ServiceNow CIS-RC Exam Dumps & Practice Test Questions
Within the GRC: Profiles application scope in ServiceNow, which of the following tables are included? (Select three options.)
A. Document
B. Policy
C. Risk
D. Content
E. Indicator
Answer: B, C, D
Explanation:
The GRC: Profiles application scope in ServiceNow is a framework that supports organizations in managing compliance, risk, and governance through structured data. It organizes and aligns essential components like policies, risks, and supporting content to ensure businesses remain compliant and resilient in the face of evolving regulatory demands and risk factors. Among the available tables in this scope, Policy, Risk, and Content are integral and foundational to the module’s purpose.
Policy (B):
This table is at the heart of the governance function. Policies define rules, standards, or requirements that an organization must follow. Within the GRC framework, policies help enforce regulatory mandates and best practices. The inclusion of the Policy table allows users to create, manage, and track these documents for compliance auditing and operational enforcement.
Risk (C):
The Risk table is vital for identifying, assessing, and managing risks across the enterprise. GRC relies on this table to store structured risk data—such as likelihood, impact, and mitigation strategies. This enables organizations to perform proactive risk management and develop action plans tied to operational and regulatory needs.
Content (D):
This table supports the management of content pieces like guidelines, procedures, and templates associated with policy enforcement or risk responses. The Content table acts as a repository for the supportive materials necessary to understand or operationalize policies and risk management frameworks.
Why the other answers are incorrect:
Document (A):
While documents are used throughout ServiceNow and even within some parts of GRC, the “Document” table is not specifically tied to the GRC: Profiles scope. It is often managed through document management systems or knowledge bases, not as a core GRC: Profiles table.
Indicator (E):
Indicators are typically tied to performance or compliance monitoring and are more relevant in other GRC modules, such as Risk Indicators or Policy Acknowledgements. They do not form part of the core data model for the Profiles scope, which is primarily concerned with defining and linking policies, risks, and related content.
The tables Policy, Risk, and Content are central to the GRC: Profiles application scope in ServiceNow. They allow for proper documentation, tracking, and management of governance and compliance-related elements. Options B, C, and D are correct.
Which of the following accurately describe features of the ServiceNow Store? (Select four options.)
A. Some applications are certified by ServiceNow
B. All applications are certified by ServiceNow
C. Applications may be developed by ServiceNow Technology Partners
D. It houses both paid and free applications and integrations
E. Applications are built on the ServiceNow platform
F. Applications are certified by other developers
Answer: A, C, D, E
Explanation:
The ServiceNow Store is an online marketplace where users can browse, acquire, and install applications and integrations that extend the functionality of the core ServiceNow platform. These apps are developed either by ServiceNow itself or by Technology Partners—third-party developers approved to create compatible solutions.
A. Some applications are certified by ServiceNow:
This is correct. Many applications on the store go through a formal ServiceNow certification process. This certification indicates that the app has been tested for compatibility, security, and performance. However, not every application is certified—only those that meet the strict criteria defined by ServiceNow.
C. Applications may be developed by ServiceNow Technology Partners:
Absolutely. The ServiceNow ecosystem includes a wide range of partners who develop apps to address industry-specific or functional gaps. These partners must follow ServiceNow's design and development standards to ensure seamless platform integration.
D. It houses both paid and free applications and integrations:
The Store offers flexibility with both free and paid solutions. Some apps may be open-access or bundled with ServiceNow subscriptions, while others may require a license fee. This diverse offering allows businesses to scale solutions according to budget and operational needs.
E. Applications are built on the ServiceNow platform:
All apps listed on the store are designed to run on the ServiceNow platform, ensuring consistent user experience and native integration. This provides organizations confidence that apps will work with existing modules and workflows without the need for major custom development.
Why the other answers are incorrect:
B. All applications are certified by ServiceNow:
Incorrect. While many are certified, not all applications on the Store are. Some apps may still be pending certification or are offered as-is by developers.
