Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Governance, Risk, and Compliance
Table of Contents
Choose your release version
    Home London Governance, Risk, and Compliance Governance, Risk, and Compliance Policy and Compliance Management Understanding Policy and Compliance Management Manage policy statements and policies

    Manage policy statements and policies

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Manage policy statements and policies

    Organizations import their authority documents from Network Frontiers Unified Compliance Framework (UCF), another third-party provider, or they create them manually. The Policies and Procedures module contains overview and detailed information related to policy approvals, policies, and policy statements.

    Policies and Procedures Overview

    The Policies and Procedures Overview is contained in the Policies and procedures module and provides an executive view into compliance requirements, overall compliance, and compliance breakdowns so areas of concern can be identified quickly. Users with the Compliance Administrator and Compliance Manager roles view the Policies and Procedures Overview.
    Table 1. Policies and Procedures Overview reports in the base system
    Name Visual Description
    Control compliance Donut chart Displays the overall compliance of all the controls in the system.
    Control details Donut chart Displays a breakdown of controls, grouped by owner, category, or type.
    Control Overview Column Chart Displays the total number of controls related to each policy. The chart is stacked to display overall control compliance status for each policy.
    Control Issues by Policy (Opened Date) Line Chart Displays the number of control issues opened each week, grouped by policy.
    Policy Exceptions List Displays a list of control issues that have been closed with a response value of accept, meaning the issue was not remediated.
    Total Policy Statements by Policy Bar graph Displays a count of the overall number of policy statements in each policy. The chart is stacked to display policy statements by type.

    Policy Approval Process

    Policies are part of a strict approval process to ensure compliance and to reduce exposure to risk. Publishing a policy is automatically incorporated in the approval process. Compliance managers set the length of time that policies are valid, ensuring that the team reviews the policy often to affirm its validity. Policies have a type, such as a policy, procedure, standard, plan, checklist, framework, or template.

    The image depicts the approval process flow that is shown at the top of each policy record.

    Table 2. Policy approval states
    State Description
    Draft All policies start in Draft state. In this stage, all compliance users can modify the policy and policy statements.
    Review The owner, owning group, and reviewers can modify the policy and policy statements and send it on to the next state.
    Awaiting Approval The policy is read only in this state. Approved policies move forward to the Published state. Unapproved policies move back to Review. If no approvers are identified on the policy form, the state is skipped and published without an approval.
    Published Approved policies are automatically published to a template-defined KB. Once a policy is published, it remains in a read-only state. The Valid to field on the policy form defines how long the policy is valid.

    When a policy reaches the end of the Review state and is Approved for publishing, it is automatically published to the GRC knowledge base (as defined in the Policy and Compliance > Administration > Properties. The article template field on the policy form defines the style of the published policy.

    Retired The KB article is removed when a policy is put into a Retired state.

    Policies

    Compliance managers catalog and publish internal policies that define a set of business processes, procedures, and or standards.

    Policy Statements

    Compliance managers catalog the policy statements and generate controls from those policy statements.

    Policy statements only reference a single policy, although they can cover multiple citations from different authority documents. They can be organized into Classification, Category, and Type.
    Note: UCF refers to policy statements as Controls. When UCF is data is imported, controls are imported into the policy statements table.
    • Create a policy

      A policy is a document which defines an internal practice that processes must follow. Policies are defined as policies, procedures, standards, plans, checklists, frameworks, and templates.

    • Approve and publish policy

      When a policy is approved, it is automatically published.

    • Review a policy

      It is important that the right people in your organization are involved in the review of policies.

    • Retire a policy

      Retiring a policy is part of the policy management process. It can be retired any time after being approved and published to the KB.

    • Create a GRC article template

      Policy and Compliance managers can create templates for policy article publishing.

    • Create a policy statement

      A policy statement is an objective, direction, or standard that acts as guidance for company interactions and operations. Policy statements can be categorized, classified, and related to policies.

    • Deactivate a policy statement

      Deactivate policy statements that are no longer relevant to their citation or policy statement.

    • Relate a policy statement to a policy

      Policy statements can be associated to a policy individually by choosing the policy in the document field on the policy statement, or by editing the policy statements related list.

    • Relate a policy statement to a citation

      A single policy statement can be mapped to many citations from different authority documents. This function allows you to test a policy statement once while complying with many different citations.

    • Create a citation

      Usually, authority documents, citations, and policy statements are downloaded from UCF. However, citations can be created manually from an authority document.

    • Deactivate a citation

      The Active option in a citation indicates whether the citation has been retired.

    • Deactivate an authority document

      The Active option in an authority document indicates whether the authority documents has been retired.

