Evidence
Evidence proves your controls are implemented and operating. This guide explains evidence expectations and how to manage evidence in ForgeComply.
What Is Evidence?
Evidence is documentation that demonstrates your security controls are real, not just written policies.
Evidence answers the auditor's question: "Prove it."
Examples:
- Screenshot of MFA configuration in your identity provider
- Export of access review showing who reviewed what
- Training completion report from your LMS
- Incident ticket showing your response process
- Configuration export from your security tools
Why Evidence Matters
Auditor Verification
Auditors don't take your word for it. They sample evidence to verify claims.
Gap Identification
Missing evidence often reveals implementation gaps.
Audit Trail
Evidence creates a record of your compliance at a point in time.
Framework Requirements
Both SOC 2 and ISO 27001 require evidence of operating controls.
Evidence vs. Policies
| Policies | Evidence |
|---|---|
| What you commit to doing | Proof you're doing it |
| Written documents | Screenshots, exports, records |
| Intent | Reality |
| Relatively stable | Changes over time |
You need both. Policies without evidence look theoretical. Evidence without policies looks ad-hoc.
Types of Evidence
Design Evidence
Shows how controls are configured.
Examples:
- System configuration screenshots
- Architecture diagrams
- Access control lists
- Security tool settings
Primary for: Type I, Stage 1
Operating Evidence
Shows controls functioning over time.
Examples:
- Access review records (quarterly)
- Security training completions
- Incident response tickets
- Change management records
- Audit logs
Primary for: Type II, Stage 2
Evidence by Audit Type
SOC 2 Type I
Focus: Control design at a point in time
Evidence emphasis:
- Configuration screenshots
- Policy documents
- Current state exports
SOC 2 Type II
Focus: Control effectiveness over 6-12 months
Evidence emphasis:
- Periodic review records
- Consistent log samples
- Multiple instances over time
- Trend data
ISO 27001 Stage 1
Focus: Documentation readiness
Evidence emphasis:
- ISMS documentation
- Risk assessment records
- Policy framework
- Management commitment
ISO 27001 Stage 2
Focus: Implementation verification
Evidence emphasis:
- Operating records
- Internal audit results
- Management review minutes
- Corrective actions
The Evidence Page
Navigate to Evidence in the sidebar to manage all evidence.
Evidence List
Each item shows:
- File name
- Linked control(s)
- Upload date
- Review status
- Uploader
Filtering
Filter by:
- Review status (Pending, Approved, Rejected)
- Control
- Date range
Uploading Evidence
From the Evidence Page
- Click Upload Evidence
- Select or drag files
- Link to relevant control(s)
- Add description (optional)
- Submit
From a Control
- Open the control detail
- Find the Evidence section
- Upload directly to that control
Supported Formats
- Images (PNG, JPG, GIF)
- Documents (PDF, DOCX)
- Spreadsheets (XLSX, CSV)
- Text files
File Size
Maximum file size: 25MB per file
Evidence Review
Evidence goes through a review process before being considered complete.
Review Statuses
| Status | Meaning |
|---|---|
| Pending Review | Uploaded, awaiting review |
| Approved | Reviewed and accepted |
| Rejected | Reviewed and found insufficient |
Who Reviews?
Typically:
- Security lead
- Compliance manager
- Control owner
- Designated reviewer
Review Criteria
Good evidence is:
- Relevant — Actually demonstrates the control
- Recent — From the audit period
- Clear — Readable and understandable
- Complete — Shows what's needed
- Authentic — Real, not fabricated
Evidence Freshness
Evidence should be recent and relevant to your audit period.
Type I / Stage 1
Evidence should reflect current state (within weeks/months).
Type II / Stage 2
Evidence should span the audit period (6-12 months).
Example: If your audit period is January-June, evidence from December of the prior year may be stale.
Refresh Evidence
Update evidence when:
- Audit period changes
- Systems change
- Auditor requests
- Evidence expires
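The freshness rules above, written out as an added example (not ForgeComply's own code or API): point-in-time audits (Type I / Stage 1) judge evidence against the assessment date, period audits (Type II / Stage 2) require evidence captured inside the period, and a per-control gap check shows where an auditor's sample over the period would find nothing. The 90-day "current state" threshold, the control names and the sample items are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Added illustration, not ForgeComply code: the guide's freshness rules as code.
POINT_IN_TIME = {"type1", "stage1"}   # Type I / Stage 1: current state
OVER_PERIOD = {"type2", "stage2"}     # Type II / Stage 2: span the period
MAX_AGE = timedelta(days=90)          # assumed reading of "within weeks/months"

@dataclass(frozen=True)
class Evidence:
    name: str
    control: str
    captured: date

@dataclass(frozen=True)
class AuditWindow:
    kind: str    # one of the keys above
    start: date  # period start; for point-in-time audits use the assessment date
    end: date    # period end, or the assessment date

def freshness(ev: Evidence, w: AuditWindow) -> str:
    """Classify one item as 'fresh', 'stale' or 'future' for the audit window."""
    if ev.captured > w.end:
        return "future"   # dated after the window: cannot support it
    if w.kind in POINT_IN_TIME:
        return "fresh" if w.end - ev.captured <= MAX_AGE else "stale"
    if w.kind in OVER_PERIOD:
        return "fresh" if ev.captured >= w.start else "stale"
    raise ValueError(f"unknown audit kind: {w.kind}")

def period_gaps(items, w: AuditWindow, slice_days: int = 91) -> dict:
    """Per control, start dates of roughly quarterly slices with no fresh evidence."""
    slices, cur = [], w.start
    while cur <= w.end:
        nxt = min(cur + timedelta(days=slice_days), w.end + timedelta(days=1))
        slices.append((cur, nxt))
        cur = nxt
    gaps = {}
    for control in sorted({ev.control for ev in items}):
        fresh = [ev.captured for ev in items
                 if ev.control == control and freshness(ev, w) == "fresh"]
        gaps[control] = [s.isoformat() for s, e in slices
                         if not any(s <= d < e for d in fresh)]
    return gaps

# Constructed sample: the guide's January-June period, run as a Type II audit.
WINDOW = AuditWindow("type2", date(2025, 1, 1), date(2025, 6, 30))
SAMPLE = [Evidence("AccessReview-Q4-2024.xlsx", "access-review", date(2024, 12, 15)),
          Evidence("AccessReview-Q1-2025.xlsx", "access-review", date(2025, 3, 28)),
          Evidence("MFA-Config-Okta-2025-05.png", "mfa", date(2025, 5, 12))]
print(period_gaps(SAMPLE, WINDOW))  # {'access-review': ['2025-04-02'], 'mfa': ['2025-01-01']}
```

The December item is reported stale exactly as the guide's example describes, and the gap list tells you which quarter of the period still needs a refreshed record for each control.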
What Auditors See
When auditors access your reports:
They Can See
- Evidence linked to controls in reports
- File names and descriptions
- Upload dates
- Review status
They Cannot See
- Evidence not linked to reports
- Internal notes
- Draft or rejected evidence
- Upload history
Evidence access is controlled. Auditors see what you include in reports.
Evidence Best Practices
Be Systematic
Don't wait until audit time. Collect evidence as you go.
Be Clear
Name files descriptively: MFA-Config-Okta-2025-01.png, not screenshot.png
Be Complete
Show the full picture. Cropped screenshots raise questions.
Be Current
Old evidence suggests controls may have changed.
Be Organized
Link evidence to the right controls. Unlinked evidence is hard to find.
Preserve Context
Add descriptions explaining what the evidence shows.
Common Evidence Mistakes
Aspirational Evidence
Showing how things should work, not how they do work.
Outdated Evidence
Evidence from before significant system changes.
Incomplete Evidence
Screenshots that don't show the relevant settings.
Over-Redaction
Redacting so much that the evidence loses meaning.
Missing Evidence
Claiming a control is implemented without proof.
Wrong Control
Evidence linked to the wrong control creates confusion.
Evidence and Reports
When you generate reports, the Evidence Index includes:
- All approved evidence
- Linked controls
- Upload metadata
This creates an auditor-ready index for evidence sampling.
Frequently Asked Questions
How much evidence do I need?
Quality over quantity. One clear screenshot beats ten confusing ones.
Can I delete evidence?
Yes, but be cautious. Deleted evidence is no longer available for reports.
What if an auditor wants more?
They may request additional evidence. Be prepared to provide it.
Can I update evidence after uploading?
Upload new versions rather than editing. This preserves history.
Does ForgeComply validate evidence?
ForgeComply manages evidence. Validation is your responsibility.
Is evidence stored securely?
Yes. Evidence is stored encrypted and accessed via secure, time-limited URLs.
Next Steps
- Controls Documentation — Connecting evidence to controls
- Reports & Auditor Access — How evidence appears in reports
- Security & Privacy — How evidence is protected