Manage control objectives and policies
Summary of Manage control objectives and policies
The Policies and Procedures module in ServiceNow provides comprehensive management of policy approvals, policies, and control objectives. It offers an executive-level overview of compliance requirements, status, and breakdowns to quickly identify areas of concern. Users with compliance administrator and compliance manager roles can access detailed compliance reports and dashboards.
Policies and Procedures Overview
- Control compliance: Donut chart showing overall compliance of all controls.
- Control details: Donut chart breaking down controls by owner, category, or type.
- Control Overview: Stacked column chart showing total controls per policy and their compliance status.
- Control Issues by Policy: Line chart tracking control issues opened weekly by policy.
- Policy Exceptions List: Lists control issues accepted without remediation.
- Total Control Objectives by Policy: Stacked bar graph showing control objectives count by type per policy.
Policy Approval Process
Policies undergo a strict approval workflow to ensure compliance and reduce risk exposure. Compliance managers set validity periods to ensure timely reviews. Policies can be categorized as policies, procedures, standards, plans, checklists, frameworks, or templates.
Approval States:
- Draft: Policies are editable by all compliance users.
- Review: Policy owners and reviewers can modify and advance policies.
- Awaiting Approval: Policies are read-only; approved policies move to Published, unapproved return to Review.
- Published: Approved policies are published as knowledge base articles and become read-only. Policies have a validity period, after which they automatically revert to Draft/Review based on configured settings.
- Retired: Policies removed from active use and their KB articles deleted.
Managing Policies and Control Objectives
- Create a policy: Define internal practices as policies, procedures, standards, etc.
- Approve and publish: Policies are automatically published upon approval.
- Acknowledge a policy: Launch campaigns for employees to acknowledge published policies.
- Retire a policy: Remove outdated policies as part of lifecycle management.
- Create GRC article templates: Customize templates for publishing policies.
- Create and manage control objectives: Define objectives that guide company operations, categorize them, relate them to policies, and deactivate when obsolete.
- Relate control objectives: Link objectives to policies during draft or review states and map objectives to multiple citations for cross-compliance testing.
- Manage citations and authority documents: Create, activate/deactivate, and relate citations and authority documents to control objectives to manage compliance references.
Practical Benefits for ServiceNow Customers
This module enables compliance administrators and managers to centrally manage policies and control objectives, ensuring consistent compliance with internal standards and external regulations. The approval workflows, validity management, and acknowledgement campaigns help maintain policy relevance and enforce accountability. Visual compliance reports facilitate quick identification of issues and gaps. Integration of control objectives with multiple citations improves testing efficiency and regulatory alignment. Overall, the module supports effective governance, risk management, and compliance processes.
The Policies and Procedures module contains overview and detailed information related to policy approvals, policies, and control objectives.
Policies and Procedures Overview
Policies and Procedures Overview is contained in the Policies and Procedures module and provides an executive view into compliance requirements, overall compliance, and compliance breakdowns so areas of concern can be identified quickly. Users with the compliance administrator and compliance manager roles view the Policies and Procedures Overview.

| Name | Visual | Description |
|---|---|---|
| Control compliance | Donut chart | Displays the overall compliance of all the controls in the system. |
| Control details | Donut chart | Displays a breakdown of controls grouped by owner, category, or type. |
| Control Overview | Column chart | Displays the total number of controls related to each policy. The chart is stacked to display the overall control compliance status for each policy. |
| Control Issues by Policy (Opened Date) | Line chart | Displays the number of control issues opened each week, grouped by policy. |
| Policy Exceptions | List | Displays a list of control issues that have been closed with a response value of accept, meaning the issue was not remediated. |
| Total Control Objectives by Policy | Bar graph | Displays a count of the overall number of control objectives in each policy. The chart is stacked to display control objectives by type. |
Policy approval process
Policies are part of a strict approval process that ensures compliance and reduces exposure to risk. When a policy is published, it is automatically incorporated in the approval process. Compliance managers set the length of time that policies are valid, ensuring that the team reviews the policy often to affirm its validity. Policies have a type, such as a policy, procedure, standard, plan, checklist, framework, or template.
| State | Description |
|---|---|
| Draft | All policies start in Draft state. In this stage, all compliance users can modify the policy and control objectives. |
| Review | The owner, owning group, and reviewers can modify the policy and control objectives and send it on to the next state. |
| Awaiting Approval | The policy is read only in this state. Approved policies transition to the Published state. Unapproved policies return to Review. If no approvers are identified on the policy form, the state is skipped and the policy is published without an approval. |
| Published | Approved policies are automatically published to a template-defined KB article, and the policy remains in a read-only state. The Valid to field on the policy form defines how long the policy is valid. Note: After the policy is published and its Valid to date is reached, the policy moves back to the Draft/Review state according to the value of the Number of days after reaching a policy "Valid to" date in which the expired policy will automatically move from its Published state back to a Draft/Review state property. For example, if the value of the property is 10, the policy moves back to the Review state 10 days after the Valid to date is reached. When a policy reaches the end of the Review state and is approved for publishing, it is automatically published to the GRC knowledge base (as defined in . The Article template field on the policy form defines the style of the published policy. |
| Retired | When a policy is put into the Retired state, its associated KB article is removed. |
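The state transitions in the table above, as an added example that is not ServiceNow's code: the state names, the read-only rules, the skipped approval when no approvers are set, and the revert after the Valid to date follow the table, while the function names, the user and policy objects, the 10-day default and the sample dates are assumptions made for this illustration.

```javascript
// Added example modelling the policy approval lifecycle described in the table.
// Not ServiceNow code; function names, the revert-after default and the sample
// dates are assumptions made for this illustration.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Stands in for the "Number of days after reaching a policy 'Valid to' date ..."
// property; 10 is the value used in the documentation's own example.
const DEFAULT_REVERT_AFTER_DAYS = 10;

function transition(policy, state) {
  policy.state = state;
  policy.history.push(state);
  return policy;
}

// All policies start in Draft. approvers and reviewers hold user ids.
function createPolicy(name, { owner, owningGroup = null, approvers = [], reviewers = [], validTo = null }) {
  return { name, owner, owningGroup, approvers, reviewers, validTo, state: 'Draft', kbArticle: null, history: ['Draft'] };
}

// Draft: any compliance user may modify; Review: owner, owning group and
// reviewers; every other state is read only.
function canModify(policy, user) {
  switch (policy.state) {
    case 'Draft':
      return user.roles.includes('compliance_user');
    case 'Review':
      return user.id === policy.owner
        || (policy.owningGroup !== null && user.groups.includes(policy.owningGroup))
        || policy.reviewers.includes(user.id);
    default:
      return false;
  }
}

function sendToReview(policy) {
  if (policy.state !== 'Draft') throw new Error(`cannot send a ${policy.state} policy to review`);
  return transition(policy, 'Review');
}

// Publishing creates the KB article and leaves the policy read only.
function publish(policy, publishedOn) {
  policy.kbArticle = { title: policy.name, publishedOn };
  return transition(policy, 'Published');
}

// Leaving Review: with no approvers on the form the Awaiting Approval state is
// skipped and the policy is published without an approval (the table's caveat).
function requestApproval(policy, publishedOn) {
  if (policy.state !== 'Review') throw new Error(`cannot request approval from ${policy.state}`);
  if (policy.approvers.length === 0) return publish(policy, publishedOn);
  return transition(policy, 'Awaiting Approval');
}

function recordDecision(policy, approved, publishedOn) {
  if (policy.state !== 'Awaiting Approval') throw new Error(`no pending approval for ${policy.name}`);
  return approved ? publish(policy, publishedOn) : transition(policy, 'Review');
}

// Scheduled validity check: once the Valid to date is revertAfterDays in the
// past, a Published policy drops back to Draft or Review (revertTo mirrors the
// configured target state).
function checkValidity(policy, today, revertAfterDays = DEFAULT_REVERT_AFTER_DAYS, revertTo = 'Review') {
  if (policy.state !== 'Published' || policy.validTo === null) return policy;
  const daysPastValidTo = Math.floor((today - policy.validTo) / MS_PER_DAY);
  return daysPastValidTo >= revertAfterDays ? transition(policy, revertTo) : policy;
}

// Retiring removes the associated KB article.
function retire(policy) {
  policy.kbArticle = null;
  return transition(policy, 'Retired');
}

// Walk a constructed policy through the lifecycle and return it for inspection.
function runExample() {
  const validTo = new Date(Date.UTC(2024, 5, 30)); // constructed sample date
  const policy = createPolicy('Access Control Policy', { owner: 'alice', approvers: ['bob'], reviewers: ['carol'], validTo });
  sendToReview(policy);
  requestApproval(policy, new Date(Date.UTC(2024, 0, 15)));
  recordDecision(policy, true, new Date(Date.UTC(2024, 0, 15)));
  checkValidity(policy, new Date(Date.UTC(2024, 6, 9)));  // 9 days past Valid to: still Published
  checkValidity(policy, new Date(Date.UTC(2024, 6, 10))); // 10 days past Valid to: back to Review
  return policy;
}

console.log(runExample().history.join(' -> '));
```

Run with `node` to print the state history of the constructed policy; the no-approver path and the retire step are exercised by calling `requestApproval` on a policy created without approvers and then `retire`.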
Policies
Compliance managers catalog and publish internal policies that define a set of business processes, procedures, and/or standards.
Control objectives
Compliance managers catalog the control objectives and generate controls from those control objectives.