
    Understanding Policy and Compliance Management

    The ServiceNow® Policy and Compliance Management product provides a centralized process for creating and managing policies, standards, and internal control procedures that are cross-mapped to external regulations and best practices. Additionally, the application provides structured workflows for the identification, assessment, and continuous monitoring of control activities.

    What is Policy and Compliance Management?

    Policy and Compliance Management centralizes the following activities:
    • Establish controls and control owners
    • Define control tests and expected results
    • Establish test and control frequencies
    • Identify risks: impact and likelihood
    • Prepare attestations
    • Map authoritative sources to policies, procedures, controls, and risks

    Who uses Policy and Compliance Management?

    Policy and Compliance activities involve all levels of management. A key function of good governance involves the establishment of a strong organization structure.
    • Board of directors
    • IT steering committee
    • Audit committee
    • All levels of management

    Policy and Compliance Management and the Now Platform

    • Activate Policy and Compliance Management

      The GRC: Policy and Compliance Management (com.sn_compliance) plugin is available as a separate subscription.

    • Supported migration

      After migrating from the Legacy GRC application, certain relationships between elements are maintained.

    • Configure Policy and Compliance Management

      System and compliance administrators in the global domain can set properties to determine how the system defines the Policy and Compliance Management application.

    • Establish profile scoping for policies and controls

      Profile scoping is permitted in each of the GRC applications. Policy and compliance managers use profile scoping to create a system of internal controls and monitor compliance. Risk managers use profile scoping to monitor risk exposure and perform risk assessments. Dependencies are created using the dependency map and model or by creating tiers.

    • Manage policy statements and policies

      Organizations import their authority documents from Network Frontiers Unified Compliance Framework (UCF), another third-party provider, or they create them manually. The Policies and Procedures module contains overview and detailed information related to policy approvals, policies, and policy statements.

    • Manage policy exceptions

      Policy exceptions provide temporary relief for a non-compliant control. The policy exception captures the rationale, comments, and evidence to support the acceptance or rejection of a policy exception request. The control owner, the compliance manager, and the risk manager may be involved in the policy exception workflow. When a policy exception request exceeds the expiration date by more than 3 days, the approver, the requestor, and the requestor's manager receive a notification that it is expired.

    • Use UCF Common Controls Hub to manage compliance frameworks

      The UCF Common Controls Hub® (CCH) is a Software-as-a-Service portal that allows retrieval of regulatory data from the underlying Unified Compliance Framework®. Compliance administrators can download content to use as GRC Authority Documents, citations, controls, and policy statements. The documents can be updated on pre-defined intervals. You must have a CCH account to create shared lists and import them into the ServiceNow® instance. API access is also required to download UCF content from the CCH.

    • Manage controls

      Controls are specific implementations of a policy statement. Retired controls do not appear in the list. Before defining controls, take time to rationalize, consolidate, and define the important controls in your organization.

    • Manage control attestations

      Attestations are surveys that gather evidence to prove that a control is implemented. The attestation designer provides a single interface that users can use to create and edit attestations, as well as change scoring parameters.

    • Manage control indicators

      Continuous monitoring involves activities related to identifying and creating key risk and control indicators. The Compliance Overview is available to compliance administrators and compliance managers, providing an executive view into compliance requirements, overall compliance, and compliance breakdowns.

    • Monitor controls using GRC Performance Analytics Indicators

      You can link Policy and Compliance Management content and items to Performance Analytics indicators, breakdowns, and thresholds. You can associate Performance Analytics indicators with policy statements and controls to view scorecards and trends and to analyze current conditions.

    • Manage compliance issues and remediation

      Issues can be created manually to document audit observations or remediations, or to accept any problems. They are automatically generated from indicator results, attestation results, or control test effectiveness.

    • Manage continuous monitoring between Configuration Compliance and Policy and Compliance Management

      Continuous monitoring is a feature integration between the GRC: Policy and Compliance Management product and the Security Operations Configuration Compliance products. This feature integrates the scan results from third-party applications, such as Qualys, to determine the compliance status for each associated control.

    • Out-of-the-box GRC: Policy and Compliance Management Performance Analytics Solutions

      Performance Analytics Solutions contain preconfigured dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.
