Operational changes in item generation of common controls

  • Release version: Zurich
  • Updated July 31, 2025

    Operational changes are made in item generation mainly because item generation either creates a control or activates an existing standard control. When a control is associated with an entity, associating a reliant entity with a common control takes precedence over creating a control for that entity.

    Creation of controls

    If the existing controls in your system can be used for testing entities, then you can take advantage of the existing data and avoid creating controls. Having many controls can lead to control explosion. If that is not feasible, then you can associate a primary entity with a common control, test the common control, and implement the test results on the reliant entities of the common control. If neither option works, then you can create a control.

    To create a common control, select Common in the Function field of the Control form. Select the Convert to common list UI action. A common control is created upon validation. You must select a control objective before you convert a standard control to a common control.

    Association of reliant entities to common control

    1. Use the Reliant entities related list in the Control form to add individual entities to the common control. You can also remove the reliant entities using the Remove button.
    2. Use the Reliant entity types related list in the Control form to add entity types to the common control. You can also remove the reliant entity types using the Remove button.
    3. Use the Inherit common controls UI action in the Controls related list of the Risk form to select common controls grouped by control objectives.
    Note:
    For more information on reliant entity associations for a common control, see Create a control using the Compliance Workspace and Convert standard control to common control and add reliant entities.

    Item generation – Assumptions

    • There’s no auto-generation of common controls.
    • When the existence of common controls, of associations of reliant entities to a common control, or of standard controls is checked, the control’s name, entity, and control objective must match.
    • Order of precedence between standard and common controls:
      • If a reliant association and a standard control do not exist, then a standard control is created based on the action type. Example action types are Add content to entity type, Add document to entity type, Activate content, and Activate document.
      • If a reliant association and a standard control do not exist, then a reliant association to a common control is created based on the action type. The action type can be Add entity type to common control.
      • If the user's intent is not clear from the action type and a standard control does not already exist, then for a conflicting entity type, the preference is to associate the reliant entity with the common control rather than create a standard control. An example action type is Add entity to entity type.
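
    The precedence rules above, modelled as an added example (not ServiceNow code, tables, or APIs). The outcome labels, data shapes, the two "keep" outcomes, and the fallback when no matching common control exists are assumptions of this model.

```javascript
// Added illustration: in-memory model, not ServiceNow tables or APIs.
const CREATES_STANDARD = ['Add content to entity type', 'Add document to entity type',
  'Activate content', 'Activate document'];
const CREATES_RELIANT = ['Add entity type to common control'];
const AMBIGUOUS = ['Add entity to entity type'];

// Existence checks compare name, entity, and control objective together.
const sameKey = (a, b) =>
  a.name === b.name && a.entity === b.entity && a.objective === b.objective;

// Hypothetical outcome labels; the "keep" outcomes are assumptions of this model.
function decide(actionType, target, state) {
  if (state.standardControls.some((c) => sameKey(c, target))) return 'keep_standard_control';
  if (state.reliantAssociations.some((r) => sameKey(r, target))) return 'keep_reliant_association';
  // From here on, neither a reliant association nor a standard control exists.
  if (CREATES_STANDARD.includes(actionType)) return 'create_standard_control';
  if (CREATES_RELIANT.includes(actionType)) return 'create_reliant_association';
  if (AMBIGUOUS.includes(actionType)) {
    // Intent unclear: prefer reliance on a matching common control.
    const common = state.commonControls.some(
      (c) => c.name === target.name && c.objective === target.objective);
    // Assumption: with no matching common control, a standard control is created.
    return common ? 'create_reliant_association' : 'create_standard_control';
  }
  throw new Error(`Unhandled action type: ${actionType}`);
}

// Constructed sample data (names are invented for the example).
const sampleState = {
  standardControls: [{ name: 'MFA enforced', entity: 'Payroll app', objective: 'Access control' }],
  reliantAssociations: [{ name: 'Backups tested', entity: 'HR app', objective: 'Resilience' }],
  commonControls: [{ name: 'Backups tested', objective: 'Resilience' },
    { name: 'Log review', objective: 'Monitoring' }],
};

function demo() {
  const crmLog = { name: 'Log review', entity: 'CRM app', objective: 'Monitoring' };
  return [
    // Same name and objective but a different entity: no match, so a control is created.
    decide('Add content to entity type',
      { name: 'MFA enforced', entity: 'CRM app', objective: 'Access control' }, sampleState),
    decide('Add entity type to common control', crmLog, sampleState),
    decide('Add entity to entity type', crmLog, sampleState),
  ];
}
console.log(demo());
```

    The first result shows why the three-field match matters for control counts: a control that differs only by entity is treated as absent, so a new standard control is generated for it.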

    Item generation changes

    Table 1. New action types in the generation of items

    Item generation action type
      Description

    Add entity type to common control
      If the entity is not associated with the common item, then the application associates the entity with the common item by creating an m2m association between the two.

    Remove entity type from common control
      If the entity is associated with the common item, and the Entity types field has other entity types or Individually_added is true in the m2m record, then the application removes the Entity type ID from the Entity types column or deletes the entity to common item m2m record.

    Add entity to item
      If Risk Management is installed, based on the risk statement associated to the control objective, the risk to common control m2m records are added in the Control to Entity m2m table after considering the reliant entities.

    Remove entity from item
      • If Risk Management is installed, based on the risk statement associated to the control objective, risk to common control m2m records are deleted in consideration of the reliant entities.
      • If Privacy Management is installed, then the Processing Activity to common control m2m association based on its reliant entity and also the Processing Activity to control objective m2m association are removed.

    Activate entity to item
      If Risk Management is installed, based on the risk statement associated to the control objective, risk to common control m2m records are added in the Control to Entity m2m table in consideration of its reliant entities.

    Deactivate entity to item
      • If Risk Management is installed, based on the risk statement associated to the control objective, then the risk to common control m2m records are deleted after considering the control's reliant entities.
      • If Privacy Management is installed and the Processing Activity corresponds to a reliant entity, then the Processing Activity to common control m2m association and also the Processing Activity to control objective m2m association are removed.

    Activate item
      A common item is added:
      1. When no standard control exists with the same name, content (control and control objective), and entity combination.
      2. If the entity is not reliant on any other common item with the same name, content, and entity.
      3. When the entity is active.
      A standard item is added:
      1. Risk Management and Policy and Compliance Management plugins are installed.
      2. Based on the risk statement and control objective association, risks are associated to controls.

    Deactivate item
      • Common item: Deactivates all Control to Entity m2m records.
      • Standard item: Deletes risks to control associations based on the Risk statement and Control objective associations.