Evidence & Audit Log Tracker

Property	Value
Document ID	RISK-005
Version	1.0
Status	Draft
Owner	Compliance Manager
Last Updated	2026-01-11
Next Review	2027-01-11
Related Controls	SOC 2: All / ISO 27001: All

1. Purpose

This tracker documents evidence collected to demonstrate compliance with SOC 2 and ISO 27001 controls. It serves as the central repository for audit artifacts and ensures complete evidence coverage.

2. Evidence Collection Schedule

Category	Collection Frequency	Owner
Access Reviews	Quarterly	Security Team
System Configurations	Quarterly	DevOps
Training Records	Annually	HR
Vulnerability Scans	Weekly	Security Team
Penetration Tests	Annually	Security Team
Incident Reports	Per occurrence	Security Team
Change Records	Monthly	IT Operations
Backup/DR Tests	Monthly/Annually	DevOps
Vendor Assessments	Annually	Procurement
Policy Reviews	Annually	CISO

3. Evidence Register

Template for Each Evidence Entry

Field	Description
Evidence ID	Unique identifier (EVD-YYYY-XXX)
Title	Descriptive name of evidence
Control(s)	SOC 2 and/or ISO 27001 controls addressed
Description	What the evidence demonstrates
Type	Document, Screenshot, Log, Report, Ticket, Config
Date Collected	When evidence was gathered
Period Covered	Time range the evidence covers
Owner	Person responsible for evidence
Location	Where evidence is stored
Status	Collected, Pending, Expired
Tags	Keywords for search

4. Evidence Log

Q1 2026 Evidence

ID	Title	Controls	Type	Collected	Period	Owner	Location	Status
EVD-2026-001	Information Security Policy (Signed)	CC1.1, A.5.1	Document	2026-01-11	Current	CISO	SharePoint/Policies	Collected
EVD-2026-002	Access Control Policy (Signed)	CC6.1, A.5.15	Document	2026-01-11	Current	CISO	SharePoint/Policies	Collected
EVD-2026-003	Q1 User Access Review	CC6.2, A.5.18	Report	Pending	Q1 2026	Security	GRC Platform	Pending
EVD-2026-004	MFA Enrollment Report	CC6.6, A.8.5	Report	Pending	Q1 2026	IT	Okta Export	Pending
EVD-2026-005	IdP Password Policy Config	CC6.6, A.5.17	Screenshot	Pending	Current	IT	Evidence Store	Pending
EVD-2026-006	TLS Configuration Scan	CC6.7, A.8.24	Report	Pending	Q1 2026	Security	SSL Labs	Pending
EVD-2026-007	Vulnerability Scan Report	CC7.1, A.8.8	Report	Weekly	Week 1	Security	Nessus/Snyk	Pending
EVD-2026-008	SIEM Alert Rules	CC7.2, A.8.16	Screenshot	Pending	Current	Security	SIEM Console	Pending
EVD-2026-009	Sample Security Alerts	CC7.3, A.5.25	Export	Pending	Q1 2026	Security	SIEM	Pending
EVD-2026-010	Incident Tickets (if any)	CC7.4, A.5.26	Tickets	Per incident	Q1 2026	Security	Ticketing	Pending

Q2 2026 Evidence

ID	Title	Controls	Type	Period	Owner	Status
EVD-2026-016	Q2 User Access Review	CC6.2, A.5.18	Report	Q2 2026	Security	Pending
EVD-2026-017	Privileged Access Review	CC6.2, A.8.2	Report	Q2 2026	Security	Pending
EVD-2026-018	Penetration Test Report	CC7.1, A.8.8	Report	Annual	Security	Pending
EVD-2026-019	DR Test Results	A1.3, A.5.30	Report	Q2 2026	DevOps	Pending
EVD-2026-020	SOC 2 Report Review (Vendors)	CC9.2, A.5.22	Document	Annual	Procurement	Pending

5. Evidence by Control Area

Access Control Evidence (CC6)

