Can You Use an IT Ticketing Platform for your GRC Program?

We recently published a paper, “Which Platform is the Best Fit for Your Use Case? Comparing Salesforce, ServiceNow and Rsam.” Since then we’ve gotten questions about the value of using an IT system, like ServiceNow, for GRC activities. Most people seem to have one primary motivation for taking this route, which is to leverage their existing platform investment.

While that’s understandable, you may solve one concern and create many more. It’s true you can potentially save dollars by not purchasing a new platform. On the flip side, you can end up in the likely situation of realizing your existing IT ticketing platform doesn’t deliver the functionality you really need for GRC and/or takes too much effort and money to retrofit.

Here is a quick comparison of the main differences between purpose-built GRC platforms and those that have morphed from their original purpose, like ServiceNow’s IT ticketing platform. It’s not an exhaustive list but gives you food for thought.

| Business value | IT Ticketing Platform | Purpose-Built GRC Platform |
|---|---|---|
| GRC-related Content | Limited or none | Cross-mapped OOTB content as well as specific areas like ISO, SOX, PCI, HIPAA, FISMA, NIST, HITRUST, COBIT, BITS, CSA, GLBA, FFIEC, FERPA, NERC, and more. |
| Risk & Compliance | Designed originally for issue tracking, an IT tactical function. No relevance to risk and control frameworks, largely managed by InfoSec, Compliance and Risk groups. | Designed to manage risk, compliance and security operations. |
| Risk Analytics | Requires a lot of configuration and development to incorporate risk analytics. | Native capabilities for risk analytics, scoring, normalization etc. |
| Vulnerability Management | Lacks the sophistication required and integrations necessary to gain insights into vulnerabilities. | Incorporates intelligence through integrations with vulnerability management systems. |
| Enterprise Risk Management | No ERM capability | Supports a top-down and bottom-up ERM process. |
| Strategy & Roadmap | Unknown or unclear since it is not a core business focus. | 3-5 year roadmap depicting vision and product evolution. |