Combined Policy and Compliance Management release notes for upgrades from Vancouver to Zurich

How to use this page

To help you prepare for your upgrade, we have combined the cross-family Policy and Compliance Management release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Vancouver to Zurich.

Tip:

If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

Important information for upgrading Policy and Compliance Management to Zurich

Before you upgrade to Zurich, review these pre- and post-upgrade tasks and complete the tasks as needed.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

New features

Between your current release family and Zurich, new features were introduced for Policy and Compliance Management.


Release	Release notes
Vancouver	Lite operator license to enhance user operations Assign an indicator task to complete the task to users with the business user lite role in addition to users with the business user role. Users with business user lite role can respond to the indicator task requests. If you are a lite operator and do not have an Operator license, you can still approve policy exceptions, evidence requests, and others. If you are an indicator task owner you can respond to indicator tasks with the lite operator license. You can also do similar tasks in Employee Service Center. Policy knowledge base and quick links in the Employee Center portal View the knowledge base articles of all published policies from the Employee Service Center. Use the quick links in the Policies topic page to report events and raise exceptions on policies with respect to risk, and policy and compliance. Eliminate having to provide repetitive responses for similar attestations by grouping control attestations on the Task pages of Employee Service Center – Risk Portal and on the Compliance Workspace.
Washington DC	Policy authoring using Google Drive Monitor and revise your organization's policies at regular intervals to maintain their relevance and compliance. Integrating Microsoft Word document files with Google Drive helps your policy owners, reviewers, and approvers to author, modify, and maintain different versions of a policy text and thus retain its history. The users can also collaborate on the policy drafting and review processes. The policy text is updated automatically and the text can be copied from a document into the Policy text field in HTML, and then it can be converted to a PDF format later. Set up dynamic approval configuration on a policy record Set up the dynamic approval configuration on a policy record. Define the levels of approvals for dynamic conditions such as policy type, state, and owner in the approval configuration record. Create an approval rule for each approval level by selecting an approver type, source table, and filter condition. You can also set up dynamic approval configuration on a policy that has redlining enabled.
Xanadu	Upload policy document from your local machine to Microsoft OneDrive Upload a Microsoft Word document that exists in your local machine to Microsoft OneDrive and link the document with the policy. You can access the document from any device and enable multiple users to collaborate on the policy document. Create and associate a policy text document in Google Drive Integrate your ServiceNow instance with Google documents to manage documents in Google Drive. Create a Word document in Google Drive that you can access through a browser and store in Google Drive. You also have the option to create a Microsoft Word document that you can manage in Google Drive. Upload policy document from your local machine to Google Drive Upload a Microsoft Word document that exists in your local machine to Google Drive and link the document with the policy to enable multiple users to collaborate on the policy document. Upload policy document from your local machine to Microsoft SharePoint Upload a Microsoft Word document that exists in your local machine to Microsoft SharePoint and link the document with the policy to enable multiple users to collaborate on the policy document. Policy authoring using Microsoft SharePoint Monitor and revise your organization's policies at regular intervals to maintain their relevance and compliance. Integrating Microsoft Word document files with multiple Microsoft SharePoint sites helps your policy owners, reviewers, and approvers to author, modify, and maintain different versions of a policy text and thus retain its history. You can also collaborate on policy drafting and review processes. The policy text is updated automatically. You can copy and paste text from a document into the Policy text field in HTML and then convert it to a PDF format. Using CRI assessment questions to profile an entity Perform a CRI tiering assessment for an entity to determine its tier, and then perform a CRI assessment for that entity. Based on the response to the CRI questionnaire from the assessor, the compliance status of each mapped control to a question is determined. The overall compliance score of the entity is also calculated. User role enhancements in Policy and Compliance Management Respond to policy acknowledgments and request a policy exception from the Employee Center portal with the employee operator role.
Yokohama	Calculate compliance score and roll up to entity View a comprehensive compliance score at the entity level that includes all the child entities rolled up to the parent entity along with the compliance score of the parent entity's direct controls. Elimination of duplicate citations from UCF Shared list download Eliminate duplicate citations associated with the authority documents when you download UCF content. You can retain one citation as active and mark the duplicate citations as inactive. Move the control objectives of the duplicate citations to the active citation, and update the duplicate citation records with the Source ID of the active citation. Improve compliance workspace performance Improved the performance of the compliance workspace by removing the issue widget to ensure a faster and smoother user experience. You can still access issue details from the "Issues Overview" section. Entity based access Entity based access aims to provide a more granular approach to data access, ensuring that users can only access data through entity-based access. The entity-based access has been enabled for controls, attestations and policy exception to control mappings. Administrators can grant access to an entity's related records by adding users or user groups, or by using entity user fields for entity-based access configuration. Deduplication of control objectives Using Generative AI, identify and recommend similar control objectives. You can choose to accept a control objective as duplicate, dismiss those that are not similar, or retain a control objective as primary in which details from all other similar control objectives are merged. Additionally, the system automatically copies related records, including policies and risk statements, to ensure comprehensive information is maintained in one location after retiring the accepted control objectives.
