How does ServiceNow's GRC product help for a SOC 2 audit?

kathymorris
Tera Contributor

Hi,

We are going through a SOC 2 audit. How do ServiceNow's GRC products help us to better position ourselves for the SOC 2 audit? Which products within the suite are related to the SOC 2 audit?

How are other companies leveraging ServiceNow's GRC for SOC 2?

Thanks

Kathy

1 ACCEPTED SOLUTION

jing3
Mega Guru

Policy and Compliance:

- Select controls required by SOC2 (UCF integration)
- Assign controls to owners
- Attest controls
- Gather evidence of control effectiveness

Audit:

- Planning engagement
- Gather the evidence needed directly from P&C, or additional task
- Create reports

More examples (not SOC 2, but good examples of how GRC is being used to meet a given set of requirements):

Check out GRC: NIST RMF Use Case Accelerator, GRC: NIST CSF Use Case Accelerator and GRC SOX Content Pack


2 REPLIES


Emile ten Hoor
Kilo Contributor

Hi Kathy,

A large number of our customers use ServiceNow as an ITSM tool. The information used for a SOC2 audit is primarily incident management logs and the change management process. Within these processes the existence of procedures is audited (are controls correctly designed in accordance with the descriptions in the SOC2 report) and the operational effectiveness of procedures is audited, in which the contents of incidents are reviewed against the control objectives.

We feel that ServiceNow could be a more integrated tool to achieve automated auditing in which evidence is automatically audited and exceptions are automatically identified.

If you require more information on SOC2 or would like to get more information on SOC2, I can arrange for our learning partner, who provides a SOC2 course, to help you further on this subject.