Why the workflow exists

Before the control objective workflow, any user with the compliance user role could directly update a control objective record without a review process. Because control objectives are referenced by controls, policy acceptances, issues, and other objects, unreviewed changes would immediately affect all downstream records.

The workflow introduces a staging record model. When you revise a published control objective, a staging record is created to hold draft changes. The published record remains active and available to downstream processes until you explicitly publish the approved staging changes. The staging record is linked to the current version record and is always inactive, regardless of its workflow state.

For example, a control objective might require monthly sprinkler testing. If a compliance author wants to change the interval to two months, the existing published record continues to drive exception management and attestation while the proposed change goes through review and approval in the staging record. If the change is not approved, the published record is unaffected.

Control objective workflow states

When the workflow property is enabled, a control objective moves through the following states:

Draft

The initial state for a new or revised control objective. The record is inactive. Users listed in the Owner field, members of groups listed in the Owning Group field, and users with the compliance manager role can edit the record and perform workflow actions.

Review

Triggered when the owner selects Request Review. Approvals are generated based on configured dynamic approval rules. If no approval rules apply, the control objective moves directly to Approved. The record is read-only during review.

Approved

The control objective has passed all required approvals. The record is read-only except for the Effective Date field. The control objective is not yet active.

Published

The control objective is active. The active flag is set to true. Core content fields (name, description, supplemental guidance, category, classification, and type) are locked. Metadata fields such as attestation settings and issue grouping rule, and ownership fields, remain editable without requiring a staging record.

Retired

The control objective is inactive. The active flag is set to false. Retirement is triggered by selecting the Retire button or by setting the active flag to false directly.

Revision types

When you initiate a change on a published control objective, you must select a revision type. The revision type determines how associated controls are affected when the change is published.

Major

Use for substantive changes to the meaning or intent of the control objective. When a major revision is published, all associated controls move back to Draft, requiring control owners to review the changes and re-attest.

Minor

Use for corrections such as spelling fixes, typo corrections, or rewording that does not change the functional meaning of the control objective. When a minor revision is published, associated controls remain in their current states. Updated field values are applied to controls without triggering re-attestation.

The categorization of a change as major or minor is subjective and is not enforced by field-level restrictions. Reviewers can reject a staging record if the revision type does not match the scope of the changes made. You can change the revision type at any point before publishing by selecting Update Revision Type on the staging record.

Behavior with the workflow property enabled and disabled

The control objective workflow is controlled by the Enable control objective workflow property. The following table summarizes how behavior differs based on the property setting.