Evidence Collection
Upload, track, and manage audit evidence with file integrity checks, encrypted storage, and control mapping for ISO 27001 compliance.
Overview
Evidence collection is essential for demonstrating that your ISMS controls are implemented and effective. During internal and external audits, you will be asked to produce evidence that specific controls are operating as intended. The Evidence module in Standardise provides a centralised repository for uploading, organising, and retrieving audit evidence with built-in integrity verification and encrypted storage.
File Upload and Validation
Evidence files can be uploaded via a drag-and-drop interface or traditional file picker. The following constraints are enforced:
- Maximum file size — 25 MB per file.
- Allowed file types — 16 MIME types are accepted, including PDF, Word documents, Excel spreadsheets, images (PNG, JPEG), plain text, CSV, and common archive formats.
- SHA-256 checksum — A SHA-256 hash is computed when the file is uploaded and stored with the item's metadata. To check integrity later, recompute the hash of the downloaded file and compare it with the recorded value (also included in the CSV export); a mismatch means the file was altered or corrupted after it was collected. Note that the checksum proves the file is unchanged since upload, not that the uploaded content was accurate in the first place.
Encrypted Storage
Uploaded files are stored in AWS S3 with SSE-KMS (Server-Side Encryption using AWS Key Management Service) under a customer-managed KMS key. Evidence is therefore encrypted at rest in the S3 bucket, and reading an object requires both an IAM policy that allows access to the object and permission to use the key (kms:Decrypt), which the KMS key policy governs. For local development, files are stored on the local filesystem as a fallback; this fallback does not provide the S3 and KMS protections described here and is intended for development only.
When downloading evidence, Standardise generates a time-limited presigned URL that grants temporary access to the file without exposing S3 credentials. URLs expire after a short window, so a shared link does not grant permanent access. A presigned URL is a bearer credential: anyone who obtains the link can fetch the file until it expires, without further authentication, so treat the link with the same care as the evidence file itself.
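The check below, added here as an example and not part of Standardise, shows how to confirm that a shared evidence link really is time-limited. Every S3 presigned URL carries SigV4 query parameters, including X-Amz-Date (when it was signed) and X-Amz-Expires (its lifetime in seconds); the function reads those to report the expiry time, whether the link is still usable, and whether its lifetime exceeds a maximum you choose. The sample URL, bucket name, key and signature are constructed, and the 15-minute limit is an assumed policy value, not a Standardise setting.

```python
"""Check whether an S3 presigned URL is still valid and how long it has left.

Added example, not Standardise's own code. Parses the SigV4 query
parameters (X-Amz-Date, X-Amz-Expires) that every S3 presigned URL carries.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed policy: evidence links shared with auditors should not live longer
# than this. S3 itself caps X-Amz-Expires at 7 days (604800 s) for SigV4.
MAX_TTL_SECONDS = 15 * 60

# Constructed sample: bucket, key and signature are dummies.
SAMPLE_URL = (
    "https://example-evidence-bucket.s3.eu-west-2.amazonaws.com/evidence/abc123/report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20240301%2Feu-west-2%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240301T120000Z"
    "&X-Amz-Expires=900"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=deadbeef"
)


def presigned_url_validity(url: str, now: Optional[datetime] = None) -> dict:
    """Return expiry details for a presigned URL as of ``now`` (default: current UTC).

    A presigned URL is a bearer credential: whoever holds it can fetch the
    object until X-Amz-Date + X-Amz-Expires with no further authentication.
    """
    now = now or datetime.now(timezone.utc)
    params = parse_qs(urlparse(url).query)
    try:
        signed_at = datetime.strptime(
            params["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ"
        ).replace(tzinfo=timezone.utc)
        ttl = int(params["X-Amz-Expires"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError(
            "not a SigV4 presigned URL: missing or malformed X-Amz-Date/X-Amz-Expires"
        ) from exc
    expires_at = signed_at + timedelta(seconds=ttl)
    return {
        "signed_at": signed_at,
        "expires_at": expires_at,
        "ttl_seconds": ttl,
        # Valid only inside the window; a URL dated in the future is rejected by S3 too.
        "valid": signed_at <= now < expires_at,
        "seconds_remaining": max(0, int((expires_at - now).total_seconds())),
        "too_long": ttl > MAX_TTL_SECONDS,
    }


if __name__ == "__main__":
    info = presigned_url_validity(SAMPLE_URL)
    print(f"expires at {info['expires_at'].isoformat()}, valid now: {info['valid']}, "
          f"lifetime {info['ttl_seconds']}s, exceeds policy: {info['too_long']}")
```

Run it against a link you are about to share; if `too_long` is true, regenerate the link with a shorter lifetime rather than sending it. Note that a URL signed with temporary (STS) credentials also stops working when those credentials expire, even if X-Amz-Expires has not been reached.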
Metadata and Control Mapping
Each evidence item includes metadata fields to help you organise and retrieve evidence during audits:
- Title — A descriptive name for the evidence item.
- Description — Context about what the evidence demonstrates and how it was collected.
- Control mapping — Link evidence to specific Annex A controls, making it easy to produce all evidence related to a particular control during an audit.
- Collection date — When the evidence was gathered, which is important for demonstrating ongoing compliance rather than point-in-time snapshots.
CSV Export
The evidence register can be exported to CSV, giving a summary of all evidence items with their metadata, file details, SHA-256 checksums, and control mappings. This is useful for building an evidence index to share with auditors ahead of an engagement, and because the export carries the recorded checksums, it also serves as a reference against which downloaded evidence files can be re-verified.
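The script below, added here as an example and not part of Standardise, ties the checksum and export features together: it reads an exported evidence register, recomputes the SHA-256 of each listed file in a local directory, and reports which files match, which have been altered since their checksum was recorded, and which are missing. The column names `title`, `file_name`, `sha256` and `controls`, the file contents and the control identifiers in the sample register are all constructed assumptions; adjust the column names to match your actual export.

```python
"""Verify an exported evidence register against the evidence files on disk.

Added example, not Standardise's own code. Assumes the CSV export has
columns ``title``, ``file_name``, ``sha256`` and ``controls``; real column
names may differ.
"""
import csv
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large files are not read into memory at once


def sha256_file(path: str) -> str:
    """Return the lowercase hex SHA-256 of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_register(csv_text: str, evidence_dir: str) -> dict:
    """Compare each register row's recorded checksum with the file on disk.

    Returns {"ok": [...], "mismatch": [...], "missing": [...]} listing file names.
    """
    result = {"ok": [], "mismatch": [], "missing": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["file_name"]
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            result["missing"].append(name)
            continue
        # Compare case-insensitively: some exports store hex digests in upper case.
        if sha256_file(path) == row["sha256"].strip().lower():
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    return result


def demo() -> dict:
    """Build a constructed register and evidence directory, tamper with one file, verify."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed evidence files (contents are made up).
        files = {
            "access-review-2024Q1.csv": b"user,role,reviewed\nalice,admin,yes\n",
            "backup-restore-test.txt": b"Restore of prod-db completed 2024-03-02\n",
        }
        rows = []
        for name, data in files.items():
            with open(os.path.join(evidence_dir, name), "wb") as fh:
                fh.write(data)
            rows.append((name, hashlib.sha256(data).hexdigest()))
        # A register entry whose file was never downloaded to this directory.
        rows.append(("pen-test-report.pdf", "0" * 64))
        # Modify one file after its checksum was recorded.
        with open(os.path.join(evidence_dir, "backup-restore-test.txt"), "ab") as fh:
            fh.write(b"(edited)\n")
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["title", "file_name", "sha256", "controls"])
        for name, digest in rows:
            writer.writerow([name, name, digest, "A.5.18;A.8.13"])  # control IDs are sample data
        return verify_register(buf.getvalue(), evidence_dir)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status}: {names}")
```

Run `verify_register(open("evidence-register.csv").read(), "./evidence")` against a real export after downloading the files; any entry under `mismatch` should be investigated before the evidence is presented to an auditor, and entries under `missing` show gaps in the local copy rather than in the register itself.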
ISO 27001 Mapping
Evidence collection supports two clauses in ISO 27001:2022: Clause 7.5 (Documented Information) requires that evidence and records be maintained as documented information, with appropriate controls for storage, preservation, and retrieval. Clause 9.1 (Monitoring, Measurement, Analysis and Evaluation) requires the organisation to retain documented information as evidence of monitoring and measurement results. Together, these clauses mandate a systematic approach to collecting and preserving evidence of ISMS effectiveness.