Approval Center

The Approval Center is where authorised reviewers check completed assessments and either approve or reject them. It enforces a core compliance principle — separation of duties — so the person who writes an assessment isn’t the one who signs it off.

There are two ways in:

  • Across all your workspaces — every assessment awaiting review in any workspace where you’re an approver.
  • Within one audit — only the assessments in that audit.

What reaches the queue

A requirement reaches the queue automatically — there’s no manual submission step. As soon as it has both a self-assessment score and supporting evidence, it appears in the Approval Center for everyone with approval rights, showing the requirement reference and name, the recorded result, how much evidence is attached and when it became ready (plus the workspace, on the all-workspaces view).

Reviewing

Open an assessment to see the recorded result and score, the analyst’s observations, and all attached evidence. Then decide:

  • Approve — optionally add a comment. The item is marked approved and leaves the queue.
  • Reject — add a comment explaining what to fix. The item is marked rejected and the people responsible for the requirement are notified (see below).

Both decisions support comments, which stay with the assessment so approvers and analysts can communicate without leaving the platform.

What happens after a decision

Rejected requirements

When a requirement is rejected:

  • Everyone assigned to it receives an in-platform notification — shown on the notification bell in the top bar — telling them it was rejected and why (the reviewer’s comment).
  • The requirement stays in the rejected state until its owner updates it. It does not quietly slip back into the queue on its own.
  • As soon as the owner makes a change (a new score, an updated result, or revised evidence), it leaves the rejected state and is automatically queued for approval again.

Approved requirements that change later

Approval reflects a specific version of an assessment. If an approved requirement is later modified — its result, score, observation or evidence — the approval no longer applies, so the requirement is automatically sent back for re-approval and reappears in the Approval Center. This guarantees that what’s approved always matches what’s actually recorded.

The flow

Draft
↓ (score + evidence added)
Awaiting approval
↓ (Approve)                        ↓ (Reject)
Approved                           Rejected → owner notified
↓ (modified later)                 ↓ (owner updates it)
Awaiting approval (re-approval)    Awaiting approval

Notifications

Notifications are entirely in-platform — there are no emails. The bell in the top navigation shows a count of unread notifications; opening it lists them, and selecting one takes you straight to the requirement that needs attention. Notifications can be marked read individually or all at once.

Locked audits

Locking an audit only prevents editing of assessment fields — the Approval Center stays fully available, so reviews can continue.

Who can do what

Action | Admin | Domain Manager | Analyst | Approver | Auditee | Reader
View the queue
Approve / reject
Receive rejection notifications

Separation of duties

The workflow keeps responsibilities apart by design: analysts write assessments but can’t approve them, while approvers sign off but don’t write assessments. For ISO 27001 or NIS2 certification, make sure each workspace has a dedicated approver who isn’t also writing the assessments.
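
The flow and the separation-of-duties rule above can be modelled as a small state machine. This is an added example, not the platform's own code: the Requirement class, its field names, the digest-based version check, the per-requirement author check and the fall-back to draft when score or evidence is removed are all assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

DRAFT, AWAITING, APPROVED, REJECTED = "draft", "awaiting", "approved", "rejected"
FIELDS = ("score", "result", "observation", "evidence")

@dataclass
class Requirement:
    author: str                          # analyst who wrote the assessment
    score: Optional[int] = None
    result: str = ""
    observation: str = ""
    evidence: list = field(default_factory=list)
    state: str = DRAFT
    approved_digest: Optional[str] = None
    comments: list = field(default_factory=list)

    def digest(self) -> str:
        """Hash of exactly the fields whose change voids an approval."""
        body = json.dumps([getattr(self, f) for f in FIELDS])
        return hashlib.sha256(body.encode()).hexdigest()

    def update(self, **changes) -> str:
        unknown = set(changes) - set(FIELDS)
        if unknown:
            raise ValueError(f"not assessment fields: {sorted(unknown)}")
        before = self.digest()
        for name, value in changes.items():
            setattr(self, name, value)
        if self.digest() != before:      # a no-op save leaves the state alone
            self.approved_digest = None  # any earlier approval no longer applies
            ready = self.score is not None and bool(self.evidence)
            self.state = AWAITING if ready else DRAFT  # DRAFT fallback is assumed
        return self.state

    def decide(self, reviewer: str, approve: bool, comment: str = "") -> str:
        if self.state != AWAITING:
            raise RuntimeError("requirement is not in the approval queue")
        if reviewer == self.author:      # separation of duties (assumed check)
            raise PermissionError("author cannot decide on own assessment")
        if comment:
            self.comments.append((reviewer, comment))
        self.approved_digest = self.digest() if approve else None
        self.state = APPROVED if approve else REJECTED
        return self.state

    def approval_valid(self) -> bool:
        """True only while the recorded content is the content that was approved."""
        return self.state == APPROVED and self.approved_digest == self.digest()
```

Binding the approval to a digest of the recorded fields is one way to get the guarantee that what is approved always matches what is recorded, because a change made outside update() also invalidates approval_valid().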