Evidence
Evidence refers to some compelling piece of information that serves to prove that an objective is being met.
An Objective can have 1 or more evidences added, and will start out with no evidence added. If there is no evidence, or no valid evidence, then the objective will be marked as non-compliant automatically.
If there is at least 1 valid evidence, and none of the invalid evidences (if any) are marked as mandatory, then the objective will be marked as compliant automatically.
Adding Evidence
To add an evidence, click the "Add Evidence" button above the objective.
Once you click that, the Evidence form will pop-up:
Here we show the different types of evidence that our platform supports:
- Policy/Procedure: This lets you select a policy or procedure in an existing article in the system. This is the most "active" evidence type, as it will use the performance data from the policy to determine if the evidence is valid. That means that if you link to a procedure, and it detects that checklist is not being used, then it will invalidate the evidence (and explain why) - saving the auditor considerable time.
- Attachment: If the evidence is in an external document, it can be attached as a file here. If you have multiple documents, they should be zipped up into a single file first.
- Document (URL): If the evidence is in an external website, then the URL to the evidence should be provided here.
- Asset Performance: This lets you link to a predefined asset's instrumentation value. You can set a minimum and maximum threshold. If the value falls between those thresholds then the evidence will be valid, otherwise it will be marked as invalid.
- Mitigated Risk: This lets you link to a risk mitigation. If the mitigation is valid, then the evidence will be valid, otherwise it will be invalid.
- Other: Specify the details of the evidence in the Notes section as an alternative to picking from one of the above types.
The Policy/Procedure type is particularly powerful way the system will automatically check for compliance. It can allow all aspects of your operations to come together giving you the confidence that the objective is being fully complied with.
For example, if you have a compliance objective that reads "Allow anonymous reporting of incidents" (as is required in SOC2), you can link this to the Whistleblower policy in your site, and set a performance threshold that requires all users to have attested to it every year. Better still, you can make that attestation require a quiz to have been passed, to prove they have understood the content. This will give the auditor considerable confidence that the evidence provided is sufficient to be compliant with that particular requirement.
Policy To Compliance Links
If you are a Risk / Compliance Analyst user, when viewing a policy that is used in a compliance objective evidence, you will see a link at the top to click to view all such links. It will appear as a link like this:
This will appear for both risk and compliance links, as a convenient way to reference the objectives and mitigations that rely on this article.