Governance your compliance with ServiceNow

General Add comments

“We need to do this! Else we are not compliant!”

I have heard this numerous times while working at a SOx and FDA compliant customer. Of course, we need to ensure we are and stay compliant. But who knows exactly why and how we are compliant? There are so many standards, frameworks and regulations used within companies that we loose track of them. Not to mention all policies we have defined for these authoritative sources. This is where the IT Governance Risk and Compliance module steps in.

The IT Governance Risk and Compliance module can be used to log, plan and maintain your authoritative sources, policies, controls for policies and control tests. Also, you are able to plan and manage your audit sessions, including any audit observations for policies and controls.

The plug-in provides all tools to log and maintain all policies within the company. ServiceNow named this specifically for the IT, in my opinion, this module can be used company wide.

I’d like to focus on the “Policies” part for now and all that is related with “Policies”. Policies tell us what we are committing ourselves too, like: “Provide a healthy and save working environment”. We can determine the classification (Public, retired, confidential), distribution (internal, permitted for external communication) and until when the policy is valid. We can also define to whom the policy applies; this is called the “Scope”. The scope can be anything you define (like people, buildings, countries, etc. etc.)


Besides just the policy and scope, we can define the risks (like “Employees are unavailable due too sick leave”) and controls (like “Each employee will be given a discount for the local gym”). Also we can determine if the policy comes from an “Authoritative Source”, this can be from a standard (like ISO), frameworks (like ITIL and COBIT) or even law and regulations (like HIPAA or SOx).

This plug-in is really interesting if you have a lot of policies regarding standards, frameworks or regulations. It can give you an overview of what you have committed to and what kind of controls you have in place to control the policy.

As all modules in ServiceNow, the IT Risk and Compliance module can be related to other modules. It will be possible to relate policies to incidents (To see how many incidents are related to a policy) or which changes have impact on certain policy controls.

Good luck!
Kind regards,
Tim Willer (.img[at].img)

Leave a Reply