Collecting evidence

We have presented how you can decompose conformance goals into sub-goals and requirements. The next step is to extend this decomposition further with evidence. Usually you will require convincing evidence to be provided to demonstrate that a given requirement is satisfied. In some cases we know in advance what evidence is to be provided and we can give it a title, for example “Security Policy”. In other cases we should let the users decide what evidence, and how much of it, they plan to deliver.

Evidence can be provided for any specified conformance requirement. Any number of documents, files or links can be listed for any requirement. We will demonstrate extending the “backup” checklist (described in section 2) with evidence.

Conformance evidence

Evidence can be any information, document or asset you want to use to demonstrate that a given requirement is met. It can be a PDF document, a photograph or the result of a measurement. It is useful to have evidence that can be verified online, but physical assets can be used as evidence as well. Please note that some information can be restricted, with access available only in specific locations and only to authorized persons.

You can store evidence in:

  • NOR-STA internal repository,
  • SharePoint repository,
  • any other type of a repository with web access,
  • any other place where it is a physical asset; describe it in NOR-STA so that the assessor can judge whether the given evidence is sufficient to state that the requirement is satisfied.

When you use electronic evidence you cannot add it directly to NOR-STA.

[Figure: managing conformance evidence]

Use of evidence allows you to implement the conformance management process.
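To make the goal → requirement → evidence structure concrete, here is an added example (not NOR-STA's own code or data model) that records evidence for the “backup” checklist and reports which requirements still lack sufficient evidence; the storage types mirror the list above, and the requirement names, links and “Security Policy” document are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum


class Store(Enum):
    """Where a piece of evidence is kept (the four options listed above)."""
    NOR_STA = "NOR-STA internal repository"
    SHAREPOINT = "SharePoint repository"
    WEB = "other repository with web access"
    PHYSICAL = "physical asset"


@dataclass
class Evidence:
    title: str
    store: Store
    location: str            # link or repository path, or a description of where the physical asset is
    restricted: bool = False  # access only in specific locations / for authorized persons


@dataclass
class Requirement:
    name: str
    evidence: list = field(default_factory=list)


@dataclass
class Goal:
    name: str
    requirements: list


def evidence_problems(ev: Evidence) -> list:
    """Checks an assessor would raise before accepting a piece of evidence."""
    problems = []
    if not ev.location.strip():
        kind = "physical asset needs a location description" if ev.store is Store.PHYSICAL \
            else "electronic evidence needs a link or repository path"
        problems.append(f"{ev.title}: {kind}")
    elif ev.store in (Store.SHAREPOINT, Store.WEB) and not ev.location.startswith(("http://", "https://")):
        problems.append(f"{ev.title}: web-accessible evidence should be a verifiable URL")
    return problems


def assess(goal: Goal) -> dict:
    """Per requirement, the list of open issues; an empty list means evidence is complete."""
    report = {}
    for req in goal.requirements:
        issues = [] if req.evidence else ["no evidence provided"]
        for ev in req.evidence:
            issues.extend(evidence_problems(ev))
        report[req.name] = issues
    return report


# Constructed sample: the "backup" checklist with three requirements (hypothetical values)
BACKUP = Goal("Backups are performed and restorable", [
    Requirement("Backup policy approved",
                [Evidence("Security Policy", Store.NOR_STA, "repo/policies/security-policy.pdf")]),
    Requirement("Restore test performed quarterly",
                [Evidence("Restore test log", Store.SHAREPOINT, "https://sharepoint.example/restore-log"),
                 Evidence("Offsite tape set", Store.PHYSICAL, "", restricted=True)]),
    Requirement("Backup media stored offsite", []),
])
```

Running `assess(BACKUP)` flags the physical tape set (no location description) and the requirement with no evidence at all, while the policy requirement is reported as complete.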

[Figure: use of evidence in the conformance process]
