How to implement control objective periodic authoring, review, redlining and approval?
02-11-2025 02:00 PM
I know that the current process authoring and redlining is limited to the policies table. This was confirmed today by the product team. How does everyone review their control objectives? We have a requirement to do so at least annually.
I have submitted an idea into the Idea portal to extend the current functionality to the control objective table but knowing how long it would take to get implemented if ever I am looking for an alternative method.
Would appreciate community to review and comment on the idea as well.
Thank you!
02-11-2025 02:01 PM
Link to the idea in the Idea Portal: View Idea Page - Idea Portal
02-17-2025 11:50 AM
If you are linking your Control Objectives to Policies, you should have the "Valid To" be the trigger to review all the Control Objectives which support the Policy.
- Update the Policy
- Update the Control Objectives (2 ways):
  - Modify in place (impacting historical and current assessments)
  OR
  - Retire current and create newly worded Control Objectives (time consuming, but does not impact historical records)
Remember the Power of Test Once, Apply Many means that we can associate the different Citations from the different frameworks (NIST, ISO, etc.) into ONE Control Objective.
If you are using Regulatory Change Management (RCM) this would also help in the review of Control Objectives when new Regulations are released.
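The review cycle described in the post above, as an added example that is not from the thread or from ServiceNow: a plain JavaScript model of the policy "Valid To" date acting as the review trigger for linked Control Objectives, followed by the two update strategies (modify in place versus retire-and-recreate) and the effect each has on history. All records, field names (`valid_to`, `citations`, `review_history`) and identifiers are constructed for this illustration; in a real instance the same logic would run as a scheduled script against the policy and control objective tables rather than against in-memory arrays.

```javascript
// Added example (constructed data, no ServiceNow API): models the "Valid To"
// review trigger and the two Control Objective update strategies.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample policies; valid_to is the date the policy expires.
const policies = [
  { id: 'POL-001', name: 'Access Control Policy', valid_to: '2025-03-15' },
  { id: 'POL-002', name: 'Logging Policy',        valid_to: '2025-12-31' },
];

// Constructed sample Control Objectives. Each links to one policy, names an
// owner, and carries citations from several frameworks ("test once, apply many").
const controlObjectives = [
  { id: 'CO-001', policy: 'POL-001', owner: 'alice', state: 'active',
    text: 'User accounts are reviewed quarterly.',
    citations: ['NIST AC-2', 'ISO 27001 A.9.2.5'], review_history: [] },
  { id: 'CO-002', policy: 'POL-001', owner: 'bob', state: 'active',
    text: 'MFA is required for remote access.',
    citations: ['NIST IA-2'], review_history: [] },
  { id: 'CO-003', policy: 'POL-002', owner: 'carol', state: 'active',
    text: 'Security logs are retained for one year.',
    citations: ['NIST AU-11'], review_history: [] },
];

// Returns active Control Objectives whose parent policy reaches "Valid To"
// within windowDays of today (ISO date string). These are the records to
// route to their owners for review; the policy date is the only trigger.
function objectivesDueForReview(policyList, objectives, today, windowDays) {
  const now = Date.parse(today);
  const duePolicyIds = new Set(
    policyList
      .filter(p => Date.parse(p.valid_to) - now <= windowDays * DAY_MS)
      .map(p => p.id)
  );
  return objectives.filter(co => co.state === 'active' && duePolicyIds.has(co.policy));
}

// Groups due objectives by owner so each owner gets one review task.
function reviewTasksByOwner(dueObjectives) {
  const tasks = {};
  for (const co of dueObjectives) {
    (tasks[co.owner] = tasks[co.owner] || []).push(co.id);
  }
  return tasks;
}

// Strategy 1: modify in place. The wording changes on the existing record,
// so any historical assessment that points at this record now shows the new text.
function modifyInPlace(co, newText, reviewer, date) {
  co.text = newText;
  co.review_history.push({ date, reviewer, action: 'modified in place' });
  return co;
}

// Strategy 2: retire the current record and create a newly worded one.
// The retired record keeps its original text, so historical assessments are
// unchanged; citations are copied so the framework mapping is preserved.
function retireAndRecreate(objectives, co, newId, newText, reviewer, date) {
  co.state = 'retired';
  co.review_history.push({ date, reviewer, action: 'retired, replaced by ' + newId });
  const replacement = {
    id: newId, policy: co.policy, owner: co.owner, state: 'active',
    text: newText, citations: co.citations.slice(),
    review_history: [{ date, reviewer, action: 'created from ' + co.id }],
  };
  objectives.push(replacement);
  return replacement;
}

// Stand-alone demo: which objectives are due 30 days before 2025-03-15?
const due = objectivesDueForReview(policies, controlObjectives, '2025-02-17', 30);
console.log('Due for review:', due.map(co => co.id), reviewTasksByOwner(due));
```

Running the block as-is lists `CO-001` and `CO-002` (both under `POL-001`, which expires within the 30-day window) and one task per owner; `CO-003` is not due. Retiring and recreating a record changes which ids are active, so a second run of `objectivesDueForReview` after that step returns the replacement rather than the retired original.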
02-18-2025 06:35 AM
I don't see how that would help with redlining and approval flow of each objective itself.
We have owners for each objective, currently documented in a SharePoint, and all the redlining has to be done manually outside of ServiceNow.
02-20-2025 01:58 AM
It depends on what exactly you are looking for. If you have manually self-created control objectives, you have to check them whenever the associated policy document is due for review.
If you want to do this in accordance with regulatory frameworks you can use e.g. the Unified Compliance API and receive all this automatically when the regulatory framework changes. So you only have to check your manually created ones.