what is the difference between a policy statement and a policy in grc?

juan9
Giga Guru

what is the difference between a policy statement and a policy in grc?

 

what is the name of the tables for policy statement and a policy in grc?

 

I keep seeing that they are different, but I can't find the tables for policy statement, only policy.

1 ACCEPTED SOLUTION

Community Alums
Not applicable

Hi @juan9 ,

These two terms are often confusing just because of the table names!!

Policy, for which the table name is "sn_compliance_policy", represents what the company has decided they want to follow.  This helps drive the culture of their company.  These are the policies they want their employees to follow.  Examples of Policies could include:  Acceptable Use Policy, Expense Policy, Facility Access Policy, Non-Charitable Contribution Policy.  It can also include procedures, standards, etc.  In the baseline there are about 7 different types.  There is no workflow in the baseline for the different types.

Now we have Control Objectives, whose table name is "sn_compliance_policy_statement".  A Policy can have sub-policies.  A Policy should also have children that are stored in the Policy Statement table.  These further define the Policy.  It is from Policy Statements that Controls are created.  Policy Statement is a ServiceNow term that is often misunderstood by customers. Other names for this table could be Control Objective, Control Template or Requirement. Regardless of what you call it - it is a breakdown of the Policy.  These are statements that describe how the company wants to manage the policy.  And BTW, Policy Statements can also have sub-policies.
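An added example (not code from this thread, and not ServiceNow's own schema or API) that models the breakdown the accepted answer describes: policies with sub-policies in sn_compliance_policy, and control objectives with sub-statements in sn_compliance_policy_statement, each objective pointing at its policy. The two table names come from the thread; the record shape (sys_id, name, parent, policy), the sample records, and the orphan check are assumptions made for illustration, so verify field names against the dictionary on your own instance before adapting this to data pulled from the Table API. It runs offline under Node.

```javascript
// Added example, not code from the thread or from ServiceNow.
// Models the hierarchy the accepted answer describes:
//   sn_compliance_policy            -> policies, which may have sub-policies
//   sn_compliance_policy_statement  -> control objectives, each pointing at a
//                                      policy, which may have sub-statements
// ASSUMPTION: the field names sys_id/name/parent/policy and every record below
// are constructed for illustration; they are not the platform's real schema.

const policies = [
  // constructed records, as if read from sn_compliance_policy
  { sys_id: "pol1", name: "Information Security Policy", parent: "" },
  { sys_id: "pol2", name: "Password Policy", parent: "pol1" },
  { sys_id: "pol3", name: "Remote Access Policy", parent: "pol1" },
  { sys_id: "pol4", name: "Expense Policy", parent: "" },
];

const statements = [
  // constructed records, as if read from sn_compliance_policy_statement
  { sys_id: "ps1", name: "Passwords must be at least 14 characters", policy: "pol2", parent: "" },
  { sys_id: "ps2", name: "Privileged account passwords rotate every 90 days", policy: "pol2", parent: "ps1" },
  { sys_id: "ps3", name: "Remote sessions require MFA", policy: "pol3", parent: "" },
  { sys_id: "ps4", name: "Receipts are required for expenses over 25 USD", policy: "pol4", parent: "" },
  // deliberately dangling reference, to exercise the orphan check
  { sys_id: "ps5", name: "Objective whose policy was deleted", policy: "pol_missing", parent: "" },
];

// Ids of a policy and every sub-policy beneath it (iterative and cycle-safe,
// so a mis-set parent field cannot make this loop forever).
function policySubtree(policyId) {
  const seen = new Set();
  const stack = [policyId];
  while (stack.length) {
    const id = stack.pop();
    if (seen.has(id)) continue;
    seen.add(id);
    for (const p of policies) {
      if (p.parent === id) stack.push(p.sys_id);
    }
  }
  return [...seen];
}

// Control objectives that belong to a policy or to any of its sub-policies.
function controlObjectivesFor(policyId) {
  const ids = new Set(policySubtree(policyId));
  return statements.filter((s) => ids.has(s.policy));
}

// Objectives whose policy reference does not resolve. Because controls are
// generated from statements, an orphan here means controls with no policy
// behind them, which is worth surfacing in a data-quality report.
function orphanStatements() {
  const known = new Set(policies.map((p) => p.sys_id));
  return statements.filter((s) => !known.has(s.policy));
}

// Indented text breakdown of one policy: its direct objectives first (with
// their sub-statements), then each sub-policy recursively.
function renderBreakdown(policyId, depth = 0) {
  const pol = policies.find((p) => p.sys_id === policyId);
  if (!pol) return [];
  const lines = [`${"  ".repeat(depth)}Policy: ${pol.name}`];
  for (const s of statements) {
    if (s.policy === policyId && s.parent === "") {
      lines.push(...renderStatement(s, depth + 1));
    }
  }
  for (const child of policies) {
    if (child.parent === policyId) {
      lines.push(...renderBreakdown(child.sys_id, depth + 1));
    }
  }
  return lines;
}

function renderStatement(stmt, depth) {
  const lines = [`${"  ".repeat(depth)}Control Objective: ${stmt.name}`];
  for (const s of statements) {
    if (s.parent === stmt.sys_id) lines.push(...renderStatement(s, depth + 1));
  }
  return lines;
}

console.log(renderBreakdown("pol1").join("\n"));
console.log("Orphaned objectives:", orphanStatements().map((s) => s.sys_id));
```

The orphan check is the part a GRC administrator is most likely to reuse: once the label was changed to Control Objective, it is easy to lose track of the fact that every one of these records is still supposed to roll up to a row in sn_compliance_policy, and a statement whose policy reference is dangling will still spawn controls that nobody can trace back to a policy.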

 


Rahul Kumar17
Tera Guru

Hi Juan,

 

In GRC (Governance, Risk, and Compliance), a policy is a high-level statement that outlines an organization's objectives, goals, or rules related to a specific area of compliance or risk management. It is a broad and generic statement that guides the development and implementation of more detailed controls, procedures, and standards.

On the other hand, a policy statement is a more specific and detailed document that describes the specific actions, behaviors, or guidelines that an organization should follow to comply with the policy. It provides a more granular level of guidance to employees and stakeholders on how to implement the policy.

The tables for policy and policy statement in GRC depend on the specific version of the ServiceNow platform and the GRC plugin installed in your instance. In general, the tables for policies and policy statements are:

  • Policy: The main table for policies is the "sn_grc_policy" table. This table stores the high-level policy statement and related information, such as owner, status, scope, and compliance obligations.

  • Policy statement: The main table for policy statements is the "sn_grc_policy_statement" table. This table stores the more specific and detailed statements that support the policy. It includes fields for the statement, the policy it is associated with, and its status.

Other related tables might include "sn_grc_control" for controls that are implemented to enforce policies, "sn_grc_compliance_task" for tasks related to compliance obligations, and "sn_grc_risk" for risk assessments related to policy compliance.

 

Thanks,

Rahul Kumar

If my response helped please mark it correct and close the thread.


@Community Alums has provided the correct answers to this question.  The other answers are "kind of" correct - they just reference the wrong table name.  The tables that begin with sn_grc...  are those that are in the GRC: Profiles scope.  The Policy and policy statement tables are in the GRC: Policy and Compliance scope.

 

One other little factoid that may help on this...  

Policy is the parent record for a policy - like Password Policy, Remote Access policy and it holds some attributes.  But the details of the policy are stored in the sn_compliance_policy_statement table.  The reason this table is named this is that originally when the GRC app was built, we called this table "Policy Statement" - but there was a loud outcry from customers and partners that they didn't know what a policy statement was and it was confusing.  So, we relabeled the table to be Control Objectives. (The label of the table changed)  We DID NOT change the underlying table name - that would mess things up for lots of existing customers.

 

FYI - ServiceNow also did this with entities.  Entities were originally called profiles.