F. Applications are certified by other developers:
This is false. Certification is an official process performed by ServiceNow, not by the developers themselves. Developers can submit their apps, but only ServiceNow has the authority to grant certification status.
The ServiceNow Store includes both free and paid applications built on the ServiceNow platform. Some of these apps are certified by ServiceNow and may be created by Technology Partners. Correct answers: A, C, D, and E.
Which of the following is not a recognized role in the ServiceNow GRC module?
A. Risk User
B. Risk Developer
C. Risk Manager
D. Risk Reader
Correct Answer: B
Explanation:
ServiceNow’s Governance, Risk, and Compliance (GRC) platform offers a structured role-based access model that helps organizations manage risks, enforce compliance, and establish governance. These roles are tailored to ensure users have the appropriate permissions to perform their designated functions effectively. Among the roles included in the system are Risk User, Risk Manager, and Risk Reader, each with its own level of access and functionality.
The Risk User role is a legitimate role in ServiceNow GRC. It typically grants users the ability to view and interact with risk records, such as submitting new risks or responding to risk tasks. However, users with this role generally have limited control over administrative settings or workflows.
The Risk Manager role is more privileged. It is intended for users tasked with overseeing risk mitigation activities, approving risk assessments, and managing mitigation plans. These users have broader permissions and more operational responsibility in the GRC process.
Similarly, the Risk Reader role provides read-only access. This is intended for stakeholders or auditors who need visibility into the system for monitoring and review, but who are not actively modifying or managing records.
However, the role labeled Risk Developer does not exist as a standard predefined role within the ServiceNow GRC framework. While developers may work on customizing GRC applications, they do so under generic roles such as Application Developer or System Administrator. These roles allow back-end access to scripts, workflows, and system configurations but are not GRC-specific user roles.
In summary, among the options listed, only Risk Developer is not an official role tied specifically to the ServiceNow GRC module. The system does allow development and customization, but that functionality is managed through separate developer or administrator roles not exclusive to risk management. Therefore, the correct choice is B, as it is not a recognized GRC-specific role in the platform.
What is true regarding the assignment of Risk Response tasks in ServiceNow Risk Management?
A. A risk can have only one Risk Response task at a time
B. Only users with the risk_manager role or higher can be assigned to a Risk Response task
C. The risk_admin role is mandatory to assign Risk Response tasks
D. Risk Response tasks automatically move through states via workflow
Correct Answer: B
Explanation:
Risk Response tasks in ServiceNow are used to manage how identified risks are addressed within an organization. These tasks are essential to the implementation of mitigation, transfer, avoidance, or acceptance strategies that help reduce an organization’s exposure to threats.
ServiceNow uses a role-based access control model to ensure that only appropriately authorized personnel handle critical components of the risk management process. In this model, the risk_manager role has elevated permissions that enable users to own, manage, and execute Risk Response tasks. Individuals with this role can be assigned tasks because they are trusted to assess the risk and implement the necessary response strategy. This ensures accountability and control over risk resolution activities.
Option A, which claims only one Risk Response task can be assigned per risk, is incorrect. In practice, multiple tasks can be associated with a single risk. For example, different departments may need to respond to different aspects of the same risk, requiring several coordinated tasks.
Option C suggests that only users with the risk_admin role can assign Risk Response tasks. This is misleading. While risk_admins do have broad permissions for configuring and administering the system, the assignment of tasks typically falls under the responsibility of the risk_manager or project team members involved in mitigation.
Option D is also incorrect. While workflows are used to assist in transitioning Risk Response tasks through various stages (e.g., from "Open" to "In Progress" to "Closed"), they do not progress automatically without user intervention. Human action—such as updating the task status or providing necessary inputs—is generally required to move the task forward.
To conclude, the only correct statement is that users must hold the risk_manager role or higher in order to be eligible for assignment to Risk Response tasks. This ensures that risk mitigation efforts are managed by qualified individuals with the appropriate level of authority and responsibility. Hence, the correct answer is B.
Which table, in addition to the Policy table, forms a many-to-many relationship with the Control Objective table in ServiceNow GRC?
