
Smart Assessment - One Assessment for Multiple Controls

ShafrazMubarak
Giga Guru
We have a business requirement as follows.
 
The client currently uses a 'Network Security Checklist' Excel sheet, which is sent to the network team. This Excel sheet contains a list of questions. Each question maps to a control objective (and citations). The Network Team control owner provides binary answers (Yes/No/Partial) for implementing those controls. Now, the client wants the same questionnaire to be triggered, and the control owner should be able to see and work in only one single interface where he/she is able to provide answers to all the questions.
 
Instead of creating many controls, we want one control and one attestation sent to the Network team; when they attest (with evidence), we need all mapped control objectives and citations to update their compliance scores automatically. (Using Smart assessment, we can build the questionnaire)
 
What’s the best OOB approach to model this—Attestation Designer (single template with questions) vs Control Test + Indicators mapped to multiple objectives? How should we set up the mappings, scoring/rollups, evidence reuse, and automation (Flow Designer vs light scripting) so it’s auditable, upgrade-safe, and easy to maintain (recurring cadence, reporting)? Any pitfalls when one control drives many objectives across multiple authority documents, and tips for keeping performance and data model clean would be appreciated. 

Sebastien Fix
Giga Guru

"Instead of creating many controls, we want one control and one attestation sent to the Network team; when they attest (with evidence), we need all mapped control objectives and citations to update their compliance scores automatically"

 

You cannot have one control record and one attestation to update all control objectives and citations. The easiest path based on your description would be to define one SAE template for all control objectives, and then issue a combined assessment to the end users.

 

https://www.servicenow.com/docs/r/governance-risk-compliance/smart-assessment-engine/combine-assessm...

 

They will then have all controls in one interface, but each question (yes/no) would actually be linked to the control. When they submit the questionnaire, they will in fact have replied to all X controls by answering all X questions.