Zurich	Association of citations to controls In many compliance frameworks, a single control objective may be referenced by multiple citations across different standards, regulations, or policy requirements. Without proper association management, organizations risk duplicating controls, misinterpreting coverage, or inaccurately reporting compliance. The association of citations to controls feature addresses this challenge by enabling users to associate controls with citations directly. When this feature is enabled, compliance scores update dynamically based on the status of directly associated active controls. Enhancements to control objectives rationalization process The following enhancements have been introduced to the rationalization process of control objectives: Rationalization process is now automatically created when selecting the Rationalize button in the control objective page.  The recommendation workflow has been simplified into a two-step process: Step 1 identifies duplicates by accepting or dismissing recommendations; Step 2 finalizes by retaining one recommendation or creating a new common control objective. Approvals for the rationalization process are skipped for owners who are reviewers, and levels where all reviewers are owners are automatically approved.  Owners and approvers can add comments and justifications directly on recommendation cards and reply to existing comments.  The user interface has been updated with better navigation, quick summaries, visual improvements, and clear error messages. Citation impact analysis and updates with Now Assist for IRM When a citation’s description or supplemental guidance is updated, Now Assist identifies related control objectives that might be affected. It reviews these control objectives to determine whether the descriptions or guidance need changes and provides suggested updates. Users can review, provide feedback, and approve these updates directly in the Now Assist panel, ensuring that citation changes are reflected in associated control objectives. Enhancements to control objectives and controls The following enhancements have been introduced to control objectives and controls: The Control objective requirements option provides a granular layer under a control objective. When each control objective has multiple statements, each statement becomes a control objective requirement. The Create control requirements option generates control requirements automatically for every control generated under an entity type. The Attestation at control requirement level enables attestation at a granular level for individual control requirements within a control. Enhancements to policy exception and extension requests The following enhancements have been introduced: For policy exception and extension requests, approvers can now view key details, such as justification, reason, and validity period, within a pop-up before approving or rejecting a policy exception or policy exception extension. For manual indicators, if the associated control is marked as exempt, no indicator task is generated. When a policy exception is in the Analyze state and the Awaiting Requested Information sub-state, the interface now includes a Send Information button that allows the requester to provide additional details or clarifications requested by the approver. Previously, an issue-based exception required a linked policy or control objective for additional approvals. Now, it requires any one of the following: a linked policy, control objective, or control. The control must be linked to the policy exception itself, not just to the issue. GRC Approval Configurator The GRC Approval Configurator can now be used to manage both policy exception and extension approvals. It allows verification, approval, and extension rules to be defined based on state, sub-state, and other filter conditions, with support for multiple user groups and multi-level approvals. This enhancement provides greater flexibility in assigning appropriate approvers at each level based on defined conditions, facilitating structured and collaborative reviews. For extension approvals, users can now configure multiple approvers, overcoming the previous limitation of a single default approver (Compliance Manager). Common Control Objective Creation Use Generative AI to merge similar control objectives into a single, consolidated common control objective. The system automatically populates the name, description, and guidance fields from the accepted duplicates, eliminating the need to manually select a primary control objective. Entity based record access rules to secure new records When entity based record access rules are enabled on the Entity Based Access Configuration Properties page, any newly created controls, control attestations, indicators, and indicator tasks associated with a configured entity will automatically inherit the entity-based access (EBA) value from that entity. Previously, users had to run bulk access updates to apply EBA restrictions whenever new objects were created. Additionally, when a standard control is converted to a common control, the Entity based access restriction option is inactive by default. Users can manually enable the EBA option for common controls directly from the Access Settings section in the Details tab of the respective control.

