Configure Standard Requirements
Requirements are the individual obligations within a compliance programme. When a site adopts a standard, each requirement must be configured with evidence, assigned roles, and review schedules so the system can track whether the site is meeting its obligations. Requirements that are not configured correctly will show gaps and prevent the standard from going live.
What requirements are
A standard is made up of a tree of requirements. Some requirements are actionable items that the site must fulfil—they need evidence, owners, and periodic reviews. Others are section headers that group related requirements together for easier reading. Only the actionable requirements affect compliance scoring and setup progress.
When a site adopts a standard, the requirement tree appears on the standard detail page. During the adopting phase, you configure each requirement so it shows as ready. Once the standard is active, the tree shows compliance health for each requirement.
Configuring evidence for a requirement
Evidence tells the system how the site will prove it is meeting the requirement. Each requirement can specify what evidence is expected:
Documents — a published policy or procedure that the site must link.
Distributions — a form or document that has been sent to staff for acknowledgment.
Risk assessments — a current risk assessment that covers the relevant area.
Work schedules — preventive or inspection work from operations that demonstrates ongoing compliance.
Files — uploaded evidence such as certificates or test results.
Manual confirmations — a written confirmation recorded specifically for this requirement.
You can also add supplementary evidence that is not required for compliance but is useful for context. The requirement tree shows how many required evidence slots are linked and warns you when any are missing.
For step-by-step instructions on adding open slots, specific slots, and alternative groups, see Build evidence requirements in standards.
Assigning roles to a requirement
Roles define who is accountable for a requirement. Common roles include Owner, Supplier, or Data Protection Officer. When you define roles in the standard template, every site that adopts the standard will need to assign people to those roles. For how to define roles and attestation in the standard template, see Set up roles and attestation for a draft requirement.
The requirement tree shows whether all required roles are assigned. If a requirement has an owner role but no one is assigned, the requirement cannot be marked as ready and will show a setup gap.
Setting attestation
Attestation adds a periodic review to a requirement. When enabled, the requirement must be reviewed at a regular interval—such as every three months, six months, or one year. The review interval is set in the standard definition, and each site links its own review policy and recipients after adoption. For how to set the review interval and roles in the standard definition, see Set up roles and attestation for a draft requirement.
Admins can now also set up attestation review directly on an individual requirement by mapping it to an existing review policy or creating a new one while editing the requirement details. For step-by-step instructions, see Set up attestation review for a standard requirement.
Attestation helps ensure compliance does not go stale. A requirement with overdue attestation will show as a compliance gap even if the underlying evidence is still present.
Using classifications
Classifications are labels that help organise and filter requirements across standards. They include fields such as discipline, obligation, topic, and health-and-safety clause identifiers. Classifications make it easier to find related requirements in the Standards Library and to compare standards side by side.
How requirements appear on the site
After a standard is adopted, the requirement tree on the standard detail page shows the status of each requirement:
Evidence link status — whether the required evidence slots are linked and healthy.
Role assignment status — whether all required roles are filled.
Attestation health — whether the periodic review is up to date, due soon, or overdue.
Requirements that are out of scope for the site are visually de-emphasised and do not affect the compliance score. For how to change a requirement’s scope, see Mark a requirement as in scope or out of scope.
When a requirement is ready
During the adopting phase, a requirement is considered ready when all required evidence slots are linked and all required roles are assigned. Attestation is expected to be configured but is not yet actively tracked until the standard goes live. The standard cannot be activated until every in-scope requirement is ready.