Evidence
Reusable proof of control coverage — owned, reviewed on a cadence, and collected manually or by an automation.
Overview
Evidence is reusable, first-class proof that your controls are actually in place. A single piece of evidence — an access-review export, a penetration-test report, a signed policy acknowledgement — can demonstrate coverage for many controls at once, so you record it once and reference it everywhere it applies.
Each evidence item is owned by a responsible person, signed off by an approver, and reviewed on a recurring cadence so it never silently goes stale. Evidence is identified by a short, human-friendly code such as EV-001.
Core Functionality
We provide a central register for every proof your compliance program relies on. Each entry carries a title, an optional description, a status, an optional category, and the people accountable for it. From the detail view you can link the evidence to controls and policy sections, attach files, and configure how it is collected.
Evidence moves through a simple status flow as work progresses:
| Status | Meaning |
|---|---|
To do | Identified but not yet collected. |
In progress | Being gathered or prepared. |
Done | Collected and current. |
Failed | Collection or a check did not pass. |
Archived | Retired; kept for history but no longer active. |
Owner and approver
Every evidence item has an owner — the business role responsible for keeping it current — and an approver who signs it off. Approval stamps the evidence with who approved it and when, giving you a clear sign-off trail.
Review cadence
Evidence is reviewed on a recurring frequency so it stays trustworthy. Choose Monthly, Quarterly, Semi-annual, Annual, or Continuous. The platform tracks the last reviewed date and computes the next review date; items past their next-review date are flagged as overdue. Marking an item reviewed advances the cadence.
Mapping to controls and policies
- Controls — link evidence to a control to record it as coverage evidence. Linking evidence does not automatically change a control's coverage status; it documents the proof behind the assessment you make.
- Policies — associate evidence with a policy section to show which written policy the proof supports. This is a plain association, not a coverage claim.
Attachments
Attach the underlying files — reports, exports, screenshots — directly to an evidence item. Files are stored securely and can be downloaded by your team whenever the proof is needed.
Automation
Evidence can be collected manually or associated with an automation. When tied to an integration action, the proof is gathered automatically on its schedule instead of by hand, reducing the manual effort of keeping recurring evidence fresh.
Categories
Group evidence into categories — an editable, per-organization taxonomy — to keep large registers organized and filterable.
Best Practices
- Assign a clear owner and approver to every evidence item so accountability is never ambiguous.
- Set a review frequency that matches how quickly the underlying proof goes stale.
- Reuse one evidence item across every control and policy it genuinely demonstrates instead of duplicating proof.
- Prefer automation for recurring evidence to cut manual collection effort.
- Keep attachments current and archive evidence you no longer rely on rather than deleting its history.
How is this guide?