Changes

Between your current release family and Zurich, some changes were made to existing Policy and Compliance Management features.


Release	Release notes
Vancouver	Workspace record page template upgrade Streamline page creation, simplify maintenance, and minimize the cost of page ownership using the new record page template. If you’re upgrading and have customizations to workspace record pages, see Revert the record page templates to the pre-17.x version. Enhanced user experience while redlining policies Work more quickly with browser pages automatically refreshing after every action that you take in policy redlining. Actions that cause an automatic browser page refresh include creating and associating a Microsoft OneDrive document, importing a policy text, connecting an existing Microsoft OneDrive document, syncing a Word document to view the policy text, providing document access to policy users, and completing publishing checklist and requesting policy approval in the playbook. You can also associate an existing Microsoft Word document to a policy record even if the policy record has a Word document already associated to it. Business user lite role activities through Employee Center Business users with the GRC business user lite role can manage indicator tasks that are in the Open state by selecting the GRC tasks link through the Employee Service Center portal.
Washington DC	Performance enhancements in processing indicator jobs To support parallel processing capabilities, two additional custom queues have been introduced. One is the Indicator Data Queue for processing indicators, and the other is the Supporting Data Queue for handling events related to control, risk, and issue updates. A new job is introduced to collect supporting data, which significantly aids in improving the data handling processes. New fields have been introduced in the Indicator template form to support percentage sampling. To streamline data handling, the data storage system is updated with storing sample data in JSON format. This new approach enables a more structured and efficient storage, enhancing data retrieval process and analysis. The Due date duration (days) field is added in the Indicator template and Indicator forms to capture the due date of the indicator task. Based on this due date, the indicator task owners receive reminder emails. Analytics and Reporting solutions for Policy and Compliance Management in Next Experience UI Framework Starting with version 18.1.0 of the Policy and Compliance Management application, the Analytics and Reporting solutions for Policy and Compliance are available in the Next Experience UI Framework.
Xanadu	Perform CRI tiering questionnaire to determine the tier value of entity In addition to the Entity owner, the Corporate compliance manager [sn_compliance_ws.corporate_compliance_manager], Corporate compliance analyst [sn_compliance_ws.corporate_compliance_analyst], and IT compliance manager [sn_compliance_ws.it_compliance_manager] can trigger CRI tiering questionnaire and initiate CRI profile assessments. UI action button Initiate CRI tiering assessment has been renamed as Initiate CRI tiering questionnaire. UI action button Initiate CRI assessment has been renamed as Initiate CRI profile assessment. Domain separation in GRC: Policy and Compliance Management Now both manually created records and auto-generated records created through scheduled jobs or scripts are domain separated based on their parent object or user domain for all Policy and Compliance Management objects.
Yokohama	Yokohama Patch 11 Some Now Assist skills are now turned on by default The new default behavior works as follows: New customers: When you install a Now Assist product, designated skills are turned on automatically. Existing customers who are upgrading (starting with Yokohama Patch 11): Any previously unconfigured skill is turned on automatically (the skill was never configured and turned on, then turned off again). Previously configured skills that were turned on, then off, remain inactive. Changes to Now Assist usage measurement
Zurich	Improvements to the rationalization process of control objectives Several enhancements have been made to the rationalization process: Redesigned the rationalization UI with a reordered layout and highlighted primary actions. Validations added for deactivated and deleted control objectives. Introduced the “Restart Analyze” option to support reevaluation of recommendations. Introduced support for Azure OpenAI, Amazon Bedrock, and Google Gemini for recommendations of control objectives. Updated the Consolidate state UI to show the recommendation panel with retained and accepted control objectives and their associated items.

Removed

Between your current release family and Zurich, some Policy and Compliance Management features or functionality were removed.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Deprecations

Between your current release family and Zurich, some Policy and Compliance Management features or functionality were deprecated.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	GRC DevOps Accelerator is now deprecated and no longer supported or available for new activation. For details, see the Deprecation process [KB0867184] article in the Now Support Knowledge Base.
Zurich	No updates for this release.

Activation information

Review information on how to activate Policy and Compliance Management.


Release	Release notes
Vancouver	Install GRC: Policy and Compliance Management by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Washington DC	Install GRC: Policy and Compliance Management by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Xanadu	Install Policy and Compliance Management by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Yokohama	Install Policy and Compliance Management by requesting it from the ServiceNow Store.
Zurich	Install Policy and Compliance Management by requesting it from the ServiceNow Store.

