Hemanth M1
Giga Sage

Hi @KrithikaV,

These two are distinct but complementary approaches.

Control Assessment/Attestation: a periodic survey/assessment-based process where control owners manually confirm that controls are implemented correctly. More of a manual approach.

Continuous Control Monitoring: an automated, ongoing process that uses indicators to continuously assess and validate control compliance through system data.

Let's take your example:

Control: Access Reviews are performed quarterly.

1) As the control owner, every three months you will be assigned an assessment to confirm whether Access Reviews are in place or not. This is known as Control Attestation. (You can provide evidence here, but we can't fully rely on this alone.)

2) On the other side, an indicator will be set up to run every three months, which will check your AD (or wherever your access logs are available) to perform a review.

  • If it passes, the control is compliant.
  • If it fails, your control becomes non-compliant, resulting in an issue.
  • You can also run this on-demand. (There are different ways to set up indicators: basic, manual or scripted.)

I tried to keep it simple here. Hope this helps. If so, please Accept and hit Helpful.

Thank you,
Hemanth
Certified Technical Architect (CTA), ServiceNow MVP 2024, 2025

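To make the second part of the answer concrete, here is an added stand-alone sketch of what a scripted indicator for the control "Access Reviews are performed quarterly" evaluates. This is example code written for this thread, not ServiceNow platform code or a ServiceNow API: the review-log record shape, the list of in-scope systems and the 90-day tolerance are assumptions, and the log entries are constructed sample data.

```javascript
// Constructed sample of access-review completion records, in the shape a
// scripted indicator might pull from an AD / IAM review log (assumed format).
const REVIEW_LOG = [
  { system: "Active Directory", completed: "2025-01-15", reviewer: "alice" },
  { system: "Active Directory", completed: "2025-04-10", reviewer: "alice" },
  { system: "HR Portal",        completed: "2024-12-02", reviewer: "bob"   },
  { system: "Finance App",      completed: "2025-04-20", reviewer: "carol" },
];

// Assumed tolerance for "quarterly": the most recent completed review for
// each in-scope system must be no older than this many days.
const QUARTER_DAYS = 90;
const MS_PER_DAY = 86400000;

// Evaluate the control for every in-scope system as of the date `asOf`
// (ISO yyyy-mm-dd). Returns the per-system results, an overall verdict and
// the issue texts a failing indicator would raise.
function evaluateAccessReviewIndicator(log, systems, asOf) {
  const asOfMs = Date.parse(asOf);
  const results = systems.map((system) => {
    const dates = log
      .filter((r) => r.system === system)
      .map((r) => Date.parse(r.completed));
    const latest = dates.length ? Math.max(...dates) : null;
    // A system with no review on record at all is treated as failing.
    const ageDays = latest === null ? Infinity
      : Math.floor((asOfMs - latest) / MS_PER_DAY);
    const lastReview = latest === null ? null
      : new Date(latest).toISOString().slice(0, 10);
    return { system, lastReview, ageDays, passed: ageDays <= QUARTER_DAYS };
  });
  const issues = results
    .filter((r) => !r.passed)
    .map((r) => `Control non-compliant for ${r.system}: last access review `
      + `${r.lastReview ?? "never"} (${r.ageDays === Infinity ? "no review on record" : r.ageDays + " days ago"})`);
  return { compliant: issues.length === 0, results, issues };
}

// On-demand run; a scheduled quarterly run would call the same function.
const IN_SCOPE = ["Active Directory", "HR Portal", "Finance App", "VPN Gateway"];
const run = evaluateAccessReviewIndicator(REVIEW_LOG, IN_SCOPE, "2025-05-01");
console.log(run.compliant ? "PASS: control compliant"
  : "FAIL: control non-compliant\n" + run.issues.join("\n"));
```

With the sample data, "HR Portal" (150 days since its last review) and "VPN Gateway" (no review on record) fail, so the overall control is non-compliant and two issues are raised; the other two systems pass.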