Control attestation

jaikellaila
Tera Contributor

Hello,

What happens if I check 'not applicable' in the control attestation? Will the indicators attached to the control put as not applicable run?

Best regards

7 REPLIES

Wael Tarhouni
ServiceNow Employee

Hi,

I'm not sure if I got the question right: is it whether the indicators will run for a control which has a compliance status set to "Not applicable"? If that's the case, the answer will be yes.

Attestations and Indicators come in various phases during the control lifecycle. These are, respectively, the control phases throughout its lifecycle:

- Draft
- Attest (When the control owner will be attesting the control implementation)
- Review
- Monitor (When the indicators will come into play)
- Retired

Therefore, if you attest a control to "Not applicable" during the "Attest" phase and then, during the "Monitor" phase, an indicator task is created and assigned, i.e. to the control owner, it will update the control status to the indicator result.

I hope it helps!

Community Alums
Not applicable

Hi @jaikellaila ,

Can you attach a screenshot here, where you are marking 'not applicable' in the control attestation?

But, if you are not attesting the control, then yes, indicators attached to the control put as not applicable run.

Community Alums
Not applicable

Hi Jaikellaila,

The best answer is to create a sample control test and try to attest using the "Not applicable" answer. If you answer "Yes" to the question, the control will automatically change the status to Compliant. If you answer "No", the control will automatically change the status to Non-Compliant. If you say "Not applicable", the status of the control will be "Not applicable". 

You need to understand attestation and indicators: they look similar, but they are part of different stages in the lifecycle. The indicators are continuous monitoring, and the control attestation is the declaration that they have a method to enforce the objective.

What should happen if you notice that the control owner/attestation respondent selected "Yes" but the control is not being implemented/in place? When they select "yes" it gets marked as compliant without there being an acceptance or request for revision option. If you notice that the respondent should have selected no, what is the appropriate procedure to move forward to change the status to non-compliant? Should you create an "Issue" under that specific control and then work with the respondent to resolve the issue?