Control Attestation vs Continuous Controls Monitoring
yesterday
Hi,
From the ServiceNow documentation, I see that control attestation is to just confirm that the control is in place.
However, it seems to me at times that control attestations are made to perform the same functionality of continuous controls monitoring.
Let us take an example:
Control: Access Reviews are performed quarterly
Here, what would be the control attestation?
1. Attest that there is a control (procedure) to perform access reviews every quarter or
2. The manager confirming that access review is complete for the specified quarter (as explained in the post: https://www.servicenow.com/community/grc-forum/how-attestation-and-indicators-are-different/m-p/3365...
Thanks,
Krithika
yesterday
Hi @KrithikaV ,
These two are distinct but complementary approaches.
Control Assessment/Attestation: a periodic survey/assessment-based process where control owners manually confirm that controls are implemented correctly. More of a manual way.
Continuous Control Monitoring: an automated, ongoing process that uses indicators to continuously assess and validate control compliance through system data.
Let's take your example:
Control: Access Reviews are performed quarterly.
1) As the control owner, every three months you will be assigned an assessment to confirm whether Access Reviews are in place or not. This is known as Control Attestation. (You can provide evidence here, but we can't fully rely on this alone.)
2) On the other side, an indicator will be set up to run every three months, which will check your AD or wherever your access logs are available to perform a review.
- If it passes, the control is compliant.
- If it fails, your control becomes non-compliant, resulting in an issue.
- You can also run this on-demand. (There are different ways to set up indicators: basic, manual or scripted.)
I tried to keep it simple here. Hope this helps, if so
Thank you,
Hemanth
Certified Technical Architect (CTA), ServiceNow MVP 2024, 2025
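To make the indicator side of the answer above concrete, here is an added example (not ServiceNow code and not from either poster) written as plain JavaScript: a stand-in for the logic a scripted indicator would run against the access-review records for the control "Access Reviews are performed quarterly". The record shape, the app names and the dates are constructed for the example.

```javascript
// Added example: plain-JavaScript stand-in for a scripted indicator that checks
// the control "Access Reviews are performed quarterly". Not ServiceNow code; in the
// platform this logic would read real review/access data instead of a constant.

// Constructed sample data: access-review completion records exported from the
// identity system for each in-scope application (not real log data).
const SAMPLE_REVIEWS = [
  { app: "payroll", completedOn: "2024-01-20" },
  { app: "payroll", completedOn: "2024-04-18" },
  { app: "payroll", completedOn: "2024-07-15" },
  { app: "crm",     completedOn: "2024-02-02" },
  { app: "crm",     completedOn: "2024-04-30" },
  // "crm" has no review record in Q3 2024, so that quarter should fail.
];

// Quarter label for an ISO date, e.g. "2024-Q3".
function quarterOf(isoDate) {
  const d = new Date(isoDate + "T00:00:00Z");
  return `${d.getUTCFullYear()}-Q${Math.floor(d.getUTCMonth() / 3) + 1}`;
}

// Evaluate the indicator for one quarter over the list of in-scope apps.
// Returns a result shaped like an indicator outcome: pass/fail, plus the
// evidence a control owner or auditor would want (which apps lack a review).
function evaluateQuarterlyAccessReviews(reviews, inScopeApps, quarter) {
  const reviewedApps = new Set(
    reviews.filter(r => quarterOf(r.completedOn) === quarter).map(r => r.app)
  );
  const missing = inScopeApps.filter(app => !reviewedApps.has(app));
  return {
    quarter,
    compliant: missing.length === 0,
    missing,
    // On a failed run the indicator would raise an issue against the control;
    // this string is the text such an issue would carry.
    issue: missing.length === 0
      ? null
      : `Access review not completed in ${quarter} for: ${missing.join(", ")}`,
  };
}

// Stand-alone run: Q2 2024 passes, Q3 2024 fails because "crm" was not reviewed.
console.log(evaluateQuarterlyAccessReviews(SAMPLE_REVIEWS, ["payroll", "crm"], "2024-Q2"));
console.log(evaluateQuarterlyAccessReviews(SAMPLE_REVIEWS, ["payroll", "crm"], "2024-Q3"));
```

The attestation in step 1 of the answer would only record that the owner says reviews happen; this check is what turns the quarter's actual review records into a compliant/non-compliant result.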
yesterday
Hi.
Control attestation:
You confirm that there is something to check compliance, e.g.: there is a control implemented to check if your fridge has the right temperature: a thermometer is implemented.
This is the "attest" state.
After review you are in the "monitor" state, to check if the temperature is within the correct parameters with the help of your indicators and indicator tasks.
This can be done manually, with data from the instance, or scripted.
Another thing is audit, where for example an auditor checks if the control and indicator are sufficient.
It is NOT "manually" (attest) or "automatically" (indicator) as other people said.
- Mat
6 hours ago
Hi @Matthias Ferstl ,
Hey, it's not just about manual vs. automation; it's about the purpose each serves.
Attestation is more about getting your consent or confirmation on whether a control is compliant or not. For example, I can still say my fridge temperature is normal, but how can you actually monitor it? You can attach evidence, but can't rely on that completely.
Indicators, on the other hand, actually check and indicate whether your control is truly compliant and they’re backed by data or automation (using basic or Script types). Here, we can set up an integration to automatically retrieve the actual temperature on a regular basis to monitor this control.
So it's not manual vs. automation!
Thank you,
Hemanth
Certified Technical Architect (CTA), ServiceNow MVP 2024, 2025
5 hours ago
Nope.
Please check the documentation and learning courses; there are enough examples.
Attestation is IF it is implemented, but doesn't say anything about whether it is compliant.
(No implementation means "not compliant", but it is not a check of whether a control is compliant, only whether it is implemented.)
This is checked by indicators, where manual indicator tasks are also used.
This is exactly the reason why the attest state is right before the monitor state.
You can't monitor something that is not implemented. Monitor is the state where indicator tasks are generated (automatically or manually) for a manual check, or automated checks take place by scripted or basic indicators with data.
- Mat
