What is the difference between a policy statement and a policy in GRC?

juan9
Giga Guru

What is the difference between a policy statement and a policy in GRC?

What are the names of the tables for a policy statement and a policy in GRC?

I keep seeing that they are different, but I can't find the tables for policy statement, only policy.

1 ACCEPTED SOLUTION

Community Alums
Not applicable

Hi @juan9 ,

These two terms are often confusing just because of the table names!!

Policy, for which the table name is "sn_compliance_policy": these represent what the company has decided they want to follow. This helps drive the culture of their company. These are the policies they want their employees to follow. Examples of Policies could include: Acceptable Use Policy, Expense Policy, Facility Access Policy, Non-Charitable Contribution Policy. It can also include procedures, standards, etc. In the baseline there are about 7 different types. There is no workflow in the baseline for the different types.

Now we have Control Objectives, whose table name is "sn_compliance_policy_statement". A Policy can have sub-policies. A Policy should also have children that are stored in the Policy Statement table. These further define the Policy. It is from Policy Statements that Controls are created. Policy Statement is a ServiceNow term that is often misunderstood by customers. Other names for this table could be Control Objective, Control Template or Requirement. Regardless of what you call it - it is a breakdown of the Policy. These are statements that describe how the company wants to manage the policy. And BTW Policy Statements can also have sub-policies.

 


7 REPLIES

DUGGI
Giga Guru

@juan9 

 

In ServiceNow GRC, a policy is a document that outlines a set of rules, guidelines, or standards that an organization must follow to achieve compliance with a specific regulation, industry standard, or best practice. A policy statement, on the other hand, is a specific provision or requirement within a policy document that defines a particular rule or guideline.

 

The main difference between a policy statement and a policy is that a policy statement is a smaller and more granular component of a policy document. A policy may consist of multiple policy statements, each of which addresses a specific aspect of the policy.

 

In ServiceNow GRC, the name of the table for policies is "sn_grc_policy." This table stores the policy documents and associated metadata, such as the policy owner, policy type, and policy category.

 

There is also a related table called "sn_grc_policy_statement," which stores the policy statements associated with each policy document. This table stores the statement text, statement number, and other details related to the policy statement.

 

Both the "sn_grc_policy" and "sn_grc_policy_statement" tables can be accessed through the ServiceNow platform and can be used in GRC workflows and processes.

 Not sure what I am doing wrong because those tables don't exist in my instance.

The table "sn_compliance_policy" does exist though, which is the policy.

 


 

 

I have installed GRC, so not sure what I am missing.

@DUGGI 

 

juan9
Giga Guru


@DUGGI also, when I look at the policy to policy statement m2m table I see policy to control objective.

So where is the policy statement table?