Citation and Controls import if you don't have UCF account
12-28-2024 09:49 AM
Implementing ISO 27001:2022 Framework and we don't have UCF subscription so what is the best way to
1. Create controls
2. Import Controls
3. Authority Document
4. Citations
5. Linking of these all
Thanks.....Regards
MP
12-28-2024 09:54 AM
Implementing the ISO 27001:2022 Framework in ServiceNow without a Unified Compliance Framework (UCF) subscription can be a bit of a manual task, but it can be done. Here's how you could approach it:
Create Controls: First, you need to know what controls you're dealing with. These are usually found in the ISO 27001 Standard Documentation. In ServiceNow, navigate to Policy and Compliance > Compliance > Controls, then click New and fill in the necessary fields like Name, Description, Control Objective, and more. These details should be aligned with what's in the ISO 27001 Standard.
Import Controls: You can use Import Sets and Transform Maps to import bulk Controls data from a spreadsheet. Prepare your Excel file containing the control details as per ISO 27001, upload it in Import Sets, and create a Transform Map to map the Excel fields to the Control table fields.
Authority Document: Authority documents are created in the Policy and Compliance > Compliance > Authority Documents. Click New and add the Name (ISO 27001: 2022 Framework) and Description, and set the State to Published.
Citations: Citations are specific requirements or provisions found in an authority document. In this case, each of the controls from the ISO 27001 documentation would have its own citation. Create one for each control in Policy and Compliance > Compliance > Citations. Each citation should be linked to the appropriate authority document.
Linking: Now link everything together.
On each Citation record, associate the correct Control from the Controls table.
For each Citation, you should link it back to the Authority Document using the provided field.
Under each Control, in the Compliance section, associate the control with appropriate Citation.
This process will manually create the Compliance Framework, linking the controls to citations to the authority document.
Remember, ISO 27001 is a comprehensive standard, and entering all the controls, citations, and associating them can be a lengthy process. Make sure you have the correct and complete information before entering it into the system.
Also, always make sure to test the process flow, fine-tuning it based on your organization's needs before deploying it for all users.

01-11-2025 01:38 PM
Hi @Mahendraphadke ,
If you don't have third party tools like UCF you can use manual import to load data into ServiceNow. Always create
1. The Authority document first
2. Load citations and map them with the Authority document
3. Load the control objectives
4. Map the control objectives with the citations using the m2m table
Here are 5 Best Practices for GRC Library Integration with ServiceNow
Test Data Sources Early
Always test load a small batch of records (e.g., 20) from your data source to verify connectivity and format before proceeding with transformations.
Use Auto-Mapping for Fields
Leverage the Auto Map Matching Fields feature in Transform Maps to ensure accurate field mapping and reduce manual errors. Double-check critical fields like u_source_id.
Set Coalesce Fields Correctly
Define coalesce fields, such as u_source_id, to ensure proper deduplication and linking of records across Authority Documents, Citations, and Control Objectives.
Maintain Logical Execution Order
Ensure Transform Maps are executed in ascending order (e.g., 100, 101, 102) to maintain data integrity and proper linkage between imported records.
Validate Results After Each Step
After each transform, review imported records to confirm data accuracy and relationships (e.g., Authority Documents linked to Citations and Control Objectives).
If you like this response click helpful,
Thanks,
Mohammed.
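
An added example, not part of either reply and not ServiceNow code: a pre-import check that can be run over the spreadsheets before they are uploaded, flagging blank or repeated `u_source_id` values (which break coalesce matching) and references to records that would not exist at load time. Only `u_source_id` comes from the thread; the other column names, the sheet layout and every row value are assumptions.

```python
import csv
import io

# Constructed sample sheets. Only u_source_id comes from the thread; the
# other column names and all row values are assumptions for illustration.
AUTHORITY = "u_source_id,name\nAD-ISO27001,ISO 27001:2022\n"
CITATIONS = (
    "u_source_id,name,authority_source_id\n"
    "CIT-5.1,Constructed citation one,AD-ISO27001\n"
    "CIT-5.2,Constructed citation two,AD-ISO27001\n"
    "CIT-5.2,Constructed duplicate row,AD-ISO27001\n"
    "CIT-5.3,Constructed citation three,AD-MISSING\n"
)
CONTROLS = "u_source_id,name\nCO-001,Constructed control objective\n"
M2M = "citation_source_id,control_source_id\nCIT-5.1,CO-001\nCIT-5.9,CO-001\n"

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def keys(records):
    return {(r.get("u_source_id") or "").strip() for r in records}

def key_problems(sheet, records):
    """Blank or repeated u_source_id values break coalesce-based matching."""
    problems, seen = [], set()
    for line, rec in enumerate(records, start=2):  # line 1 is the header
        key = (rec.get("u_source_id") or "").strip()
        if not key:
            problems.append(f"{sheet} line {line}: blank u_source_id")
        elif key in seen:
            problems.append(f"{sheet} line {line}: duplicate u_source_id {key}")
        seen.add(key)
    return problems

def dangling_refs(sheet, records, column, parent_keys):
    """A reference to a key that was never loaded cannot be linked."""
    return [f"{sheet} line {line}: {column} {rec[column]} not found"
            for line, rec in enumerate(records, start=2)
            if rec[column].strip() not in parent_keys]

def validate(authority, citations, controls, m2m):
    a, c, o, m = map(load, (authority, citations, controls, m2m))
    return (key_problems("authority", a) + key_problems("citations", c)
            + key_problems("controls", o)
            + dangling_refs("citations", c, "authority_source_id", keys(a))
            + dangling_refs("m2m", m, "citation_source_id", keys(c))
            + dangling_refs("m2m", m, "control_source_id", keys(o)))

if __name__ == "__main__":
    print("\n".join(validate(AUTHORITY, CITATIONS, CONTROLS, M2M)) or "OK")
```

An empty result means every sheet can be loaded in the order described above (authority document, citations, control objectives, then the m2m mapping) without leaving unlinked rows.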