Mary Hain
Administrator

This is a developing series, and we'll continue to release new content over time. Bookmark this page to stay up to date and let us know in the comments what topics you'd like to see.

 

Welcome to the Speed Learning Series for Policy and Compliance Management (P&C), an app within our Integrated Risk Management (IRM) product. You'll find everything you need to implement and operate a structured compliance program on ServiceNow.

 

You'll learn how to build your authority document and policy library, manage the full policy lifecycle, author and redline policy documents, set up controls, attest compliance using the Smart Assessment Engine, and run your program from the Compliance Workspace.

 

Speed Learning Series – Policy and Compliance Management ▶ YouTube playlist 

Policy and Compliance Management provides a centralized platform for creating and managing policies, standards, and internal control procedures cross-mapped to external regulations and benchmarks — from HIPAA and GDPR to PCI DSS and beyond. It connects authority documents to internal policies, control objectives, and controls, then provides structured workflows to test, monitor, and continuously verify compliance. The result is a single, auditable compliance program that eliminates siloed tracking, reduces manual burden, and gives every compliance team member — from analyst to manager — a clear view of where things stand.

 

 

Foundational data and compliance library

Features that help you establish the data foundation your compliance program depends on — authority documents, citations, entity types, policies, and control objectives — before any assessment or monitoring begins.

 

Authority documents are the external regulations your organization must comply with (HIPAA, GDPR, PCI DSS, and others). Citations are the specific passages within those documents that create obligations. Policies define what your organization should or should not do. Control objectives sit at the hub of the application, tying authority documents and policies together and defining exactly how adherence is achieved. One control objective can simultaneously fulfill multiple internal and external requirements. You can populate your library manually or accelerate setup by importing through the Unified Compliance Framework (UCF) Common Controls Hub integration.

 

 

Policy lifecycle management

Features that guide a policy from creation through review, approval, publication, and eventual retirement — with structured state transitions, reviewer and approver assignments, and automatic Knowledge Base article generation on publish.

 

When a policy is created, it enters the Draft state, where control objectives and approvers are defined. It then moves to Review (editable by assigned reviewers), Awaiting Approval (an approval task is created and routed to the approver), and Published (a KB article is auto-generated, and the policy becomes active and a mandate for all users). Policies can be retired when no longer required, with the record retained for audit purposes. Alongside standard policies, the Policy Exception module lets teams formally document and approve situations where a policy or control cannot be met.

 

 

Policy authoring and redlining

Features that enable policy owners, collaborators, reviewers, and approvers to collaboratively draft, edit, and redline policy documents — with full version history maintained for audit purposes — directly from the Compliance Workspace.

 

Policies tend to become outdated as organizations grow or restructure, so authoring and redlining capabilities are built to support consistent, auditable revision cycles. Policy owners and collaborators draft policy text using Microsoft OneDrive, Microsoft SharePoint, or Google Drive. Reviewers then redline and annotate the document in real time within the same cloud environment. Approvers can review and formally approve the final version before it moves to the Published state.

 

Every revision cycle produces a new policy version, and the full history is retained. For organizations without a cloud integration, policy text can also be imported as an attachment directly in the Compliance Workspace.

 

Note: Policy authoring and redlining are available exclusively to ServiceNow cloud-based customers. Cloud integration requires Microsoft OneDrive, Microsoft SharePoint, or Google Drive, each with specific spoke and Integration Hub entitlement requirements.

 

 

Control assessment and continuous monitoring

Features that help you test controls, assess their effectiveness through attestations and indicators, identify compliance gaps, and track remediation — creating a continuous monitoring loop tied directly to your policy and control framework.

 

Controls are specific implementations of a control objective. Indicators allow you to run scheduled tests (daily, weekly, monthly, quarterly) and mark results Pass or Fail, with issues created automatically on failure. Attestations are ad hoc assessments of control compliance, powered by the Smart Assessment Engine.

