How Compliance Score is Calculated in ServiceNow GRC
06-22-2025 12:20 AM - edited 06-22-2025 12:22 AM
Understanding Compliance Score in ServiceNow GRC
In ServiceNow GRC, the Compliance Score provides insights into how well the organization is adhering to defined control objectives and how those controls are being enforced across various entities (like Windows Servers). This article walks through a step-by-step example to help understand how these scores are calculated and interpreted.
Step-by-Step Example
1. Create an Entity Class
Create a new Entity Class: Windows Servers.
2. Define the Entity Type
Create an Entity Type named Windows Servers.
Add an Entity Filter with the table: cmdb_ci_win_server, along with an appropriate condition to filter relevant CI records.
3. Initial Compliance Score
At this point, the Compliance Score for the Entity Type is 0%, as no control objectives or assessments have been added yet.
- Click Update Entities from Filters to create the associated Entities.
4. Add Control Objectives
Add two Control Objectives.
- Ensure Security Patches Are Applied Within 7 Days of Release
- Enforce Password Expiry Every 30 Days
Their initial Compliance Score is also 0% since no controls have been assessed.
Control Objective Example 1: Ensure Security Patches Are Applied Within 7 Days
5. Control State Changes
Open the Control Objective: Ensure Security Patches Are Applied Within 7 Days of Release.
From the Related List, move four associated Controls to the Attest state.
6. GRC Task Updates
In GRC Tasks, mark:
- First three controls as Compliant
- Fourth control as Non-Compliant
7. Compliance Score Calculation – Control Objective
Return to the Control Objective. The Compliance Score is now updated to 75%.
Formula:
(Compliant control scores + Non-Compliant control scores) / (Total control score, excluding Draft)
= (10 + 10 + 10 + 0) / 40 = 30 / 40 = 75%
8. Impact on Entity Type Compliance Score
The Windows Servers Entity Type now also shows a 75% Compliance Score.
⚠️ It's important to note that the Control Objective Compliance Score and the Entity Type Compliance Score are calculated differently.
How Entity Type Compliance Score is Calculated
The score is based on how many Controls associated with each entity have met the conditions.
Example breakdown:
1st, 2nd, and 3rd Entities: Controls are Compliant → 100%
4th Entity: Control is Non-Compliant → 0%
Formula:
(Sum of Entity compliance scores) / (Total possible compliance score, excluding Draft Controls on Entities)
= (100 + 100 + 100 + 0) / (100 + 100 + 100 + 100) = 300 / 400 = 75%
Control Objective Example 2: Enforce Password Expiry Every 30 Days
9. Additional Control State Changes
Move two Controls to Attest state.
From GRC Tasks, mark both as Non-Compliant.
10. Compliance Score – Control Objective
Compliance Score remains 0%.
Calculation:
(0 + 0) / 20 = 0%
11. Updated Entity Type Score
The Windows Servers Entity Type score drops to 50% after accounting for both Control Objectives.
Entity breakdown:
1st & 2nd Entities: One control Compliant out of two → 50%
3rd Entity: One control Compliant, one in Draft → 100%
4th Entity: One control Non-Compliant, one in Draft → 0%
Formula:
(50 + 50 + 100 + 0) / 400 = 200 / 400 = 50%
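The two calculations walked through in steps 5 to 11 (the Control Objective score in steps 7 and 10, the Entity Type score in steps 8 and 11), replayed as an added worked example in plain JavaScript. This is not code from the original post and not ServiceNow's own scoring code; the entity names and the record layout are constructed, and the reading that Draft controls are dropped from every denominator while an attested control earns credit only when its GRC task result is Compliant is an assumption taken from the post's numbers:

```javascript
// Added example, not ServiceNow code: a plain-JavaScript model of the two
// compliance-score formulas the post walks through, replayed against the
// post's own numbers. Entity names and the record shape are constructed;
// the only inputs that matter are the control state (Draft / Attest) and
// the GRC task result (Compliant / Non-Compliant).

const ENTITIES = ["win-srv-01", "win-srv-02", "win-srv-03", "win-srv-04"]; // constructed names
const PATCH_CO = "Ensure Security Patches Are Applied Within 7 Days of Release";
const PASSWORD_CO = "Enforce Password Expiry Every 30 Days";

// Build the control records as they stand after a given step of the post.
// Each Control Objective has one Control per Entity.
function buildControls(afterStep) {
  const controls = [];
  ENTITIES.forEach((entity, i) => {
    // Steps 5-6: all four patch controls attested; the first three Compliant.
    controls.push({
      objective: PATCH_CO,
      entity,
      state: "Attest",
      result: i < 3 ? "Compliant" : "Non-Compliant",
    });
    // Step 9: only the first two password controls are attested, both
    // Non-Compliant; the other two stay Draft. Before step 9 all four are Draft.
    const attested = afterStep >= 9 && i < 2;
    controls.push({
      objective: PASSWORD_CO,
      entity,
      state: attested ? "Attest" : "Draft",
      result: attested ? "Non-Compliant" : null,
    });
  });
  return controls;
}

// Share of non-Draft controls whose result is Compliant, as a whole-number
// percentage. The post scores each control 10 (Compliant) or 0 and divides by
// 10 x the non-Draft count; the ratio is the same. With nothing assessed the
// score is 0%, matching the post's starting point (assumption for the 0/0 case).
function compliantShare(controls) {
  const assessed = controls.filter((c) => c.state !== "Draft");
  if (assessed.length === 0) return 0;
  const compliant = assessed.filter((c) => c.result === "Compliant").length;
  return Math.round((compliant / assessed.length) * 100);
}

// Control Objective score: one objective, across all entities.
function controlObjectiveScore(controls, objective) {
  return compliantShare(controls.filter((c) => c.objective === objective));
}

// Entity score: one entity, across all objectives (Draft excluded).
function entityScore(controls, entity) {
  return compliantShare(controls.filter((c) => c.entity === entity));
}

// Entity Type score: sum of entity scores over 100 x number of entities,
// i.e. the post's (50 + 50 + 100 + 0) / 400.
function entityTypeScore(controls, entities = ENTITIES) {
  if (entities.length === 0) return 0;
  const earned = entities.reduce((sum, e) => sum + entityScore(controls, e), 0);
  return Math.round(earned / entities.length);
}

// Replay the post: the state after step 6 (patch controls assessed) and after
// step 10 (password controls assessed).
function replay() {
  const afterStep6 = buildControls(6);
  const afterStep10 = buildControls(10);
  return {
    step7PatchObjective: controlObjectiveScore(afterStep6, PATCH_CO), // 75
    step8EntityType: entityTypeScore(afterStep6), // 75
    step10PasswordObjective: controlObjectiveScore(afterStep10, PASSWORD_CO), // 0
    step11EntityType: entityTypeScore(afterStep10), // 50
  };
}

console.log(replay());
```

The point the model makes visible is the one the post flags: the Control Objective score averages over controls, while the Entity Type score averages over entities. That is why the two Draft password controls leave the second objective at 0% but still let the 3rd Entity stand at 100% (its only assessed control is Compliant) and the 4th at 0%, giving 50% overall rather than the 37.5% a single pooled average of all six assessed controls would produce.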
Summary
Control Objective Compliance Score: Measures how well a single rule (Control Objective) is being complied with across its associated Entities.
Entity Type Compliance Score: Reflects how many rules (Control Objectives) are being complied with by the Entities of that Entity Type.
If the above information helps you, kindly mark it as Helpful.
Regards,
Najmuddin.
06-22-2025 01:24 AM
Thanks for sharing this information