A. Entity Class
B. Citation
C. Authority Documents
D. Risk Framework
Answer: B
Explanation:
In ServiceNow’s Governance, Risk, and Compliance (GRC) module, control objectives are essential components that define the intended outcome of governance and risk mitigation efforts. They describe what an organization must achieve to meet regulatory or internal compliance requirements. Often, these control objectives are linked to multiple policies, which outline the steps or standards an organization follows to satisfy those objectives.
However, to reinforce compliance and ensure traceability back to actual legal, regulatory, or industry sources, control objectives also need to be connected to the relevant external requirements. This is where the Citation table comes in. Citations represent specific clauses, mandates, or rules from external regulations, laws, or frameworks that justify or necessitate a policy or control objective. In this model, the Citation table is connected via many-to-many relationships to both the Policy and Control Objective tables. This allows multiple control objectives and policies to reference multiple citations and vice versa.
The value of this structure lies in its flexibility and comprehensive compliance mapping. For instance, if a single citation—such as a GDPR article—requires multiple internal control objectives to be met, each of those objectives can be linked to that single citation. Similarly, one policy might satisfy several control objectives derived from different citations, making the many-to-many relationship ideal.
Let’s clarify why the other options are incorrect:
A. Entity Class: This table is used to define groups of similar entities (e.g., users, departments, assets). It helps in organizing entities for risk and control applications but does not directly relate to control objectives through a many-to-many link like Citation does.
C. Authority Documents: These documents are higher-level references (e.g., ISO standards, NIST publications) and support citations indirectly. However, they do not directly link to control objectives in a many-to-many structure.
D. Risk Framework: This table categorizes and defines risk structures for organizations. It plays an important role in risk management but is not involved in the relational mapping of control objectives and policies.
In summary, Citation provides the necessary linkage between control objectives and the authoritative sources that demand them. It ensures traceability and strengthens compliance management within the GRC framework. That’s why B is the correct answer.
What is the main reason to create Entity Classes in ServiceNow?
A. To define relationships between objects or tables that aren’t already linked in the platform
B. To assign risk statements that automatically generate risks for each entity in the class
C. To assign to control objectives and auto-generate controls for each associated entity
D. To map entities directly to policies and citations
Answer: A
Explanation:
Entity Classes in ServiceNow serve a very specific function in the Governance, Risk, and Compliance (GRC) ecosystem. Their main purpose is to define and represent groups of business entities—such as departments, services, systems, or locations—that share a common trait. These classes allow users to model complex relationships between these entities when no default or native linkage exists in the platform.
Answer A is correct because Entity Classes are primarily used to establish custom relationships between tables or objects that the standard ServiceNow data model doesn’t support directly. In large enterprise environments, organizations often need to track and analyze associations between different data types, such as mapping business services to specific locations or processes to certain applications. Entity Classes allow you to organize and manage such non-obvious, custom connections in a structured, reusable way.
Why the other options are incorrect:
B. While risks can be associated with specific entities, Entity Classes themselves do not directly generate risks by being assigned to risk statements. Risk creation is typically handled through risk registers and assessments, not via the simple assignment of an entity class.
C. Similarly, Entity Classes are not responsible for generating controls when linked to control objectives. Controls are usually created manually or based on policy/control frameworks, and while they may target specific entities, the class itself doesn’t drive that generation process.
D. Though Entity Classes can help track relationships across various GRC elements, they are not designed to directly map entities to policies or citations. That kind of mapping typically occurs through other tables or workflows that manage policy and regulatory compliance documentation.
Entity Classes bring value by filling in gaps in ServiceNow’s data model, giving users the power to define custom scopes or sets of data that are important for risk, compliance, and audit processes. This modular flexibility is especially useful in organizations with complex IT or business architectures where governance cannot rely solely on predefined relationships. Thus, the correct answer is clearly A.
Question 7:
What is the outcome of using "Tablename.config" in the ServiceNow platform?
