Evidence Index
Document ID: EVID-001
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Last updated: March 2026
Next review: Quarterly
Purpose
This index catalogues all evidence artefacts required for ISO 27001 and SOC 2 audits. It serves as a single reference for auditors to locate evidence efficiently.
How to Use This Index
Ref — Evidence reference number
Evidence — Description of the artefact
Framework — Which audit framework requires this evidence
Control Ref — ISO 27001 or SOC 2 control reference
Location — Where the evidence is stored
Frequency — How often the evidence is generated or updated
Status — Current availability
Governance & Policy Evidence
| Ref | Evidence | Framework | Control Ref | Location | Frequency | Status |
|---|---|---|---|---|---|---|
| E-GOV-01 | Signed Information Security Policy | Both | ISO 5.1 / CC1.1 | ISMS repo: policies/ | Annual | ✅ Available |
| E-GOV-02 | Management review minutes | Both | ISO 9.3 / CC1.2 | Google Drive > Security > Reviews | Annual | 📋 Pending (initial review 21 March 2026) |
| E-GOV-03 | Risk register with assessment | Both | ISO 6.1.2 / CC3.2 | ISMS repo: registers/ | Annual | ✅ Available |
| E-GOV-04 | Statement of Applicability | ISO 27001 | ISO 6.1.3 | ISMS repo: iso27001/ | Annual | ✅ Available |
| E-GOV-05 | Internal audit reports | Both | ISO 9.2 / CC4.1 | Google Drive > Security > Audits | Annual | 📋 Pending (first audit 30 March 2026) |
| E-GOV-06 | Corrective action log | Both | ISO 10.2 / CC4.2 | Google Drive > Security > CAs | Ongoing | 📋 Pending |
| E-GOV-07 | ISMS scope document (incl. Clause 4.1 context) | ISO 27001 | ISO 4.1, 4.2, 4.3 | ISMS repo: iso27001/ | Annual | ✅ Available |
| E-GOV-08 | ISMS objectives | ISO 27001 | ISO 6.2 | ISMS repo: iso27001/ | Annual | ✅ Available |
| E-GOV-09 | Management review agenda (March 2026) | Both | ISO 9.3 / CC1.2 | ISMS repo: iso27001/ | Annual | ✅ Available |
| E-GOV-10 | Internal audit plan (March 2026) | Both | ISO 9.2 / CC4.1 | ISMS repo: iso27001/ | Annual | ✅ Available |
| E-GOV-11 | Legal & regulatory register | Both | ISO A.5.31 / CC2.2 | ISMS repo: registers/ | Annual | ✅ Available |
| E-GOV-12 | Communication plan | Both | ISO 7.4 / CC2.2 | ISMS repo: procedures/ | Annual | ✅ Available |
| E-GOV-13 | Competence records (CVs) | ISO 27001 | ISO 7.2 | Google Drive > HR > CVs | Per hire | ✅ Available |
| E-GOV-14 | DPIA — Quick-ID document verification | Both | GDPR Art. 35 / P1.1 | ISMS repo: registers/ | Annual | ✅ Available |
| E-GOV-15 | Tabletop exercise record | Both | ISO A.5.24 / CC7.3 | ISMS repo: procedures/ | Annual | 📋 Scheduled 21 March 2026 |
| E-GOV-16 | EU AI Act risk classification | Both | EU AI Act / CC2.2 | ISMS repo: registers/ | Annual | ✅ Available (in legal register) |
Access Control Evidence
| Ref | Evidence | Framework | Control Ref | Location | Frequency | Status |
|---|---|---|---|---|---|---|
| E-ACC-01 | Azure AD user list with role assignments | Both | ISO 5.15 / CC6.1 | Azure Portal > Azure AD | Quarterly | ✅ Available |
| E-ACC-02 | Quarterly access review records | Both | ISO 5.15 / CC6.1 | Google Drive > Security > Access Reviews | Quarterly | 📋 Pending (first Q2 2026) |
| E-ACC-03 | Azure RBAC role assignments (PIM planned Q3 2026) | Both | ISO 8.2 / CC6.1 | Azure Portal > IAM > Role Assignments | Quarterly | ✅ Available |
| E-ACC-04 | MFA enforcement configuration | Both | ISO 8.5 / CC6.1 | Azure AD / Google Admin | Continuous | ✅ Available |
