Attestations & Compliance Declarations
Attestations are formal declarations in which individuals confirm they have read, understood, and are complying with specific policies, controls, or requirements. Unlike simple policy acknowledgements, attestations carry more compliance weight: they represent a personal commitment to ongoing adherence rather than a one-time receipt of a document.
Attestations are essential for frameworks such as SOC 2, ISO 27001, and GDPR, where auditors expect to see documented evidence that employees and contractors have actively confirmed their compliance obligations.
1. What attestations are
An attestation in PolicySuite is a structured compliance declaration that includes a title, a description of what is being attested to, specific requirements the individual must confirm, and a due date. When an employee completes an attestation, they are making a formal statement that they meet the stated requirements as of that date.
Common use cases include:
- Acceptable use declarations — employees confirm they are following IT acceptable use policies
- Conflict of interest disclosures — staff attest they have no undeclared conflicts
- Data handling confirmations — team members confirm they are following data classification and handling procedures
- Annual security recertifications — employees re-confirm security awareness and compliance each year
2. Creating an attestation
To create an attestation, navigate to Attestations from the main sidebar and click Create Attestation. You will need to provide:
- Title — a clear name for the attestation (e.g. "Q1 2026 Data Handling Recertification")
- Description — context explaining what the individual is attesting to and why it matters
- Requirements — the specific statements or conditions the individual must confirm. Each requirement appears as a checkbox the employee must tick before submitting
- Due date — the deadline by which all assigned individuals must complete the attestation
Write requirements in clear, unambiguous language. Each requirement should represent a single, verifiable statement. Avoid combining multiple obligations into a single requirement — split them so employees know exactly what they are confirming.
3. Assigning attestations
Once your attestation is created, assign it to the people who need to complete it. You can assign attestations to:
- Individual employees — select specific people from your team directory
- Employee groups — assign to an entire group (e.g. all engineering staff, all managers) so everyone in that group receives the attestation automatically
Assigned individuals receive an email notification with a direct link to complete the attestation. They can also see their pending attestations when they log in to the employee portal.
4. Recurring attestations
Many compliance frameworks require periodic recertification — not just a one-time confirmation. PolicySuite supports recurring attestations on the following schedules:
- Quarterly — attestation is re-issued every three months
- Semi-annual — every six months
- Annual — once per year, common for security awareness and conflict of interest declarations
When a recurring attestation is due, PolicySuite automatically creates a new attestation cycle, notifies the assigned individuals, and begins tracking completions against the new due date. Previous cycles are preserved as historical records.
5. Tracking completion
The attestation dashboard gives you a real-time view of completion status across your organisation. For each attestation, you can see:
- Completion rate — percentage of assigned individuals who have submitted
- Pending — individuals who have not yet completed the attestation
- Overdue — individuals who missed the due date
- Completed — individuals who have submitted, including their completion timestamp
Overdue attestations are flagged prominently so compliance admins can follow up with non-completers before an audit. You can also configure automatic reminders to nudge employees as the due date approaches.
6. Exporting attestation records for audits
When an auditor requests evidence of employee compliance declarations, export your attestation records directly from PolicySuite. Open any attestation and click Export to download a CSV containing:
- Employee name and email
- Attestation title and description
- Each requirement and whether it was confirmed
- Completion date and timestamp
- Status (completed, pending, or overdue)
These exports provide the documented evidence auditors need to verify that your organisation maintains active, ongoing compliance — not just paper policies sitting in a folder.