Tips for evidence submission

Screenshots

Screenshots should be complete images of your system, showing the date and time stamp, URLs, and evidence of logged-in user ID when relevant.

Contoso security awareness training document with company name, version controls, and policy approvals in red boxes.

Policy documents

The entire policy document must be submitted when providing evidence. Per industry best practices polices should undergo an annual review to ensure they are up to date. All policies should include version controls, dates, and approvals.

Contoso security awareness training policy document with company name, version controls, and policy approvals in red boxes.

Sub-controls

Many of the controls include sub-controls that must be satisfied. You are required to upload evidence for each of these sub-controls.

Screen grab of Control No. 13 description including multiple sub controls.

File submission

Screenshots should be provided as word/PDF documents with a detailed description of purpose and context. This will help simplify the certification review process, making sure the control shown is correctly assessed against the control’s purpose.

Document showing the control criteria, description of screenshot, and screenshot highlighted in red boxes.

Please refer to the sample evidence guide for comprehensive instructions on aligning your documentation with the criteria for potential evidence.

  • Last updated on