| E-ACC-05 | GitHub access and token audit | Both | ISO 5.15 / CC6.1 | GitHub Admin > Audit Log | Quarterly | ✅ Available |
| E-ACC-06 | Offboarding completion records | Both | ISO 6.5 / CC6.3 | Google Drive > HR > Offboarding | Per event | 📋 Template ready |
Technical Control Evidence
| Ref | Evidence | Framework | Control Ref | Location | Frequency | Status |
|---|---|---|---|---|---|---|
| E-TEC-01 | Azure Security Center compliance score | Both | ISO 8.16 / CC7.2 | Azure Portal > Security Center | Continuous | ✅ Available |
| E-TEC-02 | Vulnerability scan reports | Both | ISO 8.8 / CC7.1 | Azure Portal > Defender | Monthly | ✅ Available |
| E-TEC-03 | TLS configuration (SSL Labs report) | Both | ISO 8.24 / CC6.7 | SSL Labs scan | Quarterly | ✅ Available |
| E-TEC-04 | Azure Key Vault access logs | Both | ISO 8.24 / CC6.7 | Azure Portal > Key Vault | Continuous | ✅ Available |
| E-TEC-05 | Azure Monitor log retention settings | Both | ISO 8.15 / CC7.2 | Azure Portal > AKS + Caddy logs | Continuous | ✅ Available |
| E-TEC-06 | NSG and firewall rules | Both | ISO 8.20 / CC6.6 | Azure Portal > Networking | Continuous | ✅ Available |
| E-TEC-07 | GitHub branch protection rules | Both | ISO 8.25 / CC8.1 | GitHub > Settings > Branches | Continuous | ✅ Available |
| E-TEC-08 | CI/CD pipeline configuration | Both | ISO 8.25 / CC8.1 | GitHub > Actions | Continuous | ✅ Available |
| E-TEC-09 | SAST scan results | Both | ISO 8.25 / CC8.1 | GitHub > Security > Code scanning | Per PR | ✅ Available |
| E-TEC-10 | Penetration test report | Both | ISO 8.29 / CC8.1 | Google Drive > Security > Pentests | Annual | 📋 Planned Q2 2026 |
| E-TEC-11 | Device encryption verification | Both | ISO 7.8 / CC6.4 | Google Drive > Security > Devices | Quarterly | 📋 Pending |
Operational Evidence
| Ref | Evidence | Framework | Control Ref | Location | Frequency | Status |
|---|---|---|---|---|---|---|
| E-OPS-01 | Incident register | Both | ISO 5.24 / CC7.3 | Google Drive > Security > Incidents | Ongoing | 📋 Template ready |
| E-OPS-02 | Backup restore test results | Both | ISO 5.29 / A1.3 | Google Drive > Security > DR Tests | Semi-annual | 📋 Pending (first Sep 2026) |
| E-OPS-03 | Change log / PR history | Both | ISO 8.32 / CC8.1 | GitHub > Pull Requests | Continuous | ✅ Available |
| E-OPS-04 | Training completion records | Both | ISO 6.3 / CC1.4 | Google Workspace > HR > Training | Annual | ✅ Available |
| E-OPS-05 | Background check records | Both | ISO 6.1 / CC1.4 | Google Drive > HR > Background Checks | Per hire | 📋 Process formalising |
| E-OPS-06 | Supplier DPAs and certifications | Both | ISO 5.19 / CC9.2 | Google Drive > Legal > Suppliers | Annual | ✅ Available |
| E-OPS-07 | Azure capacity and cost reports | SOC 2 | A1.1 | Azure Portal > Cost Management | Monthly | ✅ Available |
| E-OPS-08 | GDPR data subject request log | SOC 2 | P5.1 | Google Drive > Legal > DSARs | Ongoing | 📋 Template ready |
Evidence Collection Calendar
| Month | Evidence to Collect/Refresh |
|---|---|
| Monthly | Vulnerability scans (E-TEC-02), Azure cost reports (E-OPS-07) |
| Quarterly | Access reviews (E-ACC-02), RBAC role assignments (E-ACC-03), GitHub audit (E-ACC-05), SSL Labs (E-TEC-03), Device encryption (E-TEC-11) |
| Semi-annually | Backup restore tests (E-OPS-02) |
| Annually | Management review (E-GOV-02), Internal audit (E-GOV-05), Penetration test (E-TEC-10), Training records (E-OPS-04), Supplier review (E-OPS-06) |
Status Summary
| Status | Count |
|---|---|
| ✅ Available | 18 |
| 📋 Pending / Template Ready | 10 |
| Total | 28 |
March 9, 2026