@Jason yeon
The logic behind allowing Policy association only when the Control Objective is in Draft or Review state is to maintain data integrity and ensure that only reviewed and approved information is linked to Control Objectives.
Here's a table that illustrates the different states of a Control Objective and the policy association possibilities:
| Control Objective State |
Policy Association |
Explanation |
| Draft |
Allowed |
In Draft state, you can create, modify, or associate policies with Control Objectives as they are being defined. |
| Review |
Allowed |
During the Review state, stakeholders can still review and suggest changes, including policy association or modification. |
| Published |
Not Allowed* |
Once the Control Objective is Published, it is considered final, and policy association or modifications should not be made to maintain data integrity. |
*If you need to make changes to a Published Control Objective, you should first revert it to Draft or Review state, make the necessary changes, and then move it through the review and approval process again.
I hope this table helps you understand the different states and policy association possibilities for Control Objectives in ServiceNow GRC.
If you found my response helpful or applicable, please consider marking it as correct or helpful to assist others who may be seeking the same information.
---------------
Regards,
Rajesh Singh
