Evidence Pack

    A period-based, auditor-ready export of the evidence behind your framework

    What is the evidence pack?

    The evidence pack is the export you hand to an auditor. Where the Statement of Applicability records what applies, the evidence pack shows the proof. For every applicable framework requirement it collects the four layers an auditor actually asks for:

    • Design - the controls mapped to the requirement, with their description, frequency and test script, so the auditor can judge whether the control is designed to meet the requirement.
    • Governance - the policies that mandate each control, including the published version label, plus the systems and business processes the control protects.
    • Operating effectiveness - the control tests completed inside the audit period: result, tester, reviewer sign-off by a second user, the evidence text and the attached files.
    • Exceptions - the issues raised by failed tests, with severity, status, assignee and resolution, so the follow-up trail is visible alongside the passes.

    Requirements you marked not applicable appear with their justification only, exactly as on the Statement of Applicability.

    The audit period

    Every export covers an explicit audit period. By default Anzen uses the last 12 months; you can set any custom range when you export. The period is inclusive and interpreted in UTC: it runs from 00:00 UTC on the start date through 23:59:59 UTC on the end date, and it is printed on the front page of the pack so there is never any doubt about which window the evidence covers. Tests, issues and tickets outside the period are left out.

    The ZIP bundle

    The PDF is the readable report; the ZIP bundle is the same pack with the actual artifacts included. It unpacks into a fixed layout an auditor can navigate without ever opening Anzen:

    • index.pdf at the root - the full evidence-pack report.
    • One folder per requirement reference (for example A.5.1), with a subfolder per control.
    • The original evidence files attached to each test, stored under the control they belong to.
    • evidence.txt per control - the complete, untruncated test log (the PDF shortens long evidence text and points here).
    • MISSING.txt - present only when a file could not be included (for example removed from storage, or over the size limit), naming each file and the reason.

    The report contains a manifest with a SHA-256 checksum for every file in the bundle, so anyone can verify that no file was altered after export.
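
    One way to run that check on an unpacked bundle, as an added example (not Anzen's own code). It assumes the manifest has been copied out of the report as lines of `<sha256 hex>  <relative path>`; that line format, the function names and the sample folder names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    # Reads the whole file into memory; stream in chunks for very large attachments.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def parse_manifest(text: str) -> dict:
    """Assumed format: '<sha256 hex>  <relative path>' on each line."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            checksum, rel_path = line.split(maxsplit=1)
            entries[rel_path.strip()] = checksum.lower()
    return entries

def verify_bundle(root: Path, manifest_text: str) -> dict:
    """Classify every path as ok, altered, missing or unlisted."""
    expected = parse_manifest(manifest_text)
    on_disk = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "altered": [], "missing": [], "unlisted": []}
    for rel_path, checksum in sorted(expected.items()):
        if rel_path not in on_disk:
            report["missing"].append(rel_path)
        elif sha256_file(on_disk[rel_path]) == checksum:
            report["ok"].append(rel_path)
        else:
            report["altered"].append(rel_path)
    # A file on disk that the manifest never listed was added after export.
    report["unlisted"] = sorted(set(on_disk) - set(expected))
    return report

def demo() -> dict:
    """Constructed sample bundle: one file changed and one added after export."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ctrl = root / "A.5.1" / "control-1"  # constructed folder names
        ctrl.mkdir(parents=True)
        (ctrl / "evidence.txt").write_text("test passed\n")
        (ctrl / "scan.csv").write_text("host,status\n")
        manifest = "\n".join(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
                             for p in sorted(root.rglob("*")) if p.is_file())
        (ctrl / "evidence.txt").write_text("test failed\n")  # altered after export
        (ctrl / "extra.txt").write_text("added later\n")     # not in the manifest
        return verify_bundle(root, manifest)

if __name__ == "__main__":
    print(demo())
```

    Comparing in both directions matters: a checksum mismatch shows a changed file, while the unlisted and missing lists show files added to or removed from the bundle after export.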

    ITSM tickets as operating evidence

    Because Anzen runs your service desk and your compliance work in one platform, the pack can use day-to-day operations as evidence. Incidents, problems and change requests from the audit period that touch a control's systems are listed under that control - real operational records that show the control living in practice, such as the change requests behind a patch-management control. Each control lists up to ten tickets plus a total count, and the section only appears for controls that have such tickets; nothing is padded.

    Document branding

    The pack is rendered on your own letterhead: a workspace superadmin can set a header name and upload a logo (PNG or JPEG) under Workspace Settings. The same branding applies to policy exports and the Statement of Applicability PDF; invoices are not affected. Without it, documents fall back to your company name in plain text.

    Pricing

    The evidence pack (PDF and ZIP) and the Statement of Applicability PDF export are part of the Anzen Compliance add-on (€79 / month), activated from the Add-ons page. Viewing and maintaining your Statement of Applicability, the readiness dashboard and the whole compliance journey stay free on every plan.