a week ago
They seem to have the same purpose, that is, providing evidence for a particular control.
a week ago - last edited a week ago
| | Attestation | Indicator |
|---|---|---|
| Source of evidence | People (subjective response) | Data/system (objective, measurable) |
| Use case | Formal confirmation, surveys, approvals | Continuous monitoring, automated evidence |
| Trigger | Manual / scheduled campaign | Scheduled job or real-time metric |
| Example | "Manager confirms access review complete" | "Report shows 10 users without review approval" |

✅ Summary:
Attestation = human-driven, subjective confirmation.
Indicator = system/data-driven, objective measurement.
They complement each other: some controls require human attestation, while others can (and should) be monitored by indicators for continuous assurance.
Hope it helps!
Shashank Jain – Software Engineer | Turning issues into insights
a week ago
Imagine you are sitting in a car and driving down the highway.
The thing you need to check (your control) is "don't exceed the speed limit" of 100 m/h.
An attestation now just states if there is something that "helps" you with not exceeding the speed limit -> Control is implemented in your car. (Answer: "Yes, there is something to help me to check that control objective.")
But this doesn't say anything about your speed.
This actually is your indicator task -> check the speedometer based on the indicator speedometer.
There you check not only if you have something to check your speed, but also if you are compliant with the speed limit.
Hope that helps you out.
Kind regards
and "accepted solutions" This motivates others to take part, post solutions and find answers. Thanks! - Mat
Saturday
I disagree here on some points.
Even the course and documentation say otherwise.
While an attestation should state if a control is implemented (which cannot be subjective), an indicator (which can also be human-driven -> indicator task) measures its "is it in its boundaries".
Means: Every control should pass an attestation (human oversight), if there IS an implementation of something to monitor it (attestation also requires evidence OOB).
"Yes, there is a thermometer in my refrigerator".
But it doesn't say anything about the temperature, which then can be automated or conducted by a human.
Kind regards
and "accepted solutions" This motivates others to take part, post solutions and find answers. Thanks! - Mat