A. Opens the configuration list view in a new browser tab
B. Shows the table’s list view within the Content Frame
C. Displays the table's list view in a separate browser tab
D. Presents the configuration list view of the table inside the Content Frame
Correct Answer: D
Explanation:
In ServiceNow, the URL suffix .config appended to a table name (i.e., Tablename.config) is used to access the configuration interface for that specific table. When entered, this link directs users to the configuration list view of the specified table, and this view appears within the Content Frame, which is the main working area of the ServiceNow interface.
This behavior is consistent across modules and is particularly helpful for administrators or developers who need to access configuration settings related to a table. These settings may include field definitions, form layout, list layout, security rules, and other properties that define how data in that table behaves or is presented to users.
Option D is correct because it accurately reflects that using Tablename.config will load the configuration view (not the standard data list view) and will do so within the Content Frame, not in a separate tab or browser window. The Content Frame is part of the main ServiceNow UI layout, and it allows users to manage configurations without navigating away from the interface.
Let’s break down why the other options are incorrect:
A. This option wrongly states that the configuration view opens in a new browser tab. ServiceNow does not default to opening configuration views in external tabs unless specifically customized.
B. While this choice mentions the Content Frame, it confuses the configuration view with a generic list view. The .config URL does not display table records—it accesses the table’s structure and configuration.
C. This is incorrect because, like option A, it suggests behavior (opening a new browser tab) that isn’t standard when using .config URLs in ServiceNow.
In conclusion, using Tablename.config in ServiceNow is a powerful shortcut for opening the configuration layout of a table within the existing user interface. It gives administrators immediate access to fields, controls, and metadata relevant to the table structure. This function improves navigation efficiency and simplifies administrative workflows. Therefore, the correct answer is D.
Question 8:
Within the Governance, Risk, and Compliance (GRC) structure in ServiceNow, which object is designed to extend directly from 'Items'?
A. Citation
B. Controls
C. Issue
D. Policy
Correct Answer: A
Explanation:
In the ServiceNow Governance, Risk, and Compliance (GRC) application, the structure is modular, with different entities designed to represent and manage specific compliance components. One of the foundational elements in this framework is the concept of "Items." Items serve as a base object type, from which other GRC-related components can extend to inherit functionality and relationships.
The object that extends directly from Items in this architecture is the Citation. Citations are references to external regulatory standards, frameworks, or authoritative sources—such as ISO, NIST, or HIPAA. These references help justify or validate specific policies, controls, and compliance requirements in an organization’s GRC program.
Why A is correct:
Citations are linked to controls and policies but are technically derived from the base “Item” record type. This relationship allows Citations to retain core properties of Items while incorporating unique attributes relevant to compliance references, such as legal text, source documents, and applicable frameworks. Because they extend from Items, Citations can leverage consistent metadata, tagging, lifecycle states, and relationships with other GRC components.
Let’s explore why the other options are incorrect:
B. Controls: While Controls are essential to GRC and often interact with Citations and Policies, they do not directly extend from Items. Instead, Controls exist in their own object structure and are associated through relationships rather than direct inheritance.
C. Issue: Issues typically represent gaps, non-conformities, or violations discovered during audits or assessments. They are event-driven records and are not based on the Item object structure. Their purpose is corrective or investigative rather than referential like Citations.
D. Policy: Policies define rules or directives but do not extend from Items. Like Controls, they exist independently but can be associated with Citations and other elements. Policies have their own schema and lifecycle and are not a child object of Items.
To summarize, Citations are specifically designed to extend from Items in ServiceNow’s GRC model. This inheritance allows them to function as documented references tied to regulatory or policy-driven requirements, enabling traceability and compliance mapping across various elements in the GRC system. Thus, the correct answer is A.
What is the outcome when you assign a Risk Statement to an Entity Type in ServiceNow?
