diff --git a/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql b/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql
index 186f94003f71f2..2953585473c8c9 100644
--- a/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql
+++ b/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql
@@ -5,19 +5,20 @@
 -- OR settings_database_flags ->> '3625' != 'off'
 -- OR settings_database_flags ->> '3625' IS NULL);
-
+-- In the original document in CIS GCP v1.2.0, it describes the configuration should be 'off', but it is a typo.
+-- This constraint has been updated on CIS GCP v1.3.0, this flag should be 'on'.
 INSERT INTO gcp_policy_results (resource_id, execution_time, framework, check_id, title, project_id, status)
 SELECT
 gsi.name AS resource_id,
 :'execution_time'::timestamp AS execution_time,
 :'framework' AS framework,
 :'check_id' AS check_id,
- 'Ensure "3625 (trace flag)" database flag for Cloud SQL SQL Server instance is set to "off" (Automated)' AS title,
+ 'Ensure "3625 (trace flag)" database flag for Cloud SQL SQL Server instance is set to "on" (Automated)' AS title,
 gsi.project_id AS project_id,
 CASE
 WHEN gsi.database_version LIKE 'SQLSERVER%'
 AND (f->>'value' IS NULL
- OR f->>'value' != 'off')
+ OR f->>'value' != 'on')
 THEN 'fail'
 ELSE 'pass'
 END AS status
diff --git a/website/pages/docs/plugins/sources/gcp/policies.md b/website/pages/docs/plugins/sources/gcp/policies.md
index c6f5398d08ed0e..2725c063bcbe6a 100644
--- a/website/pages/docs/plugins/sources/gcp/policies.md
+++ b/website/pages/docs/plugins/sources/gcp/policies.md
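Review bot: The new CASE only marks an instance `fail` when a flag element `f` with a NULL value or a value other than `on` is actually present; if the FROM/WHERE that continues below this hunk draws `f` from `jsonb_array_elements(settings_database_flags)` filtered on the flag name, a SQL Server instance with no 3625 entry at all (the unset default, which presumably leaves the flag off) produces no row and silently escapes the check — the commented-out `settings_database_flags ->> '3625' IS NULL` remnant above suggests the earlier version did cover that case. Worth confirming with a fixture instance that has an empty flag list, and making the absent-flag path reachable (for example a LEFT JOIN on the flag name so the `IS NULL` arm can fire). The added comment should also state why `on` is the secure value, e.g. `-- CIS GCP v1.2.0 says 'off' by mistake; v1.3.0 corrects it to 'on' — trace flag 3625 masks error-message parameters from non-sysadmin logins, limiting information disclosure.` Because the check still runs under the v1.2.0 framework label while enforcing the v1.3.0 value, that deviation from the published v1.2.0 text should be noted where users compare results against the benchmark. The SELECT's FROM and WHERE clauses lie outside this hunk.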
@@ -106,7 +106,7 @@ GCP CIS v1.2.0 performs the following checks:
 - Ensure "user connections" database flag for Cloud SQL SQL Server instance is set as appropriate (Automated)
 - Ensure "user options" database flag for Cloud SQL SQL Server instance is not configured (Automated)
 - Ensure "remote access" database flag for Cloud SQL SQL Server instance is set to "off" (Automated)
- - Ensure "3625 (trace flag)" database flag for Cloud SQL SQL Server instance is set to "off" (Automated)
+ - Ensure "3625 (trace flag)" database flag for Cloud SQL SQL Server instance is set to "on" (Automated)
 - Ensure that the "contained database authentication" database flag for Cloud SQL on the SQL Server instance is set to "off" (Automated)
 - Ensure that the Cloud SQL database instance requires all incoming connections to use SSL (Automated)
 - Ensure that Cloud SQL database instances are not open to the world (Automated)