
Security Policies as Code

22 security and privacy policies rewritten, version-controlled in GitHub as markdown, and automatically published to Notion via GitHub Actions on every merge. A single source of truth that stays current without manual publishing, accessible to every employee in the company.

Role: Author & Architect
Timeline: AI-assisted drafting
Status: Live in Production
Stack: GitHub + Actions + Notion

  • 22 policies managed
  • 0 manual publishing steps
  • 100% employee accessible
  • Auto sync on every merge

Policies nobody could find, nobody could trust

Before

  • Policies scattered across Google Drive, Confluence, and shared folders
  • No version control; unclear which document was current
  • Updates required manual copy-paste into multiple locations
  • Employees asked "where is the X policy?" in Slack regularly
  • Audit evidence required manual export and formatting
  • Disconnected from actual operating procedures

After

  • All 22 policies stored as markdown in a single GitHub repository
  • Full version history with git; every change is a tracked commit
  • GitHub Actions auto-publishes to Notion on every merge to main
  • Employees find current policies in Notion without asking anyone
  • Audit evidence is the git log itself
  • Aligned to SOC 2 and ISO 27001 control requirements

Version-controlled policy management
Each policy is a markdown file in a structured repository. Pull requests for changes, review from stakeholders, merge to main, auto-publish to Notion.
GitHub | company-grc-security-policies (public repository, 22 files; last commit 3 days ago by tipashiba: "Update access-control-policy.md")

  • .github/workflows: "Add Notion sync workflow" (2 weeks ago)
  • access-control-policy.md: "Align RBAC section to SOC 2 CC6.1" (3 days ago)
  • acceptable-use-policy.md: "Annual review update" (1 week ago)
  • asset-management-policy.md: "Add cloud asset classification" (2 weeks ago)
  • change-management-policy.md: "Clarify emergency change process" (3 weeks ago)
  • data-classification-policy.md: "Update PII handling requirements" (1 month ago)
  • encryption-policy.md: "Add TLS 1.3 requirement" (1 month ago)
  • incident-response-policy.md: "Revise severity classification" (1 month ago)
  • ... and 15 more policy files

GitHub Actions: merge to main, publish to Notion
Every time a policy change is merged, a GitHub Actions workflow automatically syncs the updated content to Notion. No manual steps, no stale documents, no publishing lag.
GitHub Actions | Workflow runs for "Sync Policies to Notion" (branch main)

  • Update access-control-policy.md (3 days ago, 12s)
  • Annual review: acceptable-use-policy.md (1 week ago, 9s)
  • Add cloud asset classification to asset-management (2 weeks ago, 11s)
  • Clarify emergency change process (3 weeks ago, 10s)
  • Update PII handling in data-classification-policy (1 month ago, 8s)

The workflow
01 Draft or Update

Policy changes are drafted as markdown edits in a feature branch. AI-assisted drafting accelerates the writing process while maintaining alignment with control requirements.

02 Pull Request

Changes go through a pull request with review from relevant stakeholders. The diff shows exactly what changed, making review focused and auditable.

03 Merge to Main

Approved changes merge to the main branch. The git history serves as a complete, immutable audit trail of every policy change with timestamps and authors.

04 Auto-Publish

A GitHub Actions workflow triggers on merge, parsing the updated markdown and pushing the content to the corresponding Notion page. Employees see the change immediately.

Why policies as code

Version Control

Full git history on every policy. Every change has a commit, a reviewer, and a timestamp. No more "which version is current" questions.

Automated Publishing

GitHub Actions sync to Notion on every merge. Zero manual publishing steps. The published version is always the latest approved version.

Audit-Ready by Default

The git log is the audit evidence. Reviewers can see when a policy was last updated, who approved the change, and exactly what was modified.

AI-Assisted Drafting

Policy drafts and rewrites use AI to accelerate the documentation cycle while maintaining alignment with SOC 2 and ISO 27001 control requirements.

Self-Service Access

Every employee can find the current version of any policy in Notion without asking the security team. No more hunting through shared drives.

Review Workflow

The pull request model means stakeholders from legal, privacy, HR, and engineering can review and comment on policy changes before they go live.

Simple tools, powerful workflow

GitHub

All 22 policies stored as markdown in a single repository. Branch protection enforces review before merge. Git history provides an immutable audit trail.

GitHub Actions

Workflow triggers on push to main. Identifies changed policy files, parses markdown content, and calls the Notion API to update the corresponding page.
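The publish step described here and in steps 01 to 04 above, as an added example rather than the project's own workflow code: a Python script the Actions job would run on the files listed by `git diff --name-only`, converting each policy's markdown into Notion blocks and building the Notion API requests that publish them. The Notion token, the file-to-page mapping in `PAGE_IDS` and the `requests_for` helper are assumptions; the 2000-character rich_text limit and the 100-block append limit are Notion API constraints the sync has to respect.

```python
# Added example: turn a changed markdown policy into Notion blocks and build the
# Notion API calls that publish it. Token and page ids are assumptions, not the project's.
import json
import re
import urllib.request

NOTION_API = "https://api.notion.com/v1"
NOTION_VERSION = "2022-06-28"  # Notion requires an explicit API version header
MAX_TEXT = 2000                # chars per rich_text object; longer content is rejected
MAX_CHILDREN = 100             # blocks per append-children request
# Constructed mapping from policy file to Notion page id (placeholder, not a real id).
PAGE_IDS = {"access-control-policy.md": "PLACEHOLDER-NOTION-PAGE-ID"}

def block(kind: str, text: str) -> dict:
    """One Notion block; text is chunked so no rich_text object exceeds MAX_TEXT."""
    chunks = [text[i:i + MAX_TEXT] for i in range(0, len(text), MAX_TEXT)] or [""]
    rich = [{"type": "text", "text": {"content": c}} for c in chunks]
    return {"object": "block", "type": kind, kind: {"rich_text": rich}}

def markdown_to_blocks(md: str) -> list[dict]:
    """Policy markdown (#/##/### headings, '- ' bullets, blank-line paragraphs) -> blocks."""
    items, in_para = [], False  # (block type, text); paragraphs may span lines
    for line in md.splitlines():
        line = line.strip()
        if m := re.match(r"^(#{1,3})\s+(.+)", line):
            items.append((f"heading_{len(m.group(1))}", m.group(2)))
        elif line.startswith("- "):
            items.append(("bulleted_list_item", line[2:]))
        elif line and in_para:  # continuation line of the open paragraph
            items[-1] = ("paragraph", items[-1][1] + " " + line)
        elif line:
            items.append(("paragraph", line))
        in_para = bool(line) and items[-1][0] == "paragraph"
    return [block(kind, text) for kind, text in items]

def append_requests(page_id: str, blocks: list[dict], token: str) -> list:
    """One PATCH /blocks/{page}/children per MAX_CHILDREN blocks. Delete the page's
    existing children first, otherwise the new text lands below the stale copy."""
    hdrs = {"Authorization": f"Bearer {token}", "Notion-Version": NOTION_VERSION,
            "Content-Type": "application/json"}
    return [urllib.request.Request(f"{NOTION_API}/blocks/{page_id}/children", method="PATCH",
                                   headers=hdrs, data=json.dumps({"children": blocks[i:i + MAX_CHILDREN]}).encode())
            for i in range(0, len(blocks), MAX_CHILDREN)]

def requests_for(path: str, md: str, token: str) -> list:
    """Requests for one file from `git diff --name-only`; unmapped files are skipped, not guessed."""
    page_id = PAGE_IDS.get(path.rsplit("/", 1)[-1])
    return append_requests(page_id, markdown_to_blocks(md), token) if page_id else []
```

Sending the requests with `urllib.request.urlopen` is the only step left out, so the script can be exercised offline; a file that is not in the mapping produces no request, which keeps a stray markdown file from being published into the wrong page.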

Notion

Company-wide access to all published policies. Employees find what they need through Notion search without involving the security team.

Claude

AI-assisted policy drafting and revision. Requirements were described in natural language, and Claude generated policy text aligned to SOC 2 and ISO 27001 controls.

Tags: Markdown, GitHub, GitHub Actions, Notion API, YAML, Claude, SOC 2, ISO 27001

Results

  • 22 policies rewritten and managed
  • 0 manual publishing steps
  • 100% audit trail coverage
  • Instant: policy updates visible to all