Policies people actually read — with an attestation trail auditors accept

A policy no one has attested to isn't a policy — it's a document. ISO-STANDARD.app publishes your policies, requests attestation from every relevant role, chases the overdue, and gives you a defensible audit trail: who signed which version, when.

Why 'we sent it round' isn't enough

Auditors, buyers and regulators all ask the same question about your policies: how do you know your people have read them? A distribution list and a Slack post don't answer that. A signed attestation, timestamped against a specific policy version, does.

Attestation isn't just an ISO 27001 clause — it's the mechanism that makes policy a management tool, not a shelf artifact.

What's in the box

Publish with versioning

Draft, review, approve, publish — with prior versions preserved for audit.

Target by role, group or team

Attestation lists are dynamic — new joiners in scope get the request automatically.

Automated reminders

Overdue attestations chase themselves. Escalation to the line manager after a defined interval.

Attestation ledger

Every signature timestamped against the exact policy version — the artifact your certifier signs off on.

Re-attestation on change

Publish a new version and reset attestations for affected groups automatically.

Reporting for auditors and buyers

One click: current attestation rate per policy, per team, per role — with drill-down.

Why attestations matter beyond audit

v-locked
Signatures tied to a specific policy version
Auto
Chase-ups and manager escalation
By role
Dynamic scope — new joiners captured automatically
1 click
Attestation rate report for your auditor

How buyers verify you — in minutes, not weeks

An attestation trail is one of the fastest ways to prove your ISMS/QMS/SMS is more than paperwork.

  1. Step 1

    Publish a new policy version

    Reviewer sign-off in-app; on publish, the attestation clock starts for every user in scope.

  2. Step 2

    Chase-ups run automatically

    Reminder cadence configured per policy; manager escalation kicks in when needed. No one owns the chase manually.

  3. Step 3

    Auditor pulls the report

    Attestation rate per policy, per team, per role, per version. Sign-off ledger exportable as CSV.

  4. Step 4

    Buyer asks 'how do you enforce policy?'

    Answer with a screenshot of the attestation dashboard, backed by a defensible ledger.

The artifacts buyers actually ask for

Every artifact below is generated inside the workspace, versioned, timestamped and shareable via a signed link — no last-minute PDF assembly, no "wait, which version did I send them?"

Attestation ledger per policy version (CSV)
Coverage report by team / role / geography
Overdue and escalation history
Policy version history with approver
New-joiner attestation compliance dashboard
Re-attestation trigger log on policy change
Manager attestation drill-down
Auditor-ready attestation summary pack

Who it's for

ISMS lead preparing for ISO 27001

Pain: Auditor asks for evidence that everyone has read the Information Security Policy. All you have is an email thread.

With ISO-STANDARD.app: A defensible ledger per policy version, per user, per date — attestation coverage becomes a KPI.

HR / People lead onboarding at pace

Pain: New joiners land, and there's no consistent policy-attestation moment on day one.

With ISO-STANDARD.app: Onboarding-scoped attestation packs assigned automatically on user creation.

Compliance lead in a regulated business

Pain: Board wants proof that policy is more than a document library.

With ISO-STANDARD.app: Coverage dashboards by team and role, escalation on lapse, and reporting the board can act on.

Deal-close moment
"The audit finding on 'policy communication' that hit us last year didn't come up this year. Coverage went from 40% to 98% inside a quarter."
ISMS Lead, Health-tech scale-up

Answers buyers, procurement and auditors want

How is attestation captured legally?+

By authenticated in-app confirmation against a specific policy version, timestamped and linked to the user account — the standard 'read and understood' equivalent auditors accept.

Does it work outside the workspace?+

Users attest inside the workspace after signing in. This is what auditors accept as identity-bound attestation.

Can I re-attest only affected users?+

Yes — publish a change; select who should re-attest (by role, geography, team) and the platform handles the rest.

What about contractors and partners?+

Contractors can be invited as workspace users for the duration of an engagement; their attestations are captured the same way.

Does it help me sell?+

Yes — buyers routinely ask 'how do you enforce your policies?'. A dashboard answer wins the point on the first call.

Related

Pair with the evidence vault and audit log. See how it supports ISO 27001.

Turn policy into a management tool

Publish, target, chase, evidence — make attestation the operational muscle that keeps your management system real.

Prefer a conversation? Email hello@iso-standard.app — a practitioner responds within one business day.

MM
Michael McCarroll
Founder · 25+ years
IT governance · Information security · AI
Why this platform exists

Enterprise-grade governance — built for the SMEs and consultants enterprise GRC forgets.

I've spent 25 years in corporate governance — aligning technology, controls and compliance with what the business is actually trying to do. Time and again, the same pattern: the organisations that win new clients aren't the ones with the biggest GRC budget. They're the ones who can demonstrate trust on demand. This platform is the tool I wanted for the SMEs and consultants I've worked with — institutional-grade governance without an institutional price tag, built on the way audits and buyer reviews actually happen.