Set Up Policies

A policy is a collection of controls used to measure and report compliance for a set of hosts. Your compliance reports will show you host compliance status (pass or fail) with the policy controls.

Interested in SCAP Policies? Go to SCAP Policies


You'll need a policy in order to create compliance reports. You can restrict a scan to a policy in the scan settings (option profile). In this case you have to create your policy before you scan.

Yes, there are several types of controls you can create. In order to report on policies with user-defined controls, be sure to add these controls to your account before you scan.

How do I add these controls to my account? Go to PC > Policies > Controls and select New > Control.

Qualys Custom Control (QCC) is a predefined control type which is provided by Qualys when you import policies from the library.

With this control type you are quickly provided new controls that are similar to user-defined controls. Once added to your account you can copy any QCC to make your own UDC that you can customize to meet your needs.

Learn more

Managers and Auditors can report on agent host compliance by adding agent host IPs to compliance policies. Edit the assets in the Policy Editor and select the check box "Include all hosts with PC agents". All hosts in your PC Agent license will be included. Note - This option only appears in accounts with PC Agent.


Go to PC > Policies > New > Policy > Import from Library. Click on the policy you want and then click Next. Follow the wizard to give your policy a name and choose whether the policy should be locked or unlocked after import and whether to keep the policy active or inactive.

Can I edit the imported policy?Can I edit the imported policy?

You can edit the policy to change the assigned assets. If the policy is unlocked, you can also change the title, technologies, controls, etc. If the policy is locked, no other changes are allowed. You can, however, save a copy of any locked policy with a new name and edit it as needed.

You can also lock a policy once you edit it, to prevent others from editing it further. Learn More

Interested in CIS policies?Interested in CIS policies?

You can import a CIS-certified policy from the library into your account, assign relevant assets to the policy and then use the policy to certify that you are meeting all requirements outlined in the CIS benchmark.

Go to PC > Policies > New > Policy > Create from Scratch. Follow the wizard to select policy technologies, assign assets to the policy, and give your policy a name. Choose whether to keep the policy active or inactive. When the Policy Editor appears, you can add controls to your policy and set control values.

Go to PC > Policies > New > Policy > Create from Host. You'll select a host that has already been scanned for compliance, and give your policy a name. Choose whether to keep the policy active or inactive and click Create. We'll build the policy for you based on the latest compliance findings for the host. We'll add controls to the policy and organize them into sections.

Go to PC > Policies > New > Policy > Import from XML file. Follow the wizard to choose the XML file you want to import and give your policy a name. Choose whether to keep the policy active or inactive.

How does it work?How does it work?

When you import a policy from an XML file, we perform several validation checks on the XML. If validation is successful, the policy is saved to your policies list. If validation fails, an error appears and the policy cannot be imported. Fix the XML and try again.

If the <EVALUATE> tag is present for any control, its checksum is validated to ensure that the evaluation logic hasn't been modified since the policy was exported. If the evaluation logic has changed then validation will fail. Note that you may remove the <EVALUATE> tag for any control. When the <EVALUATE> tag is not present for a control, the control is automatically assigned the default control value from the controls library.


Check out these videos on the various policy creation options:

Interested in more capabilities?

Check out these options: File Integrity Monitoring | Password Auditing | Windows user Rights Controls | Detailed Security Auditing for Windows | Control Criticality

Quick Links

Using the Policy Editor

Manage Your Policies

Export Your Policies


Download datalist