
🟦 1. What is the IRM architecture in ServiceNow?

Answer:
IRM architecture in ServiceNow is built around five core layers:

  1. Authority Documents (UCF, ISO, NIST, PCI, SOX)

  2. Control Objectives

  3. Controls

  4. Risks

  5. Issues / Remediation

Supporting layers:

  • Profiles / Entity Types

  • Policy & Compliance Workspace

  • Continuous Monitoring (CCM)

  • Indicators (KPIs)

  • Assessments

This architecture helps map Requirements → Controls → Risks.

🟦 2. Explain the relationship between Authority Documents, Objectives, Controls, and Risks.

Answer:

Layer              | Purpose
-------------------|--------------------------------------------------------
Authority Document | External/regulatory requirement (ISO, NIST, UCF)
Control Objective  | High-level expectation from the regulation
Control            | Specific internal check/action performed to comply
Risk               | Threat that arises if the control fails

Flow:
Authority Document → Control Objective → Control → Risk

🟦 3. What is Entity Scoping in IRM?

Answer:
Entity Scoping decides where risks and controls apply.

Components:

  • Entity Types (Business Unit, Department, Location)

  • Profile Types

  • Profiles (Instances of the entity)

IRM filters which controls are relevant using:

  • Scoping Conditions

  • In-Scope Flags

  • Entity Hierarchy

🟦 4. What is a Risk Framework?

A Risk Framework defines the methodology for risk calculation.

Includes:

  • Risk scoring formula

  • Safe/Medium/High threshold rules

  • Impact/Likelihood definitions

  • Assessment models

  • Indicator calculation

Custom scoring often uses:

Risk Score = Likelihood × Impact

🟦 5. What are the three types of Risk Assessments in IRM?

  1. Qualitative Assessment

  2. Quantitative Assessment

  3. Automated Assessment (CCM)

Assessment models define:

  • Questions

  • Weightage

  • Scoring logic

🟦 6. What is CCM (Continuous Control Monitoring)?

Answer:
CCM automatically validates controls using data sources:

  • Scripted checks

  • MetricBase

  • Logs

  • Integrations

It reduces manual testing.

Components:

  • Data Sources

  • Indicators

  • Tests

  • Control Monitoring Jobs
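The following is an added example, not code from the original page or from ServiceNow: a miniature Continuous Control Monitoring run in plain Node.js that chains the four components listed above (data source, indicator, test, monitoring job) over constructed data and raises an issue when the test fails. The account rows, the indicator definition, the control id `CTL-IAM-02`, the issue field names and the priority rule are all assumptions made for illustration; no GlideRecord or platform API is used.

```javascript
// Added example (not ServiceNow's own code): a miniature CCM run.
// Data source -> indicator -> test -> monitoring job -> issue on failure.

// Data source: constructed export of accounts, as an IdP integration might deliver it.
const ADMIN_ACCOUNTS = [
  { user: 'alice', role: 'admin', mfa_enabled: true,  last_login: '2025-11-10' },
  { user: 'bob',   role: 'admin', mfa_enabled: false, last_login: '2025-11-12' },
  { user: 'carol', role: 'admin', mfa_enabled: true,  last_login: '2025-09-01' },
  { user: 'dave',  role: 'user',  mfa_enabled: false, last_login: '2025-11-15' }, // not privileged, excluded
];

// Indicator: one metric computed from the data source. `filter` narrows the rows to the
// population the control covers, `value` is the measurement, `test` is the pass condition.
// Indicator name, control id and test threshold are assumptions for this example.
const INDICATORS = {
  admin_mfa_coverage: {
    control: 'CTL-IAM-02',
    filter: (row) => row.role === 'admin',
    value: (rows) => (rows.length ? rows.filter((r) => r.mfa_enabled).length / rows.length : 1),
    test: { operator: '>=', threshold: 1.0 },             // every admin must have MFA
    evidence: (rows) => rows.filter((r) => !r.mfa_enabled).map((r) => r.user),
  },
};

const OPERATORS = {
  '>=': (a, b) => a >= b,
  '<=': (a, b) => a <= b,
  '==': (a, b) => a === b,
};

// Evaluates one indicator against the rows and returns a result record.
function runIndicator(name, rows, indicators = INDICATORS) {
  const ind = indicators[name];
  if (!ind) throw new Error(`unknown indicator ${name}`);
  if (!OPERATORS[ind.test.operator]) throw new Error(`unsupported operator ${ind.test.operator}`);
  const population = rows.filter(ind.filter);
  const value = ind.value(population);
  const passed = OPERATORS[ind.test.operator](value, ind.test.threshold);
  return {
    indicator: name,
    control: ind.control,
    population: population.length,
    value: Number(value.toFixed(4)),
    passed,
    failing: passed ? [] : ind.evidence(population),
  };
}

// On failure the job raises an issue against the control, carrying the evidence so the
// remediation task has something concrete to act on. Field names are assumed.
function createIssueIfFailed(result) {
  if (result.passed) return null;
  return {
    table: 'sn_compliance_issue',
    control: result.control,
    short_description: `Control ${result.control} failed: ${result.indicator} = ${result.value}`,
    root_cause: `Accounts without MFA: ${result.failing.join(', ')}`,
    priority: result.failing.length > 1 ? 'High' : 'Medium', // assumed priority rule
    state: 'Open',
  };
}

// Monitoring job: runs every indicator and pairs each result with the issue it raised (if any).
function runMonitoringJob(rows = ADMIN_ACCOUNTS, indicators = INDICATORS) {
  return Object.keys(indicators).map((name) => {
    const result = runIndicator(name, rows, indicators);
    return { result, issue: createIssueIfFailed(result) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runMonitoringJob(), null, 2));
}
```

Running it shows why CCM replaces a manual test: the indicator covers the whole population on every run, and the failing rows (here the account without MFA) are recorded as evidence on the issue rather than discovered during a quarterly sample.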

🟦 7. What are Profile Types & Profiles?

  • Profile Type → Template for entity (e.g., "Business Unit")

  • Profile → Instance of the template (e.g., "Finance Dept")

Controls and risks are scoped to Profiles.

🟦 8. How does IRM calculate Residual Risk?

Residual Risk = Inherent Risk - Control Effectiveness

OR

Residual Risk = Inherent Impact × Inherent Likelihood × (1 - Control Effectiveness)

🟦 9. What is the difference between Findings, Issues, and Remediation Tasks?

Term             | Meaning
-----------------|-----------------------------------------------------
Finding          | Result from an audit or assessment
Issue            | A failed control, compliance breach, or risk gap
Remediation Task | Action taken to fix the issue

Issues can have:

  • Root Cause

  • Impact

  • Priority

  • Tasks

🟦 10. What is the role of the Policy & Compliance Workspace?

Answer:
The workspace provides:

  • Control Testing

  • Advanced Workflows

  • Risk Dashboards

  • Policy creation & lifecycle

  • Evidence requests

  • Offline control testing support

🟦 11. How do IRM and SecOps integrate?

Integration points:

  • Risk information into SecOps (Vulnerability Risk, Threat Risk)

  • Issues generated from Vulnerability data

  • Playbook automation for mitigation

🟦 12. What is UCF and why is it important?

Answer:
UCF = Unified Compliance Framework
It provides:

  • Standardized mapping of regulations

  • Ready-made Authority Documents

  • Automated updates via content packs

This avoids duplicate regulatory work.

🟦 13. What is the difference between the Risk Register and the Control Register?

Register         | Contains
-----------------|-----------------------------------------------------
Risk Register    | All enterprise risks (strategic, operational, technical)
Control Register | All controls across the enterprise

🟦 14. What automation tools does IRM provide?

  • Assessments

  • CCM Jobs

  • Scripted Data Sources

  • Workflow Designer

  • Indicator Workflow

  • Playbook Designer

  • Flow Designer for tasks

🟦 15. How does control testing work in IRM?

Control testing consists of:

  1. Test Plan

  2. Test Assignment

  3. Evidence Collection

  4. Review

  5. Issue Creation (if control fails)

Workflows can automate:

  • Evidence reminders

  • Review approvals

  • Issue generation

🟦 16. How do you build a custom Risk Scoring engine?

Use:

  • Script Includes (scoring logic)

  • MetricBase or Indicators (for dynamic scores)

  • Risk Methodologies (impact/likelihood mapping)
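The following is an added example, not code from the original page or from ServiceNow: a stand-alone risk scoring engine in plain Node.js, written the way the scoring logic of a Script Include would be structured. It applies the Q4 formula (Risk Score = Likelihood × Impact), the multiplicative Q8 residual formula, and a set of Safe/Medium/High thresholds, and derives Control Effectiveness from the controls linked to the risk (the many-to-many mapping of Q17). The 1..5 rating scale, the threshold values, the field names (`impact`, `likelihood`, `effectiveness`) and the rule that the strongest linked control sets the effectiveness are assumptions for this example, not the platform's schema or methodology.

```javascript
// Added example (not ServiceNow's own code): a risk scoring engine in plain Node.js.
// Scale, thresholds, field names and the effectiveness aggregation rule are assumed.

// Assumed Risk Framework: impact and likelihood are integers 1..5; a score <= 6 is Safe,
// <= 14 is Medium, anything above is High.
const FRAMEWORK = {
  scale: { min: 1, max: 5 },
  thresholds: [
    { label: 'Safe',   max: 6 },
    { label: 'Medium', max: 14 },
    { label: 'High',   max: Infinity },
  ],
};

function validateRating(value, name) {
  const { min, max } = FRAMEWORK.scale;
  if (!Number.isInteger(value) || value < min || value > max) {
    throw new RangeError(`${name} must be an integer between ${min} and ${max}`);
  }
  return value;
}

// Inherent risk: Risk Score = Likelihood × Impact.
function inherentScore(risk) {
  return validateRating(risk.likelihood, 'likelihood') * validateRating(risk.impact, 'impact');
}

// Control Effectiveness aggregated from linked controls (many-to-many). Assumed rule: each
// control carries an effectiveness rating in 0..1 and the strongest one sets the mitigation
// level; a risk with no linked controls is unmitigated (0).
function controlEffectiveness(risk) {
  const ratings = (risk.controls || []).map((c) => {
    if (typeof c.effectiveness !== 'number' || c.effectiveness < 0 || c.effectiveness > 1) {
      throw new RangeError(`control ${c.id}: effectiveness must be between 0 and 1`);
    }
    return c.effectiveness;
  });
  return ratings.length ? Math.max(...ratings) : 0;
}

// Residual Risk = Inherent Impact × Inherent Likelihood × (1 - Control Effectiveness).
function residualScore(risk) {
  return inherentScore(risk) * (1 - controlEffectiveness(risk));
}

// Maps a score onto the framework's Safe/Medium/High bands.
function classify(score) {
  return FRAMEWORK.thresholds.find((t) => score <= t.max).label;
}

// Produces the record a scoring job would write back onto the risk.
function scoreRisk(risk) {
  const inherent = inherentScore(risk);
  const residual = residualScore(risk);
  return {
    id: risk.id,
    inherent,
    inherentRating: classify(inherent),
    residual: Number(residual.toFixed(2)),
    residualRating: classify(residual),
  };
}

// Constructed sample risks with their linked controls (ids are made up for the example).
const SAMPLE_RISKS = [
  { id: 'RSK0001', impact: 5, likelihood: 4, controls: [{ id: 'CTL0010', effectiveness: 0.8 }] },
  { id: 'RSK0002', impact: 3, likelihood: 3, controls: [] },
  { id: 'RSK0003', impact: 4, likelihood: 5,
    controls: [{ id: 'CTL0020', effectiveness: 0.25 }, { id: 'CTL0021', effectiveness: 0.5 }] },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of SAMPLE_RISKS) console.log(scoreRisk(r));
}
```

The validation at the top matters in a real engine: a score written from an out-of-range rating or an effectiveness above 1 silently understates residual risk on the dashboard, so the engine should reject the record rather than compute on it.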

🟦 17. How are risks linked to controls?

Through the table:

sn_risk_risk_control

Allows:

  • Many-to-many mapping

  • Automated residual risk updates

🟦 18. What are the main IRM/GRC tables?

Core tables:

  • sn_risk_risk

  • sn_risk_assessment

  • sn_compliance_control

  • sn_compliance_authority_document

  • sn_compliance_control_objective

  • sn_compliance_issue

  • sn_compliance_evidence_request

  • sn_grc_profile

  • sn_grc_profile_type

🟦 19. How does IRM handle multi-level inheritance?

IRM supports an entity hierarchy such as:

Company
└── Division
    └── Department
        └── Team

Controls and risks propagate downward depending on:

  • Entity scoping

  • Control applicability

  • Profile in-scope rules
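The following is an added example, not code from the original page or from ServiceNow: a plain Node.js resolver that walks the Company → Division → Department → Team hierarchy above and decides which controls apply to a given profile from the three factors listed (entity scoping, control applicability, in-scope rules). The profile and control records, their field names (`parent`, `inScope`, `scopedTo`, `appliesTo`) and the rule that an out-of-scope profile also removes its descendants from scope are assumptions for this example, not the `sn_grc_profile` schema.

```javascript
// Added example (not ServiceNow's own code): control applicability down an entity hierarchy.
// Record shapes and the propagation rules are assumptions for illustration.

// Constructed profiles; `parent` links model Company > Division > Department > Team.
const PROFILES = [
  { id: 'Acme Corp',  type: 'Company',    parent: null,        inScope: true },
  { id: 'EMEA',       type: 'Division',   parent: 'Acme Corp', inScope: true },
  { id: 'Finance',    type: 'Department', parent: 'EMEA',      inScope: true },
  { id: 'Payroll',    type: 'Team',       parent: 'Finance',   inScope: true },
  { id: 'Legacy Lab', type: 'Team',       parent: 'Finance',   inScope: false }, // flagged out of scope
];

// Constructed controls. `scopedTo` is the profile the control was attached to (it propagates
// to that profile's descendants); `appliesTo` is the control's entity-type applicability.
const CONTROLS = [
  { id: 'CTL-SOX-01', name: 'Quarterly access review',       scopedTo: 'Acme Corp', appliesTo: ['Company', 'Division', 'Department', 'Team'] },
  { id: 'CTL-PCI-07', name: 'Cardholder data encryption',    scopedTo: 'EMEA',      appliesTo: ['Department', 'Team'] },
  { id: 'CTL-HR-03',  name: 'Payroll segregation of duties', scopedTo: 'Finance',   appliesTo: ['Team'] },
];

function byId(list) {
  return new Map(list.map((p) => [p.id, p]));
}

// Walks from a profile up to the root and returns [profile, parent, ..., root].
// A cycle in parent links would otherwise loop forever, so it is detected and reported.
function ancestors(profileId, profiles) {
  const index = byId(profiles);
  const chain = [];
  const seen = new Set();
  let current = index.get(profileId);
  if (!current) throw new Error(`unknown profile ${profileId}`);
  while (current) {
    if (seen.has(current.id)) throw new Error(`cycle in entity hierarchy at ${current.id}`);
    seen.add(current.id);
    chain.push(current);
    current = current.parent ? index.get(current.parent) : null;
  }
  return chain;
}

// A control applies to a profile when (assumed rules):
//  1. the profile and every ancestor carry the in-scope flag,
//  2. the control is scoped to the profile or to one of its ancestors, and
//  3. the control's applicability includes the profile's entity type.
function applicableControls(profileId, profiles = PROFILES, controls = CONTROLS) {
  const chain = ancestors(profileId, profiles);
  if (chain.some((p) => !p.inScope)) return [];
  const lineage = new Set(chain.map((p) => p.id));
  const profileType = chain[0].type;
  return controls
    .filter((c) => lineage.has(c.scopedTo) && c.appliesTo.includes(profileType))
    .map((c) => c.id);
}

// Scope report for the whole hierarchy: profile id -> applicable control ids.
function scopeReport(profiles = PROFILES, controls = CONTROLS) {
  const report = {};
  for (const p of profiles) report[p.id] = applicableControls(p.id, profiles, controls);
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scopeReport());
}
```

The report is the check worth running before a control-testing cycle: a Team that unexpectedly shows no controls is usually a missing in-scope flag somewhere up its chain, not a missing control.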

🟦 20. How do you migrate large IRM implementations?

Best practices:

  • Use Update Sets only for UI & configuration

  • Move data with Import Sets + Transform Maps

  • For frameworks: use Content Packs

  • For Profiles & Risks: use XML export/import

  • For dashboards: use Content-Packaging Framework

Top IRM / GRC Architecture Interview Questions & Answers
Working Code, edited question November 18, 2025