Using indicator templates

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using indicator templates

    Indicator templates in ServiceNow enable customers to efficiently create multiple indicators for monitoring similar cybersecurity controls or risks. These templates streamline data collection and evidence gathering for controls by providing predefined instructions and schedules. The Technology Controls Monitoring Accelerator offers 171 predefined indicator templates tailored for cybersecurity control monitoring.

    Show full answer Show less

    Indicators focus on a single control or risk and support both automated and manual data collection methods. Their results help create issues, update risk scores, and support audit and control testing activities.

    Key Features

    • Indicator Types:
      • Basic: Automatically collects evidence from a source table.
      • Manual: Requires external data sources and manual task completion.
      • Scripted: Gathers evidence from multiple source tables using scripts.
    • Indicator Process Flow: Includes setting up templates, applying them to risk statements or controls, and generating indicator tasks that reflect their status.
    • Automatic Integration: Linking indicator templates to policy or risk statements enables automatic indicator creation and control status calculation, which also affects related risks and risk scores.
    • Collection Frequency: Templates define collection schedules such as daily, weekly, monthly, quarterly, semi-annually, or annually, automating data gathering and task generation.
    • Collection Methods: Supports manual task assignments, automated filters, Performance Analytics, or scripted data gathering, with configurable targets and pass/fail thresholds.
    • Supporting Data: Allows historical and real-time data viewing for indicator results, including sampling capabilities using reference fields and criteria filters.

    Practical Application for ServiceNow Customers

    • Use indicator templates to standardize and automate monitoring across multiple similar controls or risks, reducing manual effort and improving consistency.
    • Integrate indicator results with governance, risk, and compliance (GRC) workflows to trigger issue creation and update risk scores automatically based on control effectiveness.
    • Leverage predefined schedules and data collection methods to ensure timely and accurate evidence gathering, supporting audit readiness and control testing.
    • Customize indicator templates by linking them to multiple control objectives or risk statements, facilitating reuse and scalability in large environments.
    • Understand that indicators are equal in weighting and are inactive when controls or risks are in a Retired state, ensuring appropriate lifecycle management.

    Indicators collect data to monitor a single control or risk. Indicator templates allow you to create multiple indicators for similar controls or risks. The Technology Controls Monitoring Accelerator application provides a collection of 171 predefined indicator templates for monitoring cybersecurity controls.

    Indicators and Indicator templates

    The indicators collect data to monitor the controls and risks and collect the audit evidence. Indicators monitor a single control or risk.

    The indicator templates allow the creation of multiple indicators for similar controls or risks.

    The indicator templates obtained with the Technology Controls Monitoring Accelerator application provide the instructions that you must run the indicators, as described in the following sections.

    Supporting information can be collected for the indicators through automatic data collection or manual tasks. Indicator results are then used to perform the following tasks:
    • Create issues for the controls.
    • Update the risk scores.
    • Provide supporting information for the audit activities and control testing
    The following types of indicators are available:
    1. Basic: Evidence is collected from on the source table.
    2. Manual: Evidence is not collected. This type of indicator requires a third party data source.
    3. Scripted: Evidence can be collected from multiple source tables.

    Flow of the indicator process

    The indicator process consists of the following steps:
    • Set up the indicator template.
    • Apply the indicator template to a risk statement or control. When the control or risk statement is scoped with an entity type or specific entities, then all the controls or risks under that control objective or risk statement have an indicator generated for them.

    Indicators can be automated or manual. The indicator tasks are generated that show the final state of the indicator.

    Examples of automated indicators and manual indicators

    An example of an automated indicator would be to check that all servers in the CMDB are up to date. Another example would be that all LDAP passwords are less than three months old.

    An example of a manual indicator would be to ask the network administrator to conduct the annual Network Penetration Tests are conducted and the results are attached to the task. If a result indicates failed or not passed, it is used to trigger the creation of GRC issues.

    Usage of indicator templates

    You can link the indicator templates to the policy statements or risk statements so that the indicators are automatically created for the controls or risks. The status of the controls is also automatically calculated by the linked indicator results and it may affect any linked risks. For example, if the indicator tied to a control fails, then the overall status cannot be completed unless the remediation task is closed by the user.

    The Calculated Risk Score for the risk is also adjusted automatically by the indicators results of the risk. The Indicator Failure Factor field in the Risk table displays the impact of the failures.

    Note:
    Indicators are not weighted. When you weigh their impact on a control or risk, they are considered equalizing. Indicators are not executed when the risks and controls are in the Retired state.

    Indicator template collection frequency

    Each indicator template includes a schedule for identifying the frequency of data collection, as shown here.
    Figure 1. Indicator template schedule
    Indicator template schedule tab
    Table 1. Schedule tab
    Field Description
    Collection frequency Collection frequency for indicator results. Indicator tasks and results are generated automatically based on the indicator schedule.
    • Daily
    • Weekly: The day of the week to perform the collection.
    • Monthly: The day of the month to perform the collection.
    • Quarterly: The date of the first collection run.
    • Semi-Annually: The date of the first collection run.
    • Annually: The month and day to perform the collection.

    Indicator template collection method

    The Method tab identifies how the results are collected, as shown here.
    Figure 2. Indicator template collection method
    Indicator template collection method
    Table 2. Method tab
    Field Description
    Type Results can be gathered manually using task assignment or automatically using basic filter conditions, Performance Analytics, or a script.
    Target Type Identifies whether the target is a percentage or a count.
    Short Description If Type = Manual, a brief description of the issue.
    Instructions If Type = Manual, instructions for the collection of indicator results.
    Value Mandatory If Type = Manual, the check box indicates whether the value is mandatory for the indicator task.
    Passed/Failed If Type = Basic, the conditions defined on the Supporting Data tab are met, and the results exceed the Target value, it indicates whether the indicator passed or failed.
    Target If Type = Basic, the threshold by which the results returned based on the conditions defined on the Supporting Data tab determine whether the indicator template passes or fails.
    PA Threshold If Type = PA Indicator, the associated PA Threshold.
    Script If Type = Script, the script that obtains the desired system information.

    Indicator template supporting data

    Starting with version 10.1, the Supporting Data tab displays actual historical data for the supporting data records from the indicator results or indicator tasks. In earlier versions, only the real-time state of the records collected could be viewed.
    Figure 3. Indicator template supporting data
    Indication template supporting data
    Table 3. Indicator template supporting data
    Field Description
    Collect supporting data Indicates that you want to collect supporting data. The following three fields are displayed.
    Table The supporting data table.
    Supporting Data Fields The fields from the supporting data table to be considered.
    Criteria Filter conditions.
    Use reference field Indicates that you want to use a reference field. The following two fields are displayed.
    Reference field The reference field that you want to use for sampling.
    Sample size The number of records you want to use for data sampling.
    You can also view information on the following tabs:
    • Indicators
    • Control Objectives/Risk Statements
    • Content References
    Note:
    The Control Objectives/Risk Statements tab allows you to reuse the same template for multiple control objectives or risk statements.