Working with Requirements

Reviews and Attestation in Standards

Attestation keeps your compliance programme current by requiring periodic reviews of individual requirements. When a requirement needs regular confirmation—such as an annual policy review or a quarterly risk assessment—attestation tracks whether that review is up to date, approaching its due date, or overdue.

Why attestation matters

Standards are not one-off checklists. Many requirements need ongoing verification to stay valid. Attestation lets you set a review interval for each requirement, then tracks whether the review has been completed on schedule. This creates an audit trail and helps compliance officers spot gaps before they become violations.

How attestation is set up

Attestation is configured on a requirement when the standard is being authored or edited. For each trackable requirement, you can enable Require Periodic Attestation and set a review interval—such as three months, six months, or one year. This interval is part of the standard definition, so every site that adopts the standard inherits the same review schedule.

After a site adopts the standard, the site manager links the requirement to an actual review policy and assigns the recipients who will perform the review. The interval you set at the definition level determines how often those recipients must confirm the requirement is still met.

Understanding attestation health

Each requirement with attestation enabled shows a health indicator in the requirement tree. The indicator tells you the current review state at a glance:

Health label

What it means

What to do

Up to Date

The latest review has been completed and the next review is not yet due.

No action needed.

Due Soon

The next review is approaching its due date.

Prepare the review or remind the assigned owner.

Overdue

The review has passed its due date without being completed.

Complete the review immediately. This is a compliance gap.

Initial Review Due

The standard is active but the first review has never been completed.

Complete the initial review to bring the requirement up to date.

Not Configured

The requirement calls for attestation but no review policy has been linked at the site.

Link a review policy and assign recipients in the requirement settings.

How health is determined

The system compares the requirement’s attestation interval against the linked review policy and the last completed review date:

  1. If no review policy is linked, the state is Not Configured.

  2. If the standard is active but no review has ever been completed, the state is Initial Review Due.

  3. If the next review date has passed, the state is Overdue.

  4. If the next review date is approaching within the due-soon window, the state is Due Soon.

  5. Otherwise, the state is Up to Date.

The system also warns you if the linked review policy’s interval is less frequent than the standard requires. For example, if the standard demands a six-month review but the linked policy only runs annually, the requirement will flag a gap even if the latest review is technically up to date.

What you see during adoption

While a standard is in the Adopting state, the health indicators are softened because the programme is not yet live:

  • Not Configured appears with a warning tone rather than an error tone.

  • Due Soon and Initial Review Due appear with a success tone rather than a warning tone.

  • Up to Date is displayed as Attestation: Configured.

  • The last review date is shown as Not yet started.

  • The next review date is shown as Starts when standard is activated.

This tells you that attestation is set up correctly without creating false alarms before the standard goes live.

Hovering an indicator

When you hover over an attestation indicator in the requirement tree, a summary card appears with details such as:

  • The required review interval

  • Whether a review policy is mapped

  • The next review due date

  • The date of the last completed review

If the standard is still adopting, the card may show Not yet started or Starts when standard is activated instead of actual dates.

What is next

To set up attestation review directly on a requirement, see Set up attestation review for a standard requirement. For broader requirement configuration, see the Configure Standard Requirements. For an introduction to the Standards module, see the Standards Overview.

Was this helpful?