your whole governance graph.