A. An assessment is automatically launched for each Entity within the Entity Type
B. A risk assessment is instantly created for every Entity in the Entity Type
C. A separate risk entry is generated for each Entity under the specified Entity Type
D. The Entity displays a risk score and has controls linked to it
Correct Answer: C
Explanation:
In ServiceNow's Governance, Risk, and Compliance (GRC) module, a Risk Statement represents a general description of a potential issue or threat that could negatively impact the organization. An Entity Type, on the other hand, groups similar types of operational units, such as departments, applications, or infrastructure components. By linking a Risk Statement to an Entity Type, the system can automatically propagate this risk across all entities classified under that type, allowing more efficient and standardized risk tracking.
When a Risk Statement is assigned to an Entity Type, the platform doesn’t wait for manual intervention—it proactively generates individual risk records for each entity under that Entity Type. This means that for every application, system, or unit within that type, a corresponding risk is created. These new risk records are now actionable and can be individually assessed, scored, mitigated, and monitored.
Let’s break down the other options:
A. Although risk assessments can be associated with risks, they are not automatically launched just by assigning a Risk Statement to an Entity Type. Assessments require separate configuration or scheduling.
B. This is a common misconception. Assigning a Risk Statement doesn't trigger a full assessment cycle. It only creates the risk entries; assessments are typically performed later as part of the evaluation workflow.
D. While risk scores and controls can be associated with individual risk records, merely linking a Risk Statement to an Entity Type doesn’t automatically assign controls or generate a score. Those attributes are applied based on subsequent evaluation and control mapping activities.
In essence, ServiceNow uses this automation to ensure that potential risks are not overlooked across different parts of the organization. By automatically generating a risk for every relevant entity, organizations can scale their risk management processes and ensure coverage without manually defining each risk instance.
Therefore, the correct answer is C: A separate risk is automatically generated for each Entity listed under the assigned Entity Type.
Under what condition is there a direct relationship between an Entity Class and an Entity Type?
A. When both contain the same Entity Types
B. When no formal link exists between them
C. When they share identical Entities
D. When they appear together in reporting dashboards
Correct Answer: A
Explanation:
In ServiceNow’s GRC data architecture, Entity Classes and Entity Types help define and organize business components for the purposes of risk tracking, compliance auditing, and policy enforcement. Understanding their relationship is vital for setting up an efficient and scalable risk framework.
An Entity Class serves as a broader categorization that includes various Entity Types. Think of it as a parent category—like “Applications” or “Infrastructure”—while Entity Types are more specific classifications under that umbrella, such as “Web Apps,” “Databases,” or “Cloud Servers.”
A direct relationship exists between an Entity Class and an Entity Type when they share the same Entity Types. That is, the linkage is established by the common use or assignment of Entity Types that fall under a given Entity Class. For example, if the Entity Class "Business Services" includes the Entity Type "Customer Portals," and both are aligned in classification and use, they are directly related.
Let’s evaluate the incorrect answers:
B. It’s incorrect to say there is no direct relationship. In ServiceNow, Entity Classes and Entity Types are often mapped to ensure consistency across modules like Risk, Compliance, and Audit. Their relationship is a foundational part of how entities are grouped and managed.
C. Sharing the same entities doesn’t define the type of relationship between a class and a type. Two entities might appear in multiple classes or types, but this overlap doesn’t confirm a formal or direct linkage.
D. Reporting can utilize both classes and types, but appearing together in a report is an output of data structure—not an indication of a direct system-level relationship between the two.
In summary, the direct relationship is determined by the structural alignment of Entity Types within an Entity Class. This ensures uniformity in how data is categorized and reported across risk-related modules. It helps organizations consistently apply controls, evaluations, and risk assessments across similar types of entities.
Therefore, the correct answer is A: A direct relationship exists when both share the same Entity Types.
Top ServiceNow Certification Exams
Site Search:
SPECIAL OFFER: GET 10% OFF
Pass your Exam with ExamCollection's PREMIUM files!
SPECIAL OFFER: GET 10% OFF
Use Discount Code:
MIN10OFF
A confirmation link was sent to your e-mail.
Please check your mailbox for a message from support@examcollection.com and follow the directions.
Download Free Demo of VCE Exam Simulator
Experience Avanset VCE Exam Simulator for yourself.
Simply submit your e-mail address below to get started with our interactive software demo of your free trial.