How are attestation and indicators different?

gourav_aggarwal
Tera Contributor

They seem to have the same purpose, that is, providing evidence for a particular control.

1 ACCEPTED SOLUTION

Shashank_Jain
Kilo Sage

@gourav_aggarwal ,

 

| Feature | Attestation | Indicator |
|---|---|---|
| Source of evidence | People (subjective response) | Data/system (objective, measurable) |
| Use case | Formal confirmation, surveys, approvals | Continuous monitoring, automated evidence |
| Trigger | Manual / scheduled campaign | Scheduled job or real-time metric |
| Example | "Manager confirms access review complete" | "Report shows 10 users without review approval" |

✅ Summary:

  • Attestation = human-driven, subjective confirmation.

  • Indicator = system/data-driven, objective measurement.

They complement each other: some controls require human attestation, while others can (and should) be monitored by indicators for continuous assurance.

Hope it helps!

 

If this works, please mark it as helpful/accepted — it keeps me motivated and helps others find solutions.
Shashank Jain – Software Engineer | Turning issues into insights

7 REPLIES 7

Matthias Ferstl
Kilo Guru

Hi @gourav_aggarwal 

 

Imagine you are sitting in a car and driving down the highway.
The thing you need to check (your control) is "don't exceed the speed limit" of 100 m/h.
An attestation now just states if there is something that "helps" you with not exceeding the speed limit -> Control is implemented in your car. (Answer "yes, there is something to help me to check that control objective")

But this doesn't say anything about your speed.
This actually is your indicator task -> check the speedometer based on the indicator speedometer.
There you check not only whether you have something to check your speed, but also whether you are compliant with the speed limit.

Hope that helps you out.

Kind regards

Please mark answers (not only mine) as helpful if they were
and "accepted solutions". This motivates others to take part, post solutions and find answers. Thanks! - Mat

I disagree here on some points.

Even the course and documentation say otherwise.

While an attestation should state if a control is implemented (which cannot be subjective),
an indicator (which can also be human-driven -> indicator task) measures its "is it in its boundaries".

Means: Every control should pass an attestation (human oversight), if there IS an implementation of something to monitor it (attestation also requires evidence OOB).
"Yes, there is a thermometer in my refrigerator".
But it doesn't say anything about the temperature, which then can be automated or conducted by a human.

 

Kind regards

Please mark answers (not only mine) as helpful if they were
and "accepted solutions". This motivates others to take part, post solutions and find answers. Thanks! - Mat