An overview of policy life cycle in Policy and Compliance Management

  • Release version: Zurich
  • Updated July 31, 2025

    Policies ensure compliance and reduce exposure to risks. A policy can be of any type – it can be a policy, procedure, standard, plan, checklist, framework, or template. Publishing a policy is part of its approval process.

    When you create a policy, it is in the Draft state, and all the required information about the policy is defined and captured in the record. The required information that you capture consists of the attributes that drive the process flow of the policy.

    Process flow diagram of Policy and Compliance Management.

    The life cycle of a policy record passes through different states. The states are designed to show where the record currently resides and to display its progress. Each state has a specific set of related activities that take place before the record moves to the next state. A policy may also move back to the previous state, if required; which move is available is configured and identified according to the current state.

    Draft
    A compliance admin, compliance manager, or compliance user can create a policy and define and capture its related information. In the Draft state, you identify the reviewers, who can edit the policy in its Review state, and the approvers, who can approve the policy. Control objectives that already exist can be added to the policy, or new ones can be created. Each policy has a Valid to period, within which it is updated, reviewed, republished, or retired. In this state, the actions that you can perform on the policy are Update, Ready for Review, and Delete.
    Review
    Only the policy reviewers can Update the policy in this state, to ensure that it satisfies all regulatory requirements. They review the control objectives and the associated entities, controls, and citations, and they add information, remove unnecessary mappings, or create new control objectives. The reviewer can move the policy Back to Draft if it does not fulfil the requirements or if more details are needed. The reviewer can also Request Approval for the policy, or Delete it if it is no longer needed.
    Awaiting approval
    If a policy approver is assigned to the policy, the policy moves to the Awaiting approval state. Otherwise, it moves to the Published state. In the Awaiting approval state, a policy approval task is created and assigned to the approver. The approver can also Delete the policy in this state. The task starts in the Requested state, and the approver can change it to any of the following states:
    • Requested
    • Approved
    • Rejected
    • Cancelled
    • No longer required
    Published
    When the policy moves to the Published state, the system automatically generates a Knowledge Base article. The policy becomes a mandate: all users must follow its guidelines and requirements, through the controls that are mapped to the policy. In this state, the policy can also be sent Back to Review, Retired, or Deleted.
    Retired
    A policy may be retired if it is no longer required or no longer serves a business purpose. The Knowledge Base article that was created is removed, but the policy stays in the Retired state for audit purposes. If the policy is needed again, it can be sent back to the Draft state, and the policy's life cycle begins again.