Policy and Compliance Management release notes

ServiceNow® GRC: Policy and Compliance Management application enhancements and updates in the Istanbul release.

Policy and Compliance Management is one of the applications contained within the GRC application.

Istanbul upgrade information

To use the resources of the Unified Compliance Framework (UCF) after you upgrade, see Policy and Compliance UCF upgrade instructions for account configuration details.

Activation information

The GRC: Policy and Compliance Management (com.sn_compliance) plugin is available as a separate subscription.

Activate Policy and Compliance Management.

New in the Istanbul release

GRC PA indicators
Users can associate PA indicators with policy statements. PA indicators can automatically be associated with controls based on available breakdowns. Trends are displayed at a higher granularity on the policy statement or at the breakdown level on the control. PA scorecards are provided for policy statements and controls.

Use the Unified Compliance Framework (UCF) with Policy and Compliance Management

UCF has released a REST API allowing authenticated users (through OAuth) to download content from their Common Controls Hub website. Users configure Shared Lists of Authority documents, then download those into the Policy and Compliance Management application.


If you were using one of the following ways to import or download the UCF content, you must activate the new plugin:

  • When using the (Geneva or Fuji) Legacy UCF UI, navigate to GRC > Administration > Import UCF content.
  • When using the Helsinki UCF UI, navigate to Policy and Compliance > Administrative > Download UCF content.

After you activate the GRC: Compliance UCF (com.sn_comp_ucf) plugin, configure the UCF integration.

  • Navigate to Policy and Compliance > Administrative > Unified Compliance Integration. Users must have a UCF Common Controls Hub account to create shared lists and import them into the instance.

Note: If your GRC entitlement date is before December 1, 2016, you are entitled to a free UCF CCH account for the period of December 1, 2016 through November 30, 2018. If you are on Helsinki (Patch 7 and above) or Istanbul and your effective GRC entitlement date starts on Dec 1, 2016 or after, you need to sign up for a UCF CCH account and customize your basic subscription to include API Access. For more information about establishing a UCF CCH account, see Unified Compliance.

Users can set the assessment metric type for policy statements or controls. By default, controls inherit the same type as their policy statements. The survey designer has been extended to work with attestations. Attestation surveys are now optional. If the Attestation field is populated, the respondents are sent a survey when the control moves to the Attest state. Otherwise, no attestation is sent and the control moves to the next state. Attestations can have multiple recipients.

Changed in this release

  • Publish policies to various knowledge bases by setting the knowledge base field on the policy.
  • Create an HTML article template for simple formats needing information from the policy but not information from other records. Create an XML or script article template for formats needing information from other records in the system. For example, you may want to add information from the policy statement to the KB article as well.
  • Files attached to a policy are automatically attached to the KB article that is created from it.
  • Set up which policy statements automatically create controls when associated with a profile type.

Removed in this release

  • The GRC: UCF Import plugin has been deprecated and replaced by the new plugin, GRC: Compliance UCF.