Create a control objective using the Compliance Workspace

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read

    • A control objective is an objective, direction, or standard that acts as guidance for company interactions and operations. Control objectives can be categorized, classified, and related to policies using the Compliance Workspace.

    Before you begin

    Role required: sn_compliance.admin, sn_compliance.manager, sn_compliance.user

    Procedure

    1. Navigate to All > Policy and Compliance > Compliance Workspace.
    2. In the Compliance Workspace, click the List icon icon.
    3. Navigate to Compliance library > Control objectives.
    4. Click the Create list and select Control objective.
    5. On the form, fill in the fields.
      Table 1. Create New Control Objective form
      Field Description
      Name Name of the control objective.
      Source Source of the policy. For example, if the statement is from the a third-party provider, indicate which one.
      Source ID Unique identification number used by the source to catalog this authority document.
      Reference Unique numerical identifier.
      Parent Control objective that is not a child of the current control objective. This is to avoid cyclic parent – child relationship.
      Compliance Score Percentage Compliance score percentage calculated for this control objective and its color code:
      • Green: 80 and higher
      • Yellow: 80 to 50
      • Red: below 50
      Active Option that indicates whether a policy is active.
      Creates controls automatically Option that indicates that controls are automatically created from the control objective.
      Note:
      Select this option if the control objective can also serve as the control.
      Category List of options:
      • Acquisition or sale of facilities, technology, and services
      • Audits and risk management
      • Compliance and Governance Manual of Style
      • Human Resources management
      • Leadership and high-level objectives
      • Monitoring and measurement
      • Operational management
      • Physical and environmental protection
      • Privacy protection for information and data
      • Records management
      • System hardening through configuration management
      • Systems continuity
      • Systems design, build, and implementation
      • Technical security
      • Third party and supply chain oversight
      • Root
      • Deprecated
      Classification List of options:
      • Preventive
      • Corrective
      • Detective
      Type List of options:
      • Acquisition/Sale of Assets or Services
      • Actionable Reports or Measurements
      • Audits and Risk Management
      • Behavior
      • Business Processes
      • Communicate
      • Configuration
      • Data and Information Management
      • Duplicate
      • Establish Roles
      • Establish/Maintain Documentation
      • Human Resources Management
      • Investigate
      • IT Impact Zone
      • Log Management
      • Maintenance
      • Monitor and Evaluate Occurrences
      • Physical and Environmental Protection
      • Process or Activity
      • Records Management
      • Systems Continuity
      • Systems Design, Build, and Implementation
      • Technical Security
      • Testing
      • Training
      Attestation method List of options:
      • Classic attestation: ServiceNow AI Platform classic method of control assessment.
      • Attestation: Method by which controls are assessed.
        Note:
        If you select Attestation, then the Attestation field is populated with GRC Attestation
      Attestation GRC Attestation is chosen by default.
      Note:
      If the user changes the control attestation, the related control objective attestation type is also changed.
      Issue group rule Group rule assigned to this control objective.
      Description Description of the control objective.
    6. Click Save.
      To view and manage the details of the control objective that you created, see Manage a control objective from the overview page.
      The control objective is created and all related lists are visible.
      • A control is created for every control objective when a policy is associated with an entity.
      • The control attributes default to the same attributes as the related control objective.
    7. From the Overview page, click the More tabs and select Issues tab.
      You can add existing one or more related issues to the control objective that you created. By mapping the existing issues to the control objective, you can reduce the count of open issues on the control objective.
      1. Click the Add button.
      2. Select the related issue or issues from the Issues pop-up.
      3. Click Add.
        The selected issues are added to the control objective as related issues and an m2m relationship is created between the control objective and the issues in issue to control objective [sn_grc_m2m_issue_content] table. You can also create an issue for the control objective by clicking the New button.
      4. To remove an issue that is mapped to the control objective, select the issue and click Remove.
        The remove action only removes the mapping between the control objective and the issue. The action doesn’t delete the issue record.
        Note:
        The UI action buttons such as New, Add, Remove aren’t available if the control objective is in Retired state.

    What to do next

    If you’re implementing the Policy and Compliance Management software, return to the Policy and Compliance Management setup checklist and proceed to the next step.