The ServiceNow® Policy and Compliance Management application provides a centralized process for creating and managing policies, standards, and internal control procedures that are mapped to external regulations. Additionally, the application provides structured workflows for identifying, assessing, and continuously monitoring control activities.
The Policy and Compliance Management application enables you to:
- Scope entities and entity types.
- Manage a compliance library consisting of authority documents, citations, policies, and control objectives.
- Manage policies, procedures, and standards using a policy authoring workflow integrated with Microsoft® Office 365® for drafting, reviewing, approving, redlining, and publishing policies.
- Create a unique control for a control objective and entity, or create multiple and granular controls for the same control objective and entity.
- Respond to control attestations from the Employee Center.
- Request policy exceptions from the Employee Center or from other ServiceNow applications, such as Vulnerability Response, using the Policy Exception Integration Registry.
- Acknowledge policies from the Employee Center.
- Monitor controls continuously using indicator templates and indicators.
- View the compliance posture through reports and dashboards.
- Review the compliance posture of policies or checks from other ServiceNow applications by mapping them to control objectives using the Compliance data source registry.
- Manage issues and remediation tasks.
- Mark issues, remediation tasks, and evidence requests as confidential.
- Provide visibility of issues and remediation tasks to the management hierarchy.
New
- Enabled versioning support for Smart assessment-based Control attestation templates.
- Enabled Audit entries support for Control and Control objectives.
- Query range ACLs enhancements:
  - Consistent access control — All tables include standardized query range security ACLs. These ACLs ensure that authenticated users with appropriate read permissions can query records consistently across the platform.
  - Seamless upgrade experience — New query ACL rules are installed automatically during upgrade, with no administrator action required. Automated upgrade scripts handle the transition, including detecting and processing previously customized ACLs to ensure existing processes continue without interruption.
  - Post-upgrade review for customized ACLs:
    - If the instance includes administrator-modified query range ACLs, review those records after upgrade to confirm they align with the intended access policy.
Changed
- Email notification links for Policy and Compliance Management now redirect users to the appropriate workspace based on their access permissions.
- Added stale action reset logic to allow recovery and prevent blockage of the Item generation action queue.
Fixed
- The Supplemental guidance fields on controls are not updating with the latest changes from control objectives.
- Date formatting issue in the policy exception request system, where extension dates were not carrying over correctly from Employee portal to Native UI.
- Business rules were using current.update(), which is not recommended.
- Security fix for ACL bypass in Policy related script included.
- ACL added for Script field on Article template to mitigate vulnerability concerns.
- Item generation action queue processor job sets incorrect processing duration in the action event queue table.
- Citation to control records were being created in the Citation to control table even for empty references.
- Non-admin users are unable to create indicators on controls
- After closure the IRM issue source changes to AD-HOC
- Policy Exception Extension "Restart workflow" business rule is erroring out
- Duplicate risk statements are showing in control objectives related list
- Acknowledgements are getting created on the next day of the first acknowledgement date on the policy.
- Policy Exception Server‑Side validation enforces default 30‑day limit
The following applications are automatically installed when the Policy and Compliance Management application is activated:
- GRC: Profiles
- GRC: Approval Configurator
- GRC: Taxonomy Management
Permissions and roles:
- To install the application, you require the System Administrator (admin) role.
When upgrading the Policy and Compliance Management application, ensure that you also upgrade the Compliance Management Workspace and any other installed GRC applications to their corresponding release versions. For example, Policy and Compliance Management version 21.x has been qualified to work with Compliance Management Workspace version 21.x and other GRC applications from the same 21.x release series.