
Control Attestation vs Continuous Controls Monitoring

KrithikaV
Tera Expert

Hi,

From the ServiceNow documentation, I see that control attestation is just to confirm that the control is in place.

However, it seems to me at times that control attestations are made to perform the same functionality as continuous controls monitoring.

 

Let us take an example:
Control: Access Reviews are performed quarterly
Here, what would be the control attestation?
1. Attest that there is a control (procedure) to perform access reviews every quarter, or
2. The manager confirming that the access review is complete for the specified quarter (as explained in the post: https://www.servicenow.com/community/grc-forum/how-attestation-and-indicators-are-different/m-p/3365...

Thanks,
Krithika

 

2 ACCEPTED SOLUTIONS

Hemanth M1
Giga Sage

Hi @KrithikaV ,

 

These two are distinct but complementary approaches.

 

Control Assessment/Attestation: a periodic survey/assessment-based process where control owners manually confirm that controls are implemented correctly. More of a manual way.

 

Continuous Controls Monitoring: an automated, ongoing process that uses indicators to continuously assess and validate control compliance through system data.

 

Let's take your example:

Control: Access Reviews are performed quarterly.

 

1) As the control owner, every three months you will be assigned an assessment to confirm whether Access Reviews are in place or not. This is known as Control Attestation. (You can provide evidence here, but we can't fully rely on this alone.)

 

2) On the other side, an indicator will be set up to run every three months, which will check your AD or wherever your access logs are available to perform a review.

  • If it passes, the control is compliant.
  • If it fails, your control becomes non-compliant, resulting in an issue.
  • You can also run this on-demand. (There are different ways to set up indicators: basic, manual or scripted.)

I tried to keep it simple here. Hope this helps; if so,

 

 

Accept and hit Helpful if it helps.

Thank you,
Hemanth
Certified Technical Architect (CTA), ServiceNow MVP 2024, 2025

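As an added illustration of the indicator logic Hemanth describes above (an automated check that runs per quarter, passes or fails, and raises an issue on failure), here is a plain-JavaScript model of such a check. This is example code written for this page, not code from the original post or from ServiceNow: it does not use the ServiceNow scripted-indicator API (no GlideRecord, no indicator result object), and the system names, record fields and review records are constructed for the example.

```javascript
// Added example: a pure-JavaScript model of a "quarterly access review" indicator.
// NOT ServiceNow's scripted-indicator API; it only shows the decision logic such a
// script would implement over review records pulled from an AD/IAM export.
// All names and sample data are constructed for this example.

// Constructed sample: access review records as an IAM/AD export might provide them.
const SAMPLE_REVIEWS = [
  { system: 'AD-CORP', completedOn: '2025-02-14', reviewer: 'm.jones', status: 'complete' },
  { system: 'AD-CORP', completedOn: '2025-05-02', reviewer: 'm.jones', status: 'complete' },
  { system: 'SAP-FIN', completedOn: '2025-01-30', reviewer: 'a.kumar', status: 'complete' },
  { system: 'SAP-FIN', completedOn: '2025-04-10', reviewer: 'a.kumar', status: 'in_progress' },
  { system: 'GITLAB',  completedOn: '2024-12-20', reviewer: 'r.lee',   status: 'complete' },
];

// In-scope systems for the control (constructed). Scoping explicitly means a
// system with no records at all fails, instead of silently passing.
const IN_SCOPE_SYSTEMS = ['AD-CORP', 'SAP-FIN', 'GITLAB'];

// Returns the [start, end) boundaries of the calendar quarter containing `date` (UTC).
function quarterBounds(date) {
  const y = date.getUTCFullYear();
  const qStartMonth = Math.floor(date.getUTCMonth() / 3) * 3;
  return {
    start: new Date(Date.UTC(y, qStartMonth, 1)),
    end: new Date(Date.UTC(y, qStartMonth + 3, 1)), // month 12 rolls into next year
  };
}

// Evaluate the indicator for the quarter containing `asOfDate`.
// Only records with status 'complete' inside the quarter count as evidence;
// an 'in_progress' review is not a performed review.
// Returns { passed, results, issues } where `issues` lists one entry per failing system.
function evaluateAccessReviewIndicator(reviews, asOfDate, systems) {
  const { start, end } = quarterBounds(asOfDate);
  const quarterLabel = start.toISOString().slice(0, 10);
  const results = {};
  const issues = [];

  for (const system of systems) {
    const evidenced = reviews.some((r) => {
      const done = new Date(r.completedOn + 'T00:00:00Z');
      return r.system === system && r.status === 'complete' && done >= start && done < end;
    });
    results[system] = evidenced ? 'compliant' : 'non_compliant';
    if (!evidenced) {
      issues.push({
        system,
        quarterStart: quarterLabel,
        description: 'No completed access review found for ' + system +
                     ' in the quarter starting ' + quarterLabel,
      });
    }
  }
  return { passed: issues.length === 0, results, issues };
}

// Stand-alone run (constructed date): Q2 2025 should fail for SAP-FIN and GITLAB.
const outcome = evaluateAccessReviewIndicator(
  SAMPLE_REVIEWS, new Date('2025-05-15T00:00:00Z'), IN_SCOPE_SYSTEMS);
console.log(JSON.stringify(outcome, null, 2));
```

The point of the check is the one made in the answer: the result comes from records, not from the owner's statement, so an attestation that "reviews were done" is contradicted when the data shows an unfinished review (SAP-FIN) or none at all (GITLAB). In a real scripted indicator the records would come from a GlideRecord query or an imported AD/IAM extract, and a failing result would create the issue rather than just returning it.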

Matthias Ferstl
Mega Guru

Hi.

 

Control attestation:

You confirm that there is something to check compliance, e.g. there is a control implemented to check if your fridge has the right temperature: a thermometer is implemented.

 

This is the "attest" state.

 

After review you are in the "monitor" state to check if the temperature is within the correct parameters, with the help of your indicators and indicator tasks.

This can be done manually, with data from the instance, or scripted.

 

Another thing is audit, where, for example, an auditor checks if the control and indicator are sufficient.

It is NOT "manually" (attest) or "automatically" (indicator), as other people said.

Please mark answers (not only mine) as helpful if they were, and as "accepted solutions". This motivates others to take part, post solutions and find answers. Thanks! - Mat


7 REPLIES

We can talk all day long on this!

 

Simply put - Indicators are the second line of defense: make sure to monitor the status of control implementation!

 

@KrithikaV : Let us know what questions you have after reading all of this - Lets resolve your queries first.

 

 

 

 


Thank you,
Hemanth
Certified Technical Architect (CTA), ServiceNow MVP 2024, 2025

KrithikaV
Tera Expert

Hi @Hemanth M1 ,
If control attestation evaluates the control (checks if the access review was performed), then when the control moves to the Monitor stage, what is it expected to monitor?

Suppose one has not implemented continuous controls management; then they might not have set up indicator templates or indicators. In that case, what will happen in the 'Monitor' state?

Thanks in advance,
Krithika

 

I cite from the training material (GRC: IRM Implementation Participant Guide), which you should also use:

State attest: "Control Owners are assigned ... to attest that a control is implemented"

 

Also check this one (read about the whole lifecycle):
https://learning.servicenow.com/nowcreate?id=nc_asset&asset_id=771f64aa479a66d019dfe23c326d43e7&nc_s...

 


State monitor: "In monitor indicators monitor the controls status and evaluate an organizations compliance".

 

 

- Mat