Evidence Needed	Frequency	Owner	Status
Access request tickets	Continuous	IT	Collected
User access review reports	Quarterly	Security	Pending
Privileged access review	Monthly	Security	Pending
Termination tickets	Continuous	IT/HR	Collected
IdP configuration screenshots	Quarterly	IT	Pending
RBAC documentation	Annually	Security	Pending

Logging & Monitoring Evidence (CC7.2)

Evidence Needed	Frequency	Owner	Status
SIEM configuration	Quarterly	Security	Pending
Log retention settings	Quarterly	Security	Pending
Sample log entries	Quarterly	Security	Pending
Alert rule documentation	Quarterly	Security	Pending
Alert response examples	Quarterly	Security	Pending

Incident Response Evidence (CC7.3-7.4)

Evidence Needed	Frequency	Owner	Status
Incident response plan	Annually	Security	Collected
Incident tickets	Per incident	Security	As needed
Post-incident reviews	Per incident	Security	As needed
Tabletop exercise records	Annually	Security	Pending
Contact list updates	Quarterly	Security	Pending

Change Management Evidence (CC8.1)

Evidence Needed	Frequency	Owner	Status
Change request tickets	Monthly	IT	Pending
CAB meeting minutes	Monthly	IT	Pending
Deployment logs	Monthly	DevOps	Pending
Code review evidence	Monthly	Dev	Pending
Emergency change records	Per incident	IT	As needed

Vulnerability Management Evidence (CC7.1)

Evidence Needed	Frequency	Owner	Status
Vulnerability scan reports	Weekly	Security	Pending
Remediation tickets	Weekly	DevOps	Pending
SLA compliance reports	Monthly	Security	Pending
Penetration test report	Annually	Security	Pending

Vendor Management Evidence (CC9.2)

Evidence Needed	Frequency	Owner	Status
Vendor inventory	Quarterly	Procurement	Pending
Security assessments	Annually	Security	Pending
SOC 2 reports (critical vendors)	Annually	Security	Pending
Contract review evidence	Annually	Legal	Pending

6. Evidence Collection Checklist

Pre-Audit Preparation (30 days before)

Review evidence requirements with auditor
Identify any gaps in evidence collection
Collect all outstanding evidence
Organize evidence in audit folder structure
Verify evidence covers audit period
Prepare evidence index/list for auditor
Test access to evidence locations
Identify evidence owners for interview

Audit Execution Support

Provide evidence access to auditors
Respond to additional evidence requests
Facilitate interviews with control owners
Document any findings or gaps
Track remediation of findings

7. Evidence Storage Guidelines

Requirement	Standard
Location	Secure, access-controlled repository
Access	Limited to compliance and audit team
Naming	EVD-YYYY-XXX_ControlArea_Description
Format	PDF for documents, PNG for screenshots
Retention	Duration of certification + 1 year
Backup	Included in standard backup

Folder Structure

Evidence/
├── 2026/
│   ├── Q1/
│   │   ├── Access-Control/
│   │   ├── Authentication/
│   │   ├── Change-Management/
│   │   ├── Incident-Response/
│   │   ├── Logging-Monitoring/
│   │   ├── Vulnerability-Management/
│   │   └── Vendor-Management/
│   ├── Q2/
│   ├── Q3/
│   └── Q4/
├── Policies/
├── Penetration-Tests/
└── Audit-Reports/

8. Evidence Quality Checklist

For each piece of evidence, verify:

Evidence is dated within audit period
Evidence clearly shows what is claimed
Screenshots show system name/URL
Reports are complete (not truncated)
Sensitive data is appropriately redacted
Evidence is in readable format
Evidence filename follows convention

9. Audit Finding Tracker

Finding ID	Source	Date	Description	Severity	Owner	Due Date	Status	Remediation

Finding Severity Levels

Severity	Description	Remediation Timeline
Critical	Control failure, significant risk	Immediate
High	Control weakness, material gap	30 days
Medium	Control improvement needed	90 days
Low	Best practice recommendation	180 days

10. Related Documents

11. Version History

Version	Date	Author	Changes
1.0	2026-01-11	Compliance Team	Initial release

This document is classified as INTERNAL. Unauthorized distribution is prohibited.