Has anyone looked at aligning frameworks - Cyber and IT

jtshone · ‎06-10-2025

Q. how we can do multiple cross-framework references in GRC?

Our Risk manager would like to link control objectives to both Cybersecurity and IT Frameworks so they can be cross-referenced.

Currently OOB an objective can only link to one parent and SN have confirm it is not possible and to raise a request for future development.

Connor Levien · ‎06-11-2025

@jtshone depends what you mean by Cybersecurity and IT Fraemwork, are they policies or procedures? If so you can use the policy object in ServiceNow to do this. For example IT Policy may require you to do vulnerability management and the Cybersecurity policy may ask for that as well. Instead of creating two control objectives you can instead create one control objective and link it to both policies so application owners only need to respond to a single requirement but the results can role up to each framework.

Additionally there is an OOTB capability to link control objectives to multiple control objectives. There is a relationship table called sn_compliance_m2m_policy_stmt_policy_stmt which can be surfaced on the control objective form. However, the compliance score calculation doesnt look at this table as part of its calculations so it wont roll up compliance scores

Mehernosh Amrol · ‎06-16-2025

If you have a Team to oversee the Compliance and Risk, then you create your internal Control Objectives and use the Citations from the Frameworks. This allows for the Compliance score Roll-up from the Control to the Framework. If you relate the Control Objectives to Policies, the Policy will also have a Compliance Score.

I would love to see Now Assist or some other AI scan the Frameworks and automatically relate the citations from the different frameworks and create a high-level Control Objective though.