Operational changes in item generation of common controls

  • Release version: Yokohama
  • Updated July 31, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Operational changes in item generation of common controls

    This update introduces operational changes to the item generation process for common controls in the Yokohama release. The changes focus on efficiently managing controls by prioritizing association of reliant entities to existing common controls over creating new controls. This approach helps avoid control proliferation and leverages existing controls for testing and implementation purposes.

    Show full answer Show less

    Control Creation and Association

    • Creating Controls: Customers should use existing controls whenever possible to avoid unnecessary creation. If needed, a common control can be created by selecting "Common" in the Function field of the Control form and using the "Convert to common" UI action, ensuring a control objective is selected before conversion.
    • Associating Reliant Entities: Reliant entities or entity types can be added or removed from common controls via the Reliant entities and Reliant entity types related lists on the Control form. Additionally, common controls can be inherited on the Risk form using the "Inherit common controls" UI action.

    Item Generation Behavior and Assumptions

    • Common controls are not auto-generated; associations and creations depend on matching control name, entity, and control objective.
    • Order of precedence favors associating reliant entities to common controls over creating standard controls when user intent is ambiguous or no existing control exists.
    • New action types have been introduced to manage associations and activations/deactivations of entities and entity types with common controls, including adding/removing entities, activating/deactivating items, and handling risk and privacy associations where applicable.

    Practical Implications for ServiceNow Customers

    • Customers can reduce control duplication by leveraging common controls and associating reliant entities accordingly, improving control management and testing efficiency.
    • Understanding the new item generation action types enables precise control over entity associations and lifecycle management of controls, especially when Risk Management and Privacy Management plugins are installed.
    • Activations and deactivations of controls now appropriately manage associated risk and processing activity relationships, ensuring compliance data integrity.

    Operational changes are made in item generation mainly because item generation either creates a control or activates an existing standard control. When it comes to associating a control to an entity, then associating a reliant entity to a common control takes precedence over creating a control for that entity.

    Creation of controls

    If the existing controls in your system can be used for testing entities, then you can take advantage of the existing data and avoid creating controls. Having many controls can lead to control explosion. If that is not feasible, then you can associate a primary entity with a common control, test the common control, and implement the test results on the reliant entities of the common control. If both these options don’t work, then you can create a control.

    To create a common control, select Common in the Function field of the Control form. Select the Convert to common list UI action. A common control is created upon validation. It’s mandatory that you select a control objective before you convert a standard control to common control.

    Association of reliant entities to common control

    1. Use the Reliant entities related list in the Control form to add individual entities to the common control. You can also remove the reliant entities using the Remove button.
    2. Use Reliant entity types related list in the Control form to add entity types to the common control. You can also remove the reliant entity types using the Remove button.
    3. Use the Inherit common controls UI action in the Controls related list of the Risk form to select common controls grouped by control objectives.
    Note:
    For more information on reliant entity associations for a common control, see Create a control using the Compliance Workspace and Convert standard control to common control and add reliant entities.

    Item generation – Assumptions

    • There’s no auto-generation of common controls.
    • When the existence of common controls or associations of reliant entities to common control or standard controls are checked, the control’s name, entity, and control objective must match.
    • Order of precedence between standard and common controls:
      • If reliant association and standard control do not exist, then based on the action type, a standard control is created. Action types, for example can be Add content to entity type, Add document to entity type, Activate content, Activate document.
      • If reliant association and standard control do not exist, then based on the action type a reliant association to common control is created. Action type can be Add entity type to common control.
      • If the user's intent is not clear from the action type and a standard control does not already exist, then in conflicting entity type, the preference is to associate the reliant entity to the common control over creation of a standard control. Action type, for example can be Add entity to entity type.

    Item generation changes

    Table 1. New action types in the generation of items
    Item generation action type Description
    Add entity type to common control If the entity is not associated with the common item, then the application associates the entity with the common item by creating an m2m association between the two.
    Remove entity type from common control If the entity is associated with the common item, and the Entity types field has other entity types or Individually_added is true in the m2m record, then the application removes the Entity type ID from the Entity types column or deletes the entity to common item m2m record.
    Add entity to item If Risk Management is installed, based on the risk statement associated to the control objective, the risk to common control m2m records are added in the Control to Entity m2m table after considering the reliant entities.
    Remove entity from item
    • If Risk Management is installed, based on the risk statement associated to the control objective, risk to common control m2m records are deleted in consideration of the reliant entities.
    • If Privacy Management is installed, then the Processing Activity to common control m2m association based on its reliant entity and also the Processing Activity to control objective m2m association are removed.
    Activate entity to item If Risk Management is installed, based on the risk statement associated to the control objective, risk to common control m2m records are added in the Control to Entity m2m table in consideration of its reliant entities.
    Deactivate entity to item
    • If Risk Management is installed, based on the risk statement associated to the control objective, then the risk to common control m2m records are deleted after considering the control's reliant entities.
    • If Privacy Management is installed and the Processing Activity corresponds to a reliant entity, then the Processing Activity to common control m2m association and also the Processing Activity to control objective m2m association are removed.
    Activate item A common item is added:
    1. When no standard control exists with the same name, content (control and control objective), and entity combination.
    2. If the entity is not reliant on any other common item with the same name, content, and entity.
    3. When the entity is active.
    A standard item is added:
    1. Risk Management and Policy and Compliance Management plugins are installed
    2. Based on the risk statement and control objective association, risks are associated to controls.
    Deactivate item
    • Common item: Deactivates all Control to Entity m2m records.
    • Standard item: Deletes risks to control associations based on the Risk statement and Control objective associations.