Can someone provide an example of how to use the controls (control objectives), which UCF generates in the ServiceNow IRM tool, for an audit engagement? Currently, before UCF integration, we manually uploaded ISO27001 controls and have been testing them with a one to one format. This means, we would take a control such as 8.1 User endpoint devices and test it for different entity types and entities. Now that we have UCF, it's difficult to see how we can test these controls against entities when a lot of the citations don't generate control objectives and some citations generate several control objectives. If someone has an example of how they would conduct an audit engagement with the UCF citations/control objectives, please share. This will help us identify the best way to start testing with the UCF integration. Thank You.
