Evidence Management
Collect, organize, and manage compliance evidence for audits.
Overview
Evidence Management helps you:
- Collect evidence for compliance controls
- Organize documents by framework and control
- Track evidence freshness and expiration
- Prepare for audits with complete documentation
Evidence Types
Document Evidence
Upload files as evidence:
- Policies and procedures (PDF, DOCX)
- Screenshots (PNG, JPG)
- Spreadsheets (XLSX, CSV)
- Configuration exports (JSON, YAML)
- Log files (TXT, LOG)
File limits:
- Maximum file size: 50 MB
- Maximum files per control: 25
Automated Evidence
CyberOrigen automatically collects evidence from:
- Scan Results: Vulnerability assessments
- Configuration Checks: Security settings verification
- Access Reviews: User permission audits
- System Logs: Audit trail exports
External Links
Link to external evidence sources:
- Cloud provider consoles
- Documentation sites
- Ticketing systems
- Version control
Uploading Evidence
Single Upload
- Navigate to Evidence Management
- Click Upload Evidence
- Select or drag files
- Choose associated control(s)
- Add description
- Set collection date
- Click Upload
Bulk Upload
- Click Bulk Upload
- Select multiple files
- Map files to controls
- Click Upload All
From Findings
Attach evidence directly from findings:
- Open a finding
- Click Attach Evidence
- Upload or link evidence
- The evidence is linked to the controls associated with that finding
Organizing Evidence
By Framework
View evidence organized by compliance framework:
SOC 2 Type II
├── CC1 - Control Environment
│ ├── CC1.1 - Board Oversight
│ │ ├── board_charter.pdf
│ │ └── meeting_minutes_q4.pdf
│ └── CC1.2 - Management Philosophy
│ └── code_of_conduct.pdf
├── CC6 - Logical Access
│ ├── CC6.1 - Access Controls
│ │ ├── access_policy.pdf
│ │ ├── user_access_review.xlsx
│ │ └── [scan] access_config_check.json
│ └── ...
└── ...
By Control
View all evidence for a specific control:
- Go to Control Library
- Select a control
- View Evidence tab
- See all associated documents
By Date
Filter evidence by collection period:
- Last 30 days
- Last quarter
- Last year
- Custom range
Evidence Lifecycle
Collection
Evidence is collected through:
- Manual upload: User uploads documents
- Automated scan: System generates evidence
- Integration: Pulled from connected systems
- Scheduled: Recurring evidence collection
Review
Review evidence for accuracy:
- Open evidence item
- Review content
- Mark as Reviewed or Needs Update
- Add reviewer notes
Approval
Approve evidence for audit use:
- Evidence marked as reviewed
- Approver reviews
- Mark as Approved
- Evidence is audit-ready
Expiration
Evidence can expire based on:
- Age: Document older than threshold
- Date: Specific expiration date
- Event: Triggered by system changes
Configure expiration alerts in Settings.
Evidence Status
| Status | Description |
|---|---|
| Draft | Uploaded but not reviewed |
| Under Review | Being reviewed |
| Approved | Ready for audit |
| Expired | Past expiration date |
| Needs Update | Marked for refresh |
Automated Collection
Scan-Based Evidence
CyberOrigen automatically generates evidence from scans:
| Scan Type | Evidence Generated |
|---|---|
| Vulnerability Scan | Assessment report, findings list |
| Compliance Scan | Control status, gaps identified |
| Configuration Check | Settings verification |
Scheduled Collection
Set up recurring evidence collection:
- Go to Evidence → Automation
- Click Add Schedule
- Configure:
- Evidence type
- Collection frequency
- Target controls
- Click Save
Integration Evidence
Pull evidence from connected systems:
- Jira: Ticket resolution evidence
- GitHub: Code review evidence
- Cloud Providers: Configuration exports
Audit Preparation
Evidence Packages
Create evidence packages for auditors:
- Go to Evidence → Packages
- Click Create Package
- Select framework and controls
- Choose evidence items
- Add cover sheet and index
- Click Generate
Package includes:
- Table of contents
- Control descriptions
- Evidence documents
- Collection metadata
Auditor Access
Grant auditors read-only access:
- Go to Organization → Members
- Invite auditor with Viewer role
- Optionally restrict to specific frameworks
Professional Feature
Viewer roles require the Professional or Enterprise plan.
Evidence Requests
Respond to auditor requests:
- Auditor submits request via portal
- You receive notification
- Upload or link requested evidence
- Auditor reviews and acknowledges
Search & Filter
Search
Search across all evidence:
- By filename
- By description
- By control ID
- By uploader
Filters
| Filter | Options |
|---|---|
| Framework | SOC 2, PCI-DSS, ISO 27001, etc. |
| Status | Draft, Under Review, Approved, Expired, Needs Update |
| Type | Document, Scan, Screenshot |
| Date | Collection date range |
| Uploader | Team member |
Reporting
Evidence Coverage
View evidence coverage by framework:
SOC 2 Type II Evidence Coverage
| Criteria | Controls | With Evidence | Coverage |
|---|---|---|---|
| CC1 - Environment | 12 | 10 | 83% |
| CC2 - Communication | 8 | 8 | 100% |
| CC3 - Risk | 6 | 4 | 67% |
| CC6 - Access | 15 | 15 | 100% |
| CC7 - Operations | 10 | 8 | 80% |
| Total | 51 | 45 | 88% |
Expiring Evidence
View evidence approaching expiration:
| Evidence | Control | Expires | Days Left |
|---|---|---|---|
| access_review.xlsx | CC6.1 | Jan 15 | 13 |
| pen_test_report.pdf | CC7.1 | Jan 20 | 18 |
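The three expiration rules from the Expiration section (age, date, event) and the "days left" column of the Expiring Evidence view can be reproduced in a short script, which is useful when you want the same check to run outside the product, for example in a weekly job. The example below is added here and is not CyberOrigen's own code; the field names, the `needs_update`/`expired` status strings, the 30-day alert window and the event tag `iam_policy_change` are assumptions, and the sample items are constructed so that the output matches the table above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Evidence:
    name: str
    control: str
    collected_at: date
    status: str = "approved"
    max_age_days: Optional[int] = None          # Age rule: stale N days after collection
    expires_at: Optional[date] = None           # Date rule: fixed expiration date
    invalidated_by: List[str] = field(default_factory=list)  # Event rule: system-change tags (assumed names)


def effective_expiry(item: Evidence) -> Optional[date]:
    """Earliest date at which an age or date rule expires the item; None if no rule is set."""
    candidates = []
    if item.max_age_days is not None:
        candidates.append(item.collected_at + timedelta(days=item.max_age_days))
    if item.expires_at is not None:
        candidates.append(item.expires_at)
    return min(candidates) if candidates else None


def evaluate(items: List[Evidence], today: date, alert_window_days: int = 30,
             events: Tuple[str, ...] = ()) -> Tuple[List[str], List[Tuple[str, str, str, int]]]:
    """Apply the three expiration rules.

    Returns (expired_names, expiring_soon). expiring_soon rows are
    (evidence, control, expires, days_left) sorted by days left, i.e. the
    Expiring Evidence view. Items hit by a listed event are set to needs_update
    and left out of both lists; items past their date are set to expired.
    """
    expired, soon = [], []
    for it in items:
        if any(ev in it.invalidated_by for ev in events):
            it.status = "needs_update"
            continue
        exp = effective_expiry(it)
        if exp is None:
            continue                      # no rule configured: never expires
        days_left = (exp - today).days
        if days_left < 0:
            it.status = "expired"
            expired.append(it.name)
        elif days_left <= alert_window_days:
            soon.append((it.name, it.control, exp.isoformat(), days_left))
    soon.sort(key=lambda row: row[3])
    return expired, soon


# Constructed sample data; "today" is pinned so the result is deterministic.
TODAY = date(2025, 1, 2)
SAMPLE = [
    Evidence("access_review.xlsx", "CC6.1", date(2024, 10, 17), max_age_days=90),   # expires 2025-01-15
    Evidence("pen_test_report.pdf", "CC7.1", date(2024, 1, 20), expires_at=date(2025, 1, 20)),
    Evidence("board_charter.pdf", "CC1.1", date(2023, 6, 1), max_age_days=365),      # already expired
    Evidence("code_of_conduct.pdf", "CC1.2", date(2024, 9, 1)),                       # no rule set
    Evidence("access_config_check.json", "CC6.1", date(2024, 12, 20), max_age_days=90,
             invalidated_by=["iam_policy_change"]),                                   # event-triggered
]

if __name__ == "__main__":
    expired, soon = evaluate(SAMPLE, TODAY, events=("iam_policy_change",))
    print("Expired:", expired)
    for name, control, expires, days in soon:
        print(f"{name:<28}{control:<8}{expires:<12}{days:>3} days left")
```

Note that an event-triggered invalidation takes precedence over the date rules: evidence collected yesterday is still useless if the system it describes has changed since, which is why the access configuration check is flagged for refresh even though it is well within its 90-day window.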
Activity Report
Track evidence management activity:
- Uploads per period
- Reviews completed
- Approvals granted
- Expirations handled
API Access
# List evidence
GET /api/v1/evidence?framework=soc2
# Upload evidence
POST /api/v1/evidence
Content-Type: multipart/form-data
# Get evidence details
GET /api/v1/evidence/{evidence_id}
# Update evidence
PATCH /api/v1/evidence/{evidence_id}
{
"status": "approved",
"notes": "Reviewed and approved"
}
See API Reference for full documentation.
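A minimal client for the four calls above, added here as an example rather than taken from CyberOrigen's own SDK. The page only specifies the paths and the `multipart/form-data` upload; the host name, Bearer-token authentication and the multipart field names (`file`, `control_ids`, `description`, `collected_at`, chosen to mirror the Upload Evidence form) are assumptions, as is the practice of recording the file's SHA-256 in the description so the stored copy can be verified later. Requests are built as plain data and only `send()` touches the network, so the construction can be inspected offline.

```python
import hashlib
import json
import mimetypes
import os
import secrets
from typing import Dict, Iterable, Optional
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Assumed: host, Bearer auth and field names are not given on this page; the paths are.
BASE_URL = "https://cyberorigen.example/api/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def encode_multipart(fields: Dict[str, str], file_name: str, file_bytes: bytes,
                     boundary: Optional[str] = None):
    """Hand-build a multipart/form-data body so every byte sent is inspectable."""
    boundary = boundary or "----evidence-" + secrets.token_hex(12)
    # Strip path components and quotes: neither belongs in a Content-Disposition header.
    safe_name = os.path.basename(file_name).replace('"', "")
    ctype = mimetypes.guess_type(safe_name)[0] or "application/octet-stream"
    body = bytearray()
    for name, value in fields.items():       # values are trusted, caller-supplied strings
        body += (f"--{boundary}\r\n"
                 f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                 f"{value}\r\n").encode()
    body += (f"--{boundary}\r\n"
             f'Content-Disposition: form-data; name="file"; filename="{safe_name}"\r\n'
             f"Content-Type: {ctype}\r\n\r\n").encode()
    body += file_bytes + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", bytes(body)


def _request(method: str, path: str, token: str, headers=None, body=None) -> dict:
    """Describe a request as plain data; send() turns it into an HTTP call."""
    hdrs = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    hdrs.update(headers or {})
    return {"method": method, "url": BASE_URL + path, "headers": hdrs, "body": body}


def list_evidence(token: str, framework: str) -> dict:
    return _request("GET", "/evidence?" + urlencode({"framework": framework}), token)


def upload_evidence(token: str, file_name: str, file_bytes: bytes, control_ids: Iterable[str],
                    description: str, collected_at: str) -> dict:
    # Record the digest with the upload so an auditor can later confirm the stored
    # copy is the one collected; the platform does not do this for you here (assumed).
    fields = {
        "control_ids": ",".join(control_ids),
        "description": f"{description} (sha256:{sha256_hex(file_bytes)})",
        "collected_at": collected_at,
    }
    ctype, body = encode_multipart(fields, file_name, file_bytes)
    return _request("POST", "/evidence", token, {"Content-Type": ctype}, body)


def update_evidence(token: str, evidence_id: str, status: str, notes: str) -> dict:
    body = json.dumps({"status": status, "notes": notes}).encode()
    return _request("PATCH", f"/evidence/{quote(evidence_id, safe='')}", token,
                    {"Content-Type": "application/json"}, body)


def send(req: dict, timeout: int = 30) -> dict:
    """Perform the call. Not exercised below so the example runs offline."""
    r = Request(req["url"], data=req["body"], headers=req["headers"], method=req["method"])
    with urlopen(r, timeout=timeout) as resp:
        return json.loads(resp.read() or b"{}")


# Constructed sample evidence file (a user access review export).
SAMPLE_FILE = b"user,role,last_reviewed\nalice,admin,2024-12-20\nbob,viewer,2024-12-20\n"

if __name__ == "__main__":
    req = upload_evidence("TOKEN", "user_access_review.csv", SAMPLE_FILE,
                          ["CC6.1"], "Q4 user access review", "2024-12-20")
    print(req["method"], req["url"], req["headers"]["Content-Type"])
    print(req["body"].decode(errors="replace"))
```

The `evidence_id` is percent-encoded before it is placed in the path so a value taken from another system cannot add path segments, and the filename is reduced to its base name for the same reason on the upload side. Keep the API token out of the script itself; read it from the environment or a secrets store at run time.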
Best Practices
- Organize Early: Set up folder structure before collecting
- Name Consistently: Use clear, consistent file naming
- Collect Continuously: Don't wait until audit time
- Review Regularly: Keep evidence current
- Automate When Possible: Use scheduled collection
- Track Expiration: Monitor and refresh aging evidence
- Maintain Metadata: Add descriptions and context