An overview of policy life cycle in Policy and Compliance Management

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of An overview of policy life cycle in Policy and Compliance Management

    The policy life cycle in Policy and Compliance Management guides the creation, review, approval, publication, and retirement of policies to ensure compliance and minimize risk exposure. Policies can include various types such as procedures, standards, frameworks, and templates. The life cycle tracks the policy’s progress through defined states, each with specific activities and controls, enabling clear visibility and management of the policy’s status.

    Show full answer Show less

    Key Stages in the Policy Life Cycle

    • Draft: Policies are created and defined by compliance admins, managers, or users. Reviewers and approvers are assigned. Control objectives can be added or created. Actions available include updating, readying for review, or deleting the policy.
    • Review: Assigned reviewers update the policy to meet regulatory requirements, adjusting control objectives and mappings. Reviewers can return the policy to Draft if more work is needed but cannot request approval. Policy owners or compliance managers can request approval.
    • Awaiting Approval: If approvers are assigned, the policy enters this state where approval tasks are created. Approvers can approve, reject, cancel, or delete the policy. If no approver is assigned, the policy moves directly to Published.
    • Published: The policy becomes active and enforceable, with a Knowledge Base article generated automatically. It can be sent back to Review, Retired, or Deleted from this state.
    • Retired: Policies no longer needed or relevant are retired. The associated Knowledge Base article is removed, but the policy record remains for audit purposes. Retired policies can be reactivated by returning them to Draft.

    Practical Benefits for ServiceNow Customers

    • Provides a structured approach to policy management, ensuring policies are properly reviewed, approved, and published.
    • Enables clear role assignments for drafting, reviewing, and approving policies, supporting compliance governance.
    • Maintains audit trails through state transitions, including retention of retired policies for compliance reporting.
    • Automates the creation of Knowledge Base articles upon publication, facilitating policy communication and enforcement.
    • Allows flexibility to revert policies to previous states if further refinement or reactivation is necessary.

    Policies ensure compliance and reduce exposure to risks. A policy can be of any type – it can be a policy, procedure, standard, plan, checklist, framework, or template. Publishing a policy is within its approval process.

    When you create a policy, it is in a Draft state, and all the required information about the policy are defined and captured in the record. The required information that you capture are the attributes that drive the process flow of the policy.

    Process flow diagram of Policy and Compliance Management.

    The life cycle of a policy record passes through different states. This is designed to understand where the record currently resides and to display its progress. Each state has a specific set of related activities before it moves to the next state. A policy may also move to the previous state, if required, which is configured and identified according to the current state.

    Draft
    A compliance admin, compliance manager, or a compliance user can create a policy, define and capture its related information. In this draft state, reviewers are identified, who have the ability to edit the policy in its review state, and approvers who can approve the policy. Control objectives that already exist can be added to the policy or new ones can be created. Each policy has a Valid to period, within which it is updated, reviewed, republished, or retired. In this state, the actions that are available for you to perform on the policy are Update, Ready for Review, and Delete.
    Review
    Only the policy reviewers can Update the policy in this state to ensure that it satisfies all regulatory requirements. They review the control objectives, its associated entities, controls, and citations, and add additional information, remove unnecessary mappings, or create new control objectives. The reviewer can move the policy Back to Draft state if the policy does not fulfill the requirements or if more details are needed.

    Reviewers cannot request approval for a policy. However, the owner of the policy with sn_compliance.user, which is the minimum required role, and users with compliance manager role can request approval for a policy.

    Awaiting approval
    If a policy approver is assigned to the policy, the policy moves to the Awaiting approval state. Otherwise, it moves to the Published state. In this state, the approver can Delete the policy as well. In the Awaiting approval state, a policy approval task is created and assigned to the approver. The task is in Requested state, and the approver can change it to any of the following states:
    • Requested
    • Approved
    • Rejected
    • Cancelled
    • No longer required
    Published
    When the policy moves to the Published state the system automatically generates a Knowledge Base article. The policy becomes a mandate for all users to follow its guidelines and requirements, which is through the controls that are mapped to the policy. In this state, the policy can also be sent Back to Review, Retired, or Deleted.
    Retired
    A policy may be retired if no longer required, or when it no longer serves a business purpose. The Knowledge Base article that was created is removed, but the policy stays in retired state for audit purpose. If the policy is needed again, it can be sent back to the Draft stage, and the policy's life cycle begins again.