What This Addresses
Before the Australia (Q1 2026) release, a cascade changes business rule applied edits to control objectives immediately on live records—including in-flight control attestations. As a result, any compliance user could directly update a control objective record with no review process, resulting in the undesirable outcome of unreviewed changes affecting downstream records such as controls, policies, risk statements, and issues. Whether you changed a testing frequency or fixed a typo, every associated control reset to Draft. This made updating control objectives difficult, and teams often deferred updates or created unnecessary duplicates to avoid triggering mass re-attestation.
The Control Objective Workflow, generally available in Australia (Q1 2026), introduces a staging model and a Major/Minor revision type. Edits happen on a staging record while the published version stays active, and the downstream records (controls, policies, risk statements, and issues) continue to reference the current published version through the staging process. When the new control objective is published, you choose whether controls should reset (Major change) or just sync the new values (Minor change). If the changes are rejected during the review, the published record remains unaffected.
Turn Control Objective workflow on when your organization needs governed change management over control objectives with approval workflows and downstream impact management. Watch a short video of the feature here.
How the Staging Model Works
There are five workflow states for the Control Objective (see image).
When you edit a published control objective, changes are drafted on a staging record, as against the published record. The published record remains active—controls, policy exceptions, and risk statements continue referencing it until you explicitly publish the staging changes. The staging record remains inactive until published, moving through states.
Key behaviors:
- One staging record per control objective, reused each edit cycle. This means you cannot have parallel change requests on the same control objective—one edit must be published or abandoned before another can begin.
- Staging record is retained after publishing for audit trail.
- This workflow governs control objective content changes. To modify control associations, use the existing process.
- Configurable review & approval workflow depending on organizational needs.
Choosing Major or Minor changes
When you start editing, you select a revision type: Major or Minor. This determines what happens to associated controls when you publish.
|
Major change |
Minor change |
|
The meaning or intent of the control objective changed substantially |
Corrections - spelling, typos, or rewording that does not change functional meaning |
|
Downstream controls reset to Draft → re-attestation required |
Controls stay in current state → new values of Control Objective sync, no re-attestation necessary |
|
Examples: • Changing testing frequency from quarterly to monthly • Adding new requirements to the control objective • Modifying the scope of what the control covers • Changing evidence requirements |
Examples: • Fixing typos or grammatical errors • Clarifying wording without changing meaning • Updating formatting or structure • Correcting metadata fields |
The revision type is subjective—it is not enforced by the system. Reviewers can reject a change if the selected type does not match the scope of the edit. You can change the revision type using "Update Revision Type" before publishing.
The control objective workflow states Draft -> Review -> Approved -> Published remains the same for both major and minor changes.
Things to Remember
Policy Association Constraint
You cannot publish control objective changes if the associated policy is in Published, Retired, or pending-approval state. Move the policy to Draft or Review first.
Active Flag Sync
Published state equals Active = true. All other states equal Active = false. If you set Active = false directly on a published record, the state automatically changes to Retired.
Effective Date
Effective Date is optional. If set in the Approved state, the record auto-publishes on that date. If left blank, the system populates it with the actual publish date when you click Publish.
Key Implementation Steps
- Enable the workflow: Navigate to Policy and Compliance > Administration > Properties and enable "Enable control objective workflow." See product documentation for details.
- Configure approval rules: Navigate to Assignment and Approval Configurations > Approval Configurations to create rules for control objective approvals. No out-of-box rules are shipped—you must configure them for the workflow to require approvals. See product documentation for configuration guidance.
Planning Your Implementation
Governance
- Document what constitutes Major vs Minor for your organization and get stakeholder alignment.
- Establish a review cadence for keeping approval roles and levels current.
Operations
- Monitor for abandoned staging records—a new edit cannot begin on a control objective until the existing staging record is published or cleared.
Auditing
- Staging records are retained after publishing, providing a complete audit trail of control objective changes over time.
Roles and Capabilities
|
ServiceNow Role |
Persona |
Capabilities |
|
sn_compliance.admin |
Admin |
· Enable workflow property · configure approval rules |
|
sn_compliance.user |
Compliance User / Control Objective Owner / Owning Group |
· Create new control objectives · Edit draft/staging records · Request Review, set Effective Date, Publish |
|
sn_compliance.manager |
Compliance Manager |
· Edit at any stage regardless of ownership · Can perform all workflow actions · Can change revision type (major vs minor) before publishing |
|
Configured via Approval Rules (optional) |
Approver |
· Approve or reject records in Review state · Rejection returns record to Draft |
What Else Would Help?
Have use cases for control objective changes that this workflow doesn't yet address? Drop them in the comments—your input helps shape what comes next.