Additional requirements

If any additional requirements were introduced or changed for Policy and Compliance Management we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Browser requirements

If any specific browser requirements were introduced or changed for Policy and Compliance Management we have noted them here.


Release	Release notes
Vancouver	Policy and Compliance Management requires the latest public release and two previous release versions of the following browsers: Google Chrome, Firefox and Firefox ESR, and Microsoft Edge Chromium Safari 12.0 and later versions
Washington DC	GRC: Policy and Compliance Management requires the latest public release and two previous release versions of the following browsers: Google Chrome Firefox and Firefox Extended Support Release (ESR) Microsoft Edge Chromium Safari 12.0 and later versions
Xanadu	GRC: Policy and Compliance Management requires the latest public release and two previous release versions of the following browsers: Google Chrome Firefox and Firefox Extended Support Release (ESR) Microsoft Edge Chromium Safari 12.0 and later versions
Yokohama	GRC: Policy and Compliance Management requires the latest public release and two previous release versions of the following browsers: Google Chrome Firefox and Firefox Extended Support Release (ESR) Microsoft Edge Chromium Safari 12.0 and later versions
Zurich	Policy and Compliance Management supports the latest public release and the two preceding versions of the following web browsers: Google Chrome Firefox and Firefox Extended Support Release (ESR) Microsoft Edge Chromium Safari 12.0 and later versions

Accessibility information

Review details on accessibility information for Policy and Compliance Management, such as specific requirements or compliance levels.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich

Localization information

If there are specific localization considerations for Policy and Compliance Management we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Highlight information

If there are specific highlight considerations for Policy and Compliance Management we have noted them here.


Release	Release notes
Vancouver	Consolidate similar issues created on controls, control objectives, authority documents, engagements, and policies, resolve them quickly, and reduce the number of open issues in an organization. Perform a test on a common control and implement its results on multiple reliant entities instead of testing each entity with its own control to reduce time and effort, especially when new systems are deployed and pre-validations are conducted. Use the IT compliance workspace to manage your organization's IT-related compliance activities. See Policy and Compliance Management for more information.
Washington DC	Revise your policies and update the policy text periodically by integrating with Google Drive. Use policy authoring and the redlining feature to enable policy owners and reviewers to collaborate, review, and redline policies. Set up the dynamic approval configuration on a policy record. Define the approval levels and rules based on different dynamic conditions, such as policy type, source table, state, and filter conditions. See Policy and Compliance Management for more information.
Xanadu	Revise your policies and update the policy text periodically by integrating with Microsoft SharePoint. Use policy authoring and the redlining feature to enable policy owners and reviewers to collaborate, review, and redline policies. Perform a Cyber Risk Institute (CRI) assessment on a company as an entity to determine its control status and calculate the assessment score. Use the employee operator role introduced in Policy and Compliance Management for operations in Employee Center. See Policy and Compliance Management for more information.
Yokohama	View the compliance score at the entity level based on the hierarchy of entities. Eliminate duplicate citations associated with the authority documents when you download UCF content. Revise your policies and update the policy text periodically by integrating with Microsoft SharePoint. Enable policy owners and reviewers to collaborate, review, and redline policies by using policy authoring and the redlining feature. The Issues widget has been removed from the Compliance Workspace landing page to enhance the performance. Enable data access by implementing Entity-Based Access controls. Recommend similar control objectives using generative AI. You can then retain, dismiss, or merge duplicate control objectives. See Policy and Compliance Management for more information.
Zurich	Association of citations to controls feature enables users to associate controls with citations directly to avoid duplicated controls and ensure accurate compliance reporting. Multiple enhancements to control objectives rationalization process, including improvements including automatic rationalization process creation, simplified two-step workflow for recommendations, skipped approvals for owner-reviewers, comment capabilities, and improved UI. Now Assist for IRM includes skills and AI agent to identify affected control objectives when citation descriptions change and to provide suggested updates for review and approval. Enhancements to control objectives and controls, including control objective requirements for granular statements, automatic control requirement generation, and attestation at control requirement level. Enhancements to policy exception and extension requests, including approver pop-ups with key details, no indicator tasks for exempt controls, Send Information button for requesters, and expanded linking requirements for issue-based policy exceptions. See Privacy Management for more information.