Policies and Attestations
Creating a Policy
- Navigate to Compliance > Policies.
- Click Add.
- Enter the policy name and description.
- Write the policy content using the rich text editor.
- Set the effective date and review date.
- Set the attestation threshold (the percentage of assigned users who must attest for the policy to be considered compliant).
- Click Save. The policy is created in draft status as version 1.
Version Control
Policies support full version control. Draft policies can be edited freely. Once published, a policy is locked. To make further changes, create a new draft version from the detail page. Publishing the new draft supersedes the previous version, and the full history is preserved.
Assigning Policies to User Groups
- Create user groups in Compliance > User Groups (for example, “Engineering” or “Finance”). An “All Staff” group is automatically created by the scaffolding templates with the relevant policies already assigned.
- On the policy detail page, click Assign.
- Pick one or more user groups and optionally set a due date.
- Save.
Members of the assigned groups will be asked to attest to the policy once it is published.
Publishing and the Attestation Cycle
Publishing a policy does more than flip its status. When a draft policy is published, ISO Mate creates an attestation record for every user in every assigned user group, bound to the newly published version. Users see the policy in their attestation queue immediately.
If the policy is already published and you publish a new draft version, attestation records are regenerated against the new version so every assigned user must acknowledge the updated content. Attestations for the previous version are retained for the audit trail.
Attestation Workflow
- Users navigate to Compliance > My Compliance to see policies requiring their attestation.
- Click Attest on a policy.
- Review the policy content and confirm attestation.
- The attestation is recorded against the current published version with the user, date, and timestamp.
Administrators can monitor attestation status across all users and groups from the policy detail page. The progress view shows signed, outstanding, and overdue counts, plus whether the policy has reached its configured attestation threshold.
Attestation Thresholds
Each policy carries an attestation threshold (default 90%). A policy is considered compliant when the percentage of assigned users who have signed the current version meets or exceeds the threshold. Compliance status updates automatically as attestations are recorded.
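The publishing cycle and threshold rule described above can be modelled in a few lines, which is useful when independently recomputing attestation coverage for audit evidence. This is an added example, not ISO Mate's code: the `Policy` class, its method names, and the sample users are hypothetical, and it assumes that a user in several assigned groups gets one record and that unsigned records count as overdue once the due date has passed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
@dataclass
class Policy:
    threshold: float = 90.0              # percent; 90 is the default the page states
    draft: int = 1                       # a new policy starts as draft version 1
    published: Optional[int] = None      # currently published version, if any
    due: Optional[date] = None           # optional due date set at assignment
    groups: dict = field(default_factory=dict)   # group name -> set of users
    records: dict = field(default_factory=dict)  # (version, user) -> signed date or None

    def publish(self):
        self.published = self.draft
        # One open record per user for this version (assumption: users in several groups count once).
        for user in set().union(*self.groups.values()):
            self.records[(self.published, user)] = None

    def new_draft(self):  # published versions are locked; edits go into the next version
        self.draft = self.published + 1

    def attest(self, user, when):
        key = (self.published, user)
        if key not in self.records:
            raise KeyError(f"{user} has no record for version {self.published}")
        self.records[key] = when

    def progress(self, today):
        # Only records for the published version count; older ones remain as history.
        current = [d for (v, _), d in self.records.items() if v == self.published]
        signed = sum(d is not None for d in current)
        unsigned = len(current) - signed
        # Assumption: unsigned records become overdue once the due date has passed.
        overdue = unsigned if self.due and today > self.due else 0
        # "Meets or exceeds", compared without division to avoid boundary rounding.
        ok = bool(current) and signed * 100 >= self.threshold * len(current)
        return dict(signed=signed, outstanding=unsigned - overdue, overdue=overdue, compliant=ok)

def demo():
    # Constructed sample data: four distinct users, carol is in both groups.
    groups = {"Engineering": {"alice", "bob", "carol"}, "Finance": {"carol", "dave"}}
    p = Policy(threshold=75, due=date(2025, 3, 1), groups=groups)
    p.publish()
    for user in ("alice", "bob", "carol"):
        p.attest(user, date(2025, 2, 10))
    v1 = p.progress(date(2025, 2, 20))   # 3 of 4 signed: exactly at the 75% threshold
    p.new_draft(); p.publish()           # version 2 regenerates every user's record
    v2 = p.progress(date(2025, 3, 5))    # nothing signed for v2, due date has passed
    return v1, v2, len(p.records)
```

In the model, publishing version 2 drops the policy out of compliance until users re-attest, while the three version 1 signatures stay in `records` as history.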
Account Scoping
Attestation records are scoped to the account that owns the policy. Users who belong to multiple accounts only see attestations for policies in their active account, and administrators only see attestation records for policies they manage.