Evidence kitevidence-register.md
Top level

Evidence register

A single index of every control, the artifact that proves it, where it lives, who owns it, and when it was last refreshed — the one file an auditor or buyer asks for first.

The evidence register is the index of your whole compliance program: one row per control, pointing at the artifact that proves it. When an auditor sends a PBC (Provided By Client) list or a buyer sends a security questionnaire, you answer from this table instead of starting a scavenger hunt.

Keep it in your private evidence repo next to the populated evidence-folder-template/. The controls-map.md tells you what evidence each control needs; this register tracks the actual artifacts you have and their freshness.

Columns

Column What goes here
control Control ID + name from controls-map.md (e.g. 1.1 MFA enforcement)
system The system/account the evidence covers (e.g. AWS prod, GitHub org, Cloud SQL)
owner Named person accountable for refreshing it (not a team — a person)
artifact The file/export that proves it (e.g. 01-access-controls/mfa-enforcement.md)
source Where it was exported from — console path, CLI command, or dashboard URL
cadence How often it must be refreshed (Quarterly, Annually, Per release)
last_refreshed ISO date the artifact was last regenerated (2026-06-30)
status current, stale, missing, or n/a

Status rule of thumb: mark a row stale once last_refreshed is older than its cadence window. A quick way to spot the backlog before an auditor does is to sort by status.

Example (fictional Series B SaaS)

control system owner artifact source cadence last_refreshed status
1.1 MFA enforcement Google Workspace A. Okada 01-access-controls/mfa-enforcement.md Admin → Security → 2-step verification Quarterly 2026-06-12 current
1.2 Least-privilege IAM AWS prod A. Okada 01-access-controls/iam-quarterly-review.md aws iam get-account-authorization-details Quarterly 2026-04-02 stale
2.1 Audit logging AWS prod R. Mensah 02-logging-monitoring/audit-log-config.md CloudTrail org-trail config export Quarterly 2026-06-20 current
3.1 Branch protection GitHub org R. Mensah 03-cicd-change-management/branch-protection.md gh api repos/acme/app/branches/main/protection Quarterly 2026-06-18 current
4.3 Secret scanning GitHub org R. Mensah 04-vulnerability-secrets/secret-scanning.md gh api orgs/acme --jq '.security_and_analysis' Quarterly 2026-06-18 current
5.2 Restore test Cloud SQL L. Favre 05-backups-recovery/restore-test.md Quarterly DR drill report Quarterly 2026-03-30 stale
6.1 Model endpoint auth Vertex AI L. Favre 06-ai-workload-controls/endpoint-auth.md gcloud ai endpoints describe <id> Quarterly missing

CSV version

If you'd rather track this in a spreadsheet or pipe it into a script, the same schema as CSV — copy this into evidence-register.csv:

control,system,owner,artifact,source,cadence,last_refreshed,status
1.1 MFA enforcement,Google Workspace,,01-access-controls/mfa-enforcement.md,Admin > Security > 2-step verification,Quarterly,,missing
1.2 Least-privilege IAM,,,01-access-controls/iam-quarterly-review.md,,Quarterly,,missing
1.3 Service-account key inventory,,,01-access-controls/iam-quarterly-review.md,,Quarterly,,missing
2.1 Audit logging,,,02-logging-monitoring/audit-log-config.md,,Quarterly,,missing
2.2 Log retention,,,02-logging-monitoring/retention-policy.md,,Annually,,missing
2.3 Alert routing,,,02-logging-monitoring/alert-routing.md,,Annually,,missing
3.1 Branch protection,,,03-cicd-change-management/branch-protection.md,,Quarterly,,missing
3.2 Deploy approvals,,,03-cicd-change-management/deploy-approvals.md,,Quarterly,,missing
3.4 Release evidence,,,03-cicd-change-management/release-evidence.md,,Quarterly,,missing
4.1 Dependency scanning,,,04-vulnerability-secrets/dependency-scanning.md,,Quarterly,,missing
4.2 Image scanning,,,04-vulnerability-secrets/image-scanning.md,,Quarterly,,missing
4.3 Secret scanning,,,04-vulnerability-secrets/secret-scanning.md,,Quarterly,,missing
5.1 Backup config,,,05-backups-recovery/backup-config.md,,Quarterly,,missing
5.2 Restore test,,,05-backups-recovery/restore-test.md,,Quarterly,,missing
5.3 Incident runbook,,,05-backups-recovery/incident-runbook.md,,Annually,,missing
6.1 Model endpoint auth,,,06-ai-workload-controls/endpoint-auth.md,,Quarterly,,missing
6.2 Prompt/tool-call logging,,,06-ai-workload-controls/prompt-tool-call-logging.md,,Annually,,missing
6.3 Spend caps,,,06-ai-workload-controls/spend-caps.md,,Quarterly,,missing
6.4 Data retention,,,06-ai-workload-controls/data-retention.md,,Annually,,missing

Fill in system, owner, source, and last_refreshed as you collect each artifact, and flip status to current. Rows that stay missing are your readiness backlog.

Book fit call