 

When a gap is identified, whether from an indicator failure, attestation result, or audit finding, an issue is created and a remediation task can be logged and tracked through to closure. Issues are shared across Policy and Compliance, Risk Management, and Audit Management.

 

 

Compliance Workspace

Features that give compliance managers and analysts a unified, role-aware interface for managing all compliance activity — policy approvals, control objectives, acknowledgment campaigns, control tests, and task queues — from a single home page.

 

The Compliance Workspace provides distinct home pages for the Corporate Compliance Manager, Corporate Compliance Analyst, and IT Compliance Manager. Each view surfaces role-relevant widgets: donut charts for compliant and non-compliant authority documents, policies, and entities; control assurance tracking; and a unified tasks page for both your own tasks and your team's. The List view summarizes all compliance-related records in one place and supports informed decision-making without navigating across modules.

 

 

Policy and Compliance Management Speed Learning Playlist

 

Watch the latest video tutorials from the Speed Learning Series.

 

ServiceNow University

 

The GRC: Policy and Compliance Management Implementation learning path on ServiceNow University packages the required content and assessments for implementation specialists. Courses cover authority document setup, policy and control configuration, attestation workflows, and Compliance Workspace operation.

 

 

Policy and Compliance Management FAQs

 

What is Policy and Compliance Management in ServiceNow?

Policy and Compliance Management is ServiceNow's centralized solution for creating and managing policies, standards, and internal control procedures that are cross-mapped to external regulations and benchmarks. It provides structured workflows for identifying, assessing, and continuously monitoring control activities across the organization.

 

What is the relationship between authority documents, citations, policies, and control objectives?

Authority documents are the external regulations your organization must comply with. Citations are the specific passages within those documents that create obligations. Policies define how your organization will respond internally. Control objectives sit at the center — they tie authority documents and policies together and define exactly how adherence is achieved. One control objective can simultaneously fulfill multiple internal and external requirements.

 

How does the policy lifecycle work?

A policy moves through five states: Draft (created and defined), Review (reviewed and edited by assigned reviewers), Awaiting Approval (approval task routed to the approver), Published (active, with KB article auto-generated), and Retired (inactive, record preserved for audit). Each state has specific roles and available actions, and policies can be rolled back if further work is needed.

 

What is policy authoring and redlining, and who can use it?

Policy authoring and redlining allow policy owners, collaborators, reviewers, and approvers to draft and redline policy documents using Microsoft OneDrive, Microsoft SharePoint, or Google Drive — directly from the Compliance Workspace. Full version history is maintained for audit purposes. The feature is available exclusively to ServiceNow cloud-based customers and requires specific spoke and Integration Hub entitlements for cloud integration.

 

How do controls get created and what is a control test?

Controls are specific implementations of a control objective. They can be generated automatically when a policy is associated with an entity type or created manually. A control test verifies whether the control is effective in achieving its objective. Indicators allow control tests to run on a schedule and automatically create an issue if the test fails.

 

What is the difference between an attestation and an indicator?

Indicators are scheduled, recurring tests of a control — run daily, weekly, monthly, or quarterly — with a Pass/Fail result. Attestations are ad hoc assessments powered by the Smart Assessment Engine that gather compliance evidence at a point in time. Both can trigger issue creation when compliance is not confirmed.

 

What is the Compliance Workspace and who uses it?

The Compliance Workspace is a unified interface where compliance managers and analysts manage all tasks related to policies, control objectives, controls, and policy exceptions. It provides role-specific home pages for the Corporate Compliance Manager, Corporate Compliance Analyst, and IT Compliance Manager — each with relevant dashboards, task queues, and record lists.

 

How does Policy and Compliance Management connect to the rest of the GRC suite?

Issues are shared across Policy and Compliance, Risk Management, and Audit Management — meaning a control failure identified in compliance can be tracked and remediated in a shared context. Controls and control objectives can also be linked to risks, and control test results feed into the broader risk posture visible in the Risk Workspace.

 

Have feedback on the Speed Learning experience? Leave a comment below and let us know which topics you'd like to see covered next.
