Controls are what you do; evidence is what proves you did it. Auditors test evidence, so knowing exactly what they’ll ask for — and collecting it as you go — is the difference between a smooth examination and a painful one. Here’s a practical, area-by-area checklist.
Access and identity
- A current access review record showing who has access to key systems and a keep/revoke/modify decision for each person.
- Evidence that MFA is enforced (config screenshots or identity-provider policy exports).
- Onboarding/offboarding records showing access granted on hire and removed on exit.
- A sample of access requests/approvals.
Change management
- A sample of pull requests / change tickets showing review and approval before merge.
- Evidence of testing and a controlled deployment process.
System operations
- Logging and monitoring configuration and a sample alert.
- Vulnerability scan results and evidence of remediation within your stated timeframe.
- A backup configuration and evidence of a restore test.
Risk and vendors
- A risk assessment and a living risk register with owners and treatments.
- A vendor inventory with criticality tiers and review records for critical vendors.
Governance
- Your approved policies, dated, with evidence of communication to staff.
- Security awareness training completion records.
- Incident response plan and evidence of any tests or tabletop exercises.
- Management review notes if you run them.
The two rules that make evidence painless
- Capture as you go. The best time to record an access review is when you do it, not the week before fieldwork. Reconstructed evidence is weak evidence.
- Map every artifact to a control. A screenshot in a folder is useless if no one knows which criterion it supports. Tie each piece of evidence to the control (and therefore the framework clauses) it satisfies.
Freshness matters
Auditors care that evidence is current. An access review from 14 months ago doesn’t cover this year’s window. Build a cadence — quarterly access reviews, periodic vendor reviews, regular scans — so evidence renews itself instead of expiring.
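As an added illustration (not Keel's code or anything from the post), the following Python check applies the two rules above and the freshness rule to an evidence inventory: every artifact must map to a known control, only the newest artifact per control counts, and it must fall inside the audit window and within the control's cadence; controls then roll up to the framework clauses they satisfy. Control ids, clause labels, cadences, file names and dates are constructed for the example.

```python
from datetime import date
from typing import NamedTuple

class Control(NamedTuple):
    control_id: str
    clauses: tuple       # framework clauses this control satisfies
    cadence_days: int    # how often fresh evidence is expected
class Evidence(NamedTuple):
    artifact: str
    control_id: str      # the control this artifact is mapped to
    collected_on: date
def evidence_status(controls, evidence, window_start, window_end):
    """Classify each control as 'ok', 'stale' or 'missing' for the audit window."""
    newest = {}  # only the newest artifact per control counts
    for e in evidence:
        newest[e.control_id] = max(newest.get(e.control_id, e.collected_on), e.collected_on)
    status = {}
    for c in controls:
        d = newest.get(c.control_id)
        if d is None:
            status[c.control_id] = "missing"
        elif d < window_start or (window_end - d).days > c.cadence_days:
            status[c.control_id] = "stale"  # predates the window or exceeds the cadence
        else:
            status[c.control_id] = "ok"
    return status

def unmapped_artifacts(controls, evidence):
    """Artifacts mapped to no known control: the screenshot-in-a-folder case."""
    known = {c.control_id for c in controls}
    return [e.artifact for e in evidence if e.control_id not in known]

def clause_coverage(controls, status):
    """A framework clause is covered when any control that satisfies it is 'ok'."""
    covered = {}
    for c in controls:
        for clause in c.clauses:
            covered[clause] = covered.get(clause, False) or status[c.control_id] == "ok"
    return covered
# Constructed sample inventory: control ids, clause labels and file names are illustrative.
CONTROLS = [Control("AC-REVIEW", ("FW-A:6.1", "FW-B:5.18"), 90),
            Control("MFA-ENFORCED", ("FW-A:6.1",), 365),
            Control("VULN-SCAN", ("FW-A:7.1",), 30),
            Control("IR-TABLETOP", ("FW-A:7.4",), 365)]
EVIDENCE = [Evidence("access-review-2024Q1.csv", "AC-REVIEW", date(2024, 4, 1)),
            Evidence("access-review-2025Q2.csv", "AC-REVIEW", date(2025, 5, 15)),
            Evidence("mfa-policy-export.json", "MFA-ENFORCED", date(2024, 3, 10)),
            Evidence("vuln-scan-2025-04.pdf", "VULN-SCAN", date(2025, 4, 1)),
            Evidence("random-screenshot.png", "SCREENSHOT", date(2025, 6, 1))]
WINDOW = (date(2024, 7, 1), date(2025, 6, 30))  # audit period under examination
```

Running `evidence_status(CONTROLS, EVIDENCE, *WINDOW)` on this inventory reports the access review as ok, the MFA export and the vulnerability scan as stale, the tabletop as missing, and the stray screenshot as unmapped.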
How Keel helps
In Keel, evidence attaches to controls once and automatically counts toward every framework those controls satisfy. Access reviews generate their own evidence record on completion. Vendor reviews and control ownership have cadences, so stale items get surfaced instead of forgotten. When fieldwork comes, you hand the auditor a clean, mapped evidence set instead of a folder of screenshots.
Start free and start collecting the right evidence from day one. Pair this with our 12-week audit prep plan.