Attaching Evidence
Compliance audits require more than automated check results. Auditors expect to see documented evidence that controls are operating effectively -- policies, procedures, screenshots, test results, and other artefacts that demonstrate compliance.
Guardian Pro's evidence management feature allows you to attach supporting documentation directly to compliance controls, creating a centralised, audit-ready compliance package.
Why Evidence Matters
While Guardian Pro's automated checks cover the technical aspects of compliance, many compliance frameworks include requirements that cannot be fully evaluated through infrastructure scanning alone:
- Organisational policies -- Security policies, acceptable use policies, data handling procedures
- Process documentation -- Incident response procedures, change management processes, access review records
- Training records -- Security awareness training completion, role-based training certifications
- Third-party assessments -- Penetration test reports, vendor risk assessments, external audit results
- Manual verification -- Screenshots of console configurations, approval records, meeting minutes
By attaching this evidence to the relevant controls in Guardian Pro, you create a single location where auditors can review both automated results and supporting documentation.
Attaching Evidence to a Control
To attach evidence to a compliance control:
- Navigate to the Compliance Dashboard.
- Find the control you want to add evidence to (this can be a passing, failing, or excepted control).
- Click on the control to open its detail view.
- Click Add Evidence.
- Fill in the evidence form:
| Field | Description | Required |
|---|---|---|
| Title | A descriptive name for the evidence (e.g., "Q4 2025 Access Review Report") | Yes |
| Description | Additional context about what the evidence demonstrates | No |
| Document | Upload the evidence file | Yes |
| Effective date | The date the evidence was created or became effective | No |
- Click Upload to attach the evidence.
Evidence documents are stored securely and encrypted at rest. Only users with appropriate permissions can view, upload, or delete evidence. See Security and Privacy for details on how Guardian Pro protects your data.
Types of Evidence
Automated Evidence
Guardian Pro's scan results themselves serve as automated evidence for technical controls. When your automated checks pass, the scan history and compliance scores provide timestamped proof that technical controls were operating effectively.
You do not need to manually attach evidence for controls that are fully covered by automated checks -- the scan results serve this purpose automatically. Do confirm that scan history is retained for the whole period an auditor will examine: a SOC 2 Type II report covers how controls operated throughout a review period, so a single passing scan at audit time does not demonstrate that on its own.
Manual Evidence
For controls that require documentation beyond automated checks, you can attach:
| Evidence Type | Example | Relevant Controls |
|---|---|---|
| Policies | Information security policy, data classification policy | SOC 2 CC1.x, GDPR Article 24 |
| Procedures | Incident response plan, backup recovery procedures | SOC 2 CC7.x, Well-Architected REL |
| Access reviews | Quarterly IAM access review reports | CIS 1.x, SOC 2 CC6.x |
| Training records | Security awareness training completion records | SOC 2 CC1.4, GDPR Article 39 |
| Assessment reports | Penetration test results, vulnerability scan reports | SOC 2 CC4.x, GDPR Article 32 |
| Approval records | Change approval records, risk acceptance forms | SOC 2 CC8.x, Well-Architected OPS |
| Vendor assessments | Third-party risk assessment reports | SOC 2 CC9.x, GDPR Article 28 |
| Architecture diagrams | Network diagrams, data flow diagrams | All frameworks |
| Configuration screenshots | Console screenshots showing specific settings | Any technical control |
When attaching evidence for procedural controls, include the date the evidence was created or last updated. Auditors need to verify that your processes are current, not just that they existed at some point.
Managing Evidence
Viewing Attached Evidence
To view evidence attached to a control:
- Open the control's detail view from the Compliance Dashboard.
- Scroll to the Evidence section.
- Click on any evidence item to view its details or download the document.
The evidence section shows:
- Document title and description
- Upload date
- Effective date (if specified)
- Who uploaded the document
Updating Evidence
As documents are updated (for example, an annual policy review), you can upload new versions:
- Open the control's detail view.
- In the Evidence section, you can either:
  - Add new evidence alongside existing documents (recommended for audit trail)
  - Delete outdated evidence and upload the updated version
Consider keeping previous versions of evidence rather than replacing them. This creates a historical record that demonstrates ongoing compliance over time, which is particularly valuable for SOC 2 Type II audits.
Deleting Evidence
To remove evidence from a control:
- Open the control's detail view.
- In the Evidence section, find the evidence item you want to remove.
- Click the delete option.
- Confirm the deletion.
Deleting evidence is permanent. If you may need the document in the future, consider keeping it attached rather than deleting it.
Evidence in Compliance Reports
When you export a compliance report, the report includes a summary of evidence attached to each control:
- PDF reports list attached evidence by title and description for each control
- JSON reports include evidence metadata that can be processed programmatically
- CSV reports include a column indicating whether evidence is attached to each control
This ensures that exported reports provide a complete picture of your compliance posture, including both automated results and supporting documentation.
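The JSON export is the natural input for a pre-audit gap check. The following Python script is an added example, not Guardian Pro's own code, and the page does not document the export's field names: the layout it reads (`controls`, `automated`, `evidence`, `uploaded_at`, `effective_date`) is an assumption, as are the constructed sample export and the 365-day staleness threshold. It lists controls that are not covered by automated checks and have no evidence attached, and flags evidence older than the threshold, using the effective date when one was supplied and falling back to the upload date otherwise.

```python
"""Review a Guardian Pro JSON compliance export for evidence gaps and stale evidence.

Added example, not Guardian Pro's own code. The JSON key names below are an
ASSUMPTION (the page says only that JSON exports carry evidence metadata);
adjust them to match a real export.
"""
import json
from datetime import date, timedelta

MAX_AGE_DAYS = 365  # assumed threshold: many policies require at least annual review

# Constructed sample export in the assumed layout; not real Guardian Pro output.
SAMPLE_EXPORT = json.dumps({
    "generated_at": "2025-11-30",
    "controls": [
        {"id": "CIS-1.4", "title": "Ensure no root user access key exists",
         "status": "pass", "automated": True, "evidence": []},
        {"id": "SOC2-CC1.4", "title": "Commitment to competence",
         "status": "manual", "automated": False,
         "evidence": [{"title": "Security Awareness Training Records - Q3 2025",
                       "uploaded_at": "2025-10-02", "effective_date": "2025-09-30",
                       "uploaded_by": "compliance@example.com"}]},
        {"id": "SOC2-CC3.1", "title": "Risk assessment",
         "status": "manual", "automated": False,
         # No effective date given, so the upload date is used as the basis.
         "evidence": [{"title": "Annual Risk Assessment 2024",
                       "uploaded_at": "2024-03-10",
                       "uploaded_by": "security@example.com"}]},
        {"id": "SOC2-CC8.1", "title": "Change management",
         "status": "manual", "automated": False, "evidence": []},
        {"id": "SOC2-CC9.2", "title": "Vendor risk management",
         "status": "manual", "automated": False,
         "evidence": [{"title": "Vendor Risk Assessment v1.0 - June 2024",
                       "uploaded_at": "2024-06-15", "effective_date": "2024-06-01",
                       "uploaded_by": "security@example.com"}]},
    ],
})


def evidence_gaps(report):
    """IDs of controls not covered by automated checks that have no evidence attached."""
    return [c["id"] for c in report["controls"]
            if not c.get("automated") and not c.get("evidence")]


def stale_evidence(report, as_of, max_age_days=MAX_AGE_DAYS):
    """Evidence older than max_age_days as of the given date.

    The effective date is used when present; otherwise the upload date.
    Returns (control_id, evidence_title, age_in_days) tuples in export order.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    stale = []
    for control in report["controls"]:
        for item in control.get("evidence", []):
            basis = item.get("effective_date") or item["uploaded_at"]
            effective = date.fromisoformat(basis)
            if effective < cutoff:
                stale.append((control["id"], item["title"], (as_of - effective).days))
    return stale


def review(export_json, as_of=None, max_age_days=MAX_AGE_DAYS):
    """Parse an export and return both findings; as_of defaults to the report date."""
    report = json.loads(export_json)
    as_of = as_of or date.fromisoformat(report["generated_at"])
    return {"gaps": evidence_gaps(report),
            "stale": stale_evidence(report, as_of, max_age_days)}


if __name__ == "__main__":
    result = review(SAMPLE_EXPORT)
    for control_id in result["gaps"]:
        print(f"GAP   {control_id}: manual control with no evidence attached")
    for control_id, title, age in result["stale"]:
        print(f"STALE {control_id}: '{title}' is {age} days old")
```

Run it before each audit cycle against a fresh export; the gap list is the "Cover the Gaps" work queue, and the stale list is the review reminder the page recommends, computed from the evidence metadata rather than from memory.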
Evidence Strategy for Common Frameworks
CIS AWS Foundations Benchmark
The CIS benchmark is primarily technical, so most controls are covered by automated checks. Evidence is most useful for:
- Access key rotation policies and procedures
- Password policy documentation
- Incident response procedures related to monitoring alerts
SOC 2
SOC 2 audits expect extensive documentation. Prioritise evidence for:
- Security policies and procedures (Common Criteria CC1.x)
- Risk assessment documentation (CC3.x)
- Change management procedures (CC8.x)
- Vendor management policies (CC9.x)
- Business continuity and disaster recovery plans (A1.x)
GDPR
GDPR requires demonstrable accountability. Key evidence includes:
- Data Protection Impact Assessments (DPIAs, Article 35)
- Records of processing activities (Article 30)
- Data Processing Agreements with third parties (Article 28)
- Privacy policies and consent mechanisms
- Data Subject Access Request (DSAR) procedures
AWS Well-Architected
Well-Architected reviews benefit from:
- Architecture decision records (ADRs)
- Operational runbooks and playbooks
- Game day and disaster recovery test results
- Cost optimisation review records
Best Practices
Organise Evidence Consistently
Use clear, consistent naming conventions for evidence documents. Include the date and version in the title (e.g., "Information Security Policy v3.0 - March 2025").
Keep Evidence Current
Set a reminder to review and update evidence periodically. Stale evidence can raise concerns during audits. Many policies require annual review at minimum.
Cover the Gaps
Focus your evidence effort on controls that are not fully covered by automated checks. Guardian Pro's automated results handle the technical controls -- invest your documentation effort in procedural and organisational controls.
Prepare Before the Audit
Do not wait until an audit is scheduled to start collecting evidence. Build the habit of attaching evidence as documents are created or updated. This reduces audit preparation stress and ensures nothing is missed.
Permissions
Uploading and managing evidence requires appropriate permissions. Typically, users with compliance, security, or administrative roles have access to evidence management. See Users and Permissions for details.