Control Life Cycle - Difference between Review and Monitor state
12-24-2024 04:35 AM
Hello All,
What is the difference between the 'Review' state and the 'Monitor' state in the Control life cycle? How do these two help the customer?
12-25-2024 04:51 AM
Review State:
- Purpose: This state is used to evaluate the control after it has been attested. It involves a thorough review to ensure that the control is effective and meets the required standards.
- Activities: During this phase, compliance managers or administrators review the control's performance and documentation. They may identify any issues or areas for improvement.
- Customer Benefit: This state helps customers by ensuring that controls are thoroughly evaluated before they are put into continuous monitoring. It helps in identifying and addressing any gaps or weaknesses early on, thereby enhancing the overall effectiveness of the control framework.
Monitor State:
- Purpose: Once a control passes the review phase, it moves into the monitor state. This state involves continuous monitoring of the control's performance to ensure ongoing compliance.
- Activities: In this phase, indicators and automated tools are used to continuously assess the control's effectiveness. Any deviations or issues are flagged for immediate attention.
- Customer Benefit: Continuous monitoring provides real-time insights into the control's performance, allowing for proactive management of risks. It helps customers maintain compliance and quickly respond to any issues that arise.
By having both these states, ServiceNow GRC ensures that controls are not only implemented correctly but are also continuously effective, providing a robust framework for managing compliance and risk.
12-25-2024 05:25 AM - edited 12-25-2024 05:29 AM
Hi @Lokesh5 ,
Following is the lifecycle of the control state:
- Draft
Controls are created in draft state. They are automatically generated when you associate a policy with an Entity type or an Entity type with a control objective; they can also be manually created.
- Attest
Control owners are assigned to attest. When a control is set back to draft, the attestation is cancelled.
- Review
Controls are automatically moved to review from the attestation phase.
- Monitor
Compliance managers or administrators (only if they impersonate a user with a Compliance Manager role) can move a control from review to monitor state. In this state, indicators monitor the control's status.
- Retired
Compliance managers or administrators (only if they impersonate a user with a Compliance Manager role) can move a control from Monitor to Retired. All the associated indicators do not run and all the associated attestations are canceled.
If my response helped, please mark it as the accepted solution ✅ and give a thumbs up👍.
Thanks,
Anand
12-26-2024 07:11 AM
The control(s) will be assigned to the respondent for attestation, and once they submit the attestation questionnaire it will be sent to the reviewers for review; the workflow at this stage is moved from Attest -> Review. Once the review is complete and the control is moved into Monitor state (by clicking on the Monitor UI action), the control status is calculated as Compliant/Non-compliant. The control will be in Monitor state for its lifetime until it's moved back to draft for updates or moved to retire state if it's no longer in use.
Thanks
Srini