Using indicator templates

  • Release version: Zurich
  • Updated July 31, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using indicator templates

    Indicator templates in ServiceNow enable you to create multiple indicators that monitor similar controls or risks, streamlining the data collection and assessment process. These templates are integral to the Technology Controls Monitoring Accelerator application, which provides 171 predefined indicator templates specifically designed for cybersecurity control monitoring. Indicators collect audit evidence and monitor individual controls or risks, supporting both automated and manual data collection methods.

    Show full answer Show less

    Key Features

    • Indicator Types:
      • Basic: Collects evidence directly from a source table.
      • Manual: Requires third-party data input without automated evidence collection.
      • Scripted: Gathers evidence from multiple source tables using scripts.
    • Indicator Process Flow: Set up the indicator template, then apply it to a risk statement or control. When scoped to entity types, multiple indicators can be generated automatically.
    • Automation and Manual Tasks: Indicator results generate tasks reflecting the indicator’s final status, enabling automated or manual evidence collection.
    • Scheduling: Templates include configurable collection frequencies—daily, weekly, monthly, quarterly, semi-annually, or annually—to automate indicator result updates.
    • Collection Methods: Data can be collected manually via tasks or automatically using filters, Performance Analytics, or scripts with detailed configuration options for target type, thresholds, and instructions.
    • Supporting Data: Templates support historical data viewing and sampling for more accurate monitoring and analysis.

    Practical Usage and Impact

    • Link indicator templates directly to policy or risk statements to automate indicator creation for associated controls or risks.
    • Indicator results automatically update control status and can influence linked risk scores, with failure conditions triggering GRC issue creation and remediation workflows.
    • Controls or risks in the “Retired” state do not execute indicators, ensuring relevant focus on active items.
    • Indicator failures impact the Calculated Risk Score via the Indicator Failure Factor field, helping prioritize risk management efforts.
    • Examples include automated checks like verifying server updates or password age, and manual tasks such as conducting penetration tests.

    Benefits for ServiceNow Customers

    Using indicator templates allows customers to efficiently scale monitoring across multiple similar controls or risks, improving compliance oversight and audit readiness. The automation and scheduling capabilities reduce manual effort, increase data accuracy, and enable proactive risk management through real-time control status updates and issue generation. With supporting data and flexible collection methods, organizations can customize monitoring to their operational needs while maintaining comprehensive cybersecurity control assurance.

    Indicators collect data to monitor a single control or risk. Indicator templates allow you to create multiple indicators for similar controls or risks. The Technology Controls Monitoring Accelerator application provides a collection of 171 predefined indicator templates for monitoring cybersecurity controls.

    Indicators and Indicator templates

    The indicators collect data to monitor the controls and risks and collect the audit evidence. Indicators monitor a single control or risk.

    The indicator templates allow the creation of multiple indicators for similar controls or risks.

    The indicator templates obtained with the Technology Controls Monitoring Accelerator application provide the instructions that you must run the indicators, as described in the following sections.

    Supporting information can be collected for the indicators through automatic data collection or manual tasks. Indicator results are then used to perform the following tasks:
    • Create issues for the controls.
    • Update the risk scores.
    • Provide supporting information for the audit activities and control testing
    The following types of indicators are available:
    1. Basic: Evidence is collected from on the source table.
    2. Manual: Evidence is not collected. This type of indicator requires a third party data source.
    3. Scripted: Evidence can be collected from multiple source tables.

    Flow of the indicator process

    The indicator process consists of the following steps:
    • Set up the indicator template.
    • Apply the indicator template to a risk statement or control. When the control or risk statement is scoped with an entity type or specific entities, then all the controls or risks under that control objective or risk statement have an indicator generated for them.

    Indicators can be automated or manual. The indicator tasks are generated that show the final state of the indicator.

    Examples of automated indicators and manual indicators

    An example of an automated indicator would be to check that all servers in the CMDB are up to date. Another example would be that all LDAP passwords are less than three months old.

    An example of a manual indicator would be to ask the network administrator to conduct the annual Network Penetration Tests are conducted and the results are attached to the task. If a result indicates failed or not passed, it is used to trigger the creation of GRC issues.

    Usage of indicator templates

    You can link the indicator templates to the policy statements or risk statements so that the indicators are automatically created for the controls or risks. The status of the controls is also automatically calculated by the linked indicator results and it may affect any linked risks. For example, if the indicator tied to a control fails, then the overall status cannot be completed unless the remediation task is closed by the user.

    The Calculated Risk Score for the risk is also adjusted automatically by the indicators results of the risk. The Indicator Failure Factor field in the Risk table displays the impact of the failures.

    Note:
    Indicators are not weighted. When you weigh their impact on a control or risk, they are considered equalizing. Indicators are not executed when the risks and controls are in the Retired state.

    Indicator template collection frequency

    Each indicator template includes a schedule for identifying the frequency of data collection, as shown here.
    Figure 1. Indicator template schedule
    Indicator template schedule tab
    Table 1. Schedule tab
    Field Description
    Collection frequency Collection frequency for indicator results. Indicator tasks and results are generated automatically based on the indicator schedule.
    • Daily
    • Weekly: The day of the week to perform the collection.
    • Monthly: The day of the month to perform the collection.
    • Quarterly: The date of the first collection run.
    • Semi-Annually: The date of the first collection run.
    • Annually: The month and day to perform the collection.

    Indicator template collection method

    The Method tab identifies how the results are collected, as shown here.
    Figure 2. Indicator template collection method
    Indicator template collection method
    Table 2. Method tab
    Field Description
    Type Results can be gathered manually using task assignment or automatically using basic filter conditions, Performance Analytics, or a script.
    Target Type Identifies whether the target is a percentage or a count.
    Short Description If Type = Manual, a brief description of the issue.
    Instructions If Type = Manual, instructions for the collection of indicator results.
    Value Mandatory If Type = Manual, the check box indicates whether the value is mandatory for the indicator task.
    Passed/Failed If Type = Basic, the conditions defined on the Supporting Data tab are met, and the results exceed the Target value, it indicates whether the indicator passed or failed.
    Target If Type = Basic, the threshold by which the results returned based on the conditions defined on the Supporting Data tab determine whether the indicator template passes or fails.
    PA Threshold If Type = PA Indicator, the associated PA Threshold.
    Script If Type = Script, the script that obtains the desired system information.

    Indicator template supporting data

    Starting with version 10.1, the Supporting Data tab displays actual historical data for the supporting data records from the indicator results or indicator tasks. In earlier versions, only the real-time state of the records collected could be viewed.
    Figure 3. Indicator template supporting data
    Indication template supporting data
    Table 3. Indicator template supporting data
    Field Description
    Collect supporting data Indicates that you want to collect supporting data. The following three fields are displayed.
    Table The supporting data table.
    Supporting Data Fields The fields from the supporting data table to be considered.
    Criteria Filter conditions.
    Use reference field Indicates that you want to use a reference field. The following two fields are displayed.
    Reference field The reference field that you want to use for sampling.
    Sample size The number of records you want to use for data sampling.
    You can also view information on the following tabs:
    • Indicators
    • Control Objectives/Risk Statements
    • Content References
    Note:
    The Control Objectives/Risk Statements tab allows you to reuse the same template for multiple control objectives or risk statements.