    Previous topic
    • Establish profile scoping for policies and controls
    Next topic
    • Manage policy exceptions

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Manage policy statements and policies

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Manage policy statements and policies

      Organizations import their authority documents from Network Frontiers Unified Compliance Framework (UCF), another third-party provider, or they create them manually. The Policies and Procedures module contains overview and detailed information related to policy approvals, policies, and policy statements.

      Policies and Procedures Overview

      The Policies and Procedures Overview is contained in the Policies and procedures module and provides an executive view into compliance requirements, overall compliance, and compliance breakdowns so areas of concern can be identified quickly. Users with the Compliance Administrator and Compliance Manager roles view the Policies and Procedures Overview.
      Table 1. Policies and Procedures Overview reports in the base system
      Name Visual Description
      Control compliance Donut chart Displays the overall compliance of all the controls in the system.
      Control details Donut chart Displays a breakdown of controls, grouped by owner, category, or type.
      Control Overview Column Chart Displays the total number of controls related to each policy. The chart is stacked to display overall control compliance status for each policy.
      Control Issues by Policy (Opened Date) Line Chart Displays the number of control issues opened each week, grouped by policy.
      Policy Exceptions List Displays a list of control issues that have been closed with a response value of accept, meaning the issue was not remediated.
      Total Policy Statements by Policy Bar graph Displays a count of the overall number of policy statements in each policy. The chart is stacked to display policy statements by type.

      Policy Approval Process

      Policies are part of a strict approval process to ensure compliance and to reduce exposure to risk. Publishing a policy is automatically incorporated in the approval process. Compliance managers set the length of time that policies are valid, ensuring that the team reviews the policy often to affirm its validity. Policies have a type, such as a policy, procedure, standard, plan, checklist, framework, or template.

      The image depicts the approval process flow that is shown at the top of each policy record.

      Table 2. Policy approval states
      State Description
      Draft All policies start in Draft state. In this stage, all compliance users can modify the policy and policy statements.
      Review The owner, owning group, and reviewers can modify the policy and policy statements and send it on to the next state.
      Awaiting Approval The policy is read only in this state. Approved policies move forward to the Published state. Unapproved policies move back to Review. If no approvers are identified on the policy form, the state is skipped and published without an approval.
      Published Approved policies are automatically published to a template-defined KB. Once a policy is published, it remains in a read-only state. The Valid to field on the policy form defines how long the policy is valid.

      When a policy reaches the end of the Review state and is Approved for publishing, it is automatically published to the GRC knowledge base (as defined in the Policy and Compliance > Administration > Properties. The article template field on the policy form defines the style of the published policy.

      Retired The KB article is removed when a policy is put into a Retired state.

      Policies

      Compliance managers catalog and publish internal policies that define a set of business processes, procedures, and or standards.

      Policy Statements

      Compliance managers catalog the policy statements and generate controls from those policy statements.

      Policy statements only reference a single policy, although they can cover multiple citations from different authority documents. They can be organized into Classification, Category, and Type.
      Note: UCF refers to policy statements as Controls. When UCF is data is imported, controls are imported into the policy statements table.
      • Create a policy

        A policy is a document which defines an internal practice that processes must follow. Policies are defined as policies, procedures, standards, plans, checklists, frameworks, and templates.

      • Approve and publish policy

        When a policy is approved, it is automatically published.

      • Review a policy

        It is important that the right people in your organization are involved in the review of policies.

      • Retire a policy

        Retiring a policy is part of the policy management process. It can be retired any time after being approved and published to the KB.

      • Create a GRC article template

        Policy and Compliance managers can create templates for policy article publishing.

      • Create a policy statement

        A policy statement is an objective, direction, or standard that acts as guidance for company interactions and operations. Policy statements can be categorized, classified, and related to policies.

      • Deactivate a policy statement

        Deactivate policy statements that are no longer relevant to their citation or policy statement.

      • Relate a policy statement to a policy

        Policy statements can be associated to a policy individually by choosing the policy in the document field on the policy statement, or by editing the policy statements related list.

      • Relate a policy statement to a citation

        A single policy statement can be mapped to many citations from different authority documents. This function allows you to test a policy statement once while complying with many different citations.

      • Create a citation

        Usually, authority documents, citations, and policy statements are downloaded from UCF. However, citations can be created manually from an authority document.

      • Deactivate a citation

        The Active option in a citation indicates whether the citation has been retired.

      • Deactivate an authority document

        The Active option in an authority document indicates whether the authority documents has been retired.

      Previous topic
      • Establish profile scoping for policies and controls
      Next topic
      • Manage policy exceptions

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login