Add custom manual evidence records to list
under review
G
Gorka
We'd like to manually add evidence records to prove that we're actually generating "records of access request issues tracked". Since Secfix doesn't provide Clickup integration yet and we can't turn some ticketing-system-related tasks green, we would then add proof for that on the manual evidence list.
I'm referring to the automated tasks called "Records of access requests issues tracked" and "Records of security issues being tracked" in my example.
Created by Lucas Backes
Ghada Shebl
under review
Ghada Shebl
Merged in a post:
Ability to add evidence (or link) directly to a control
M
Michael N.
Users should be able to add evidence not only via the manual evidence feature but also attach it directly to a control.
Context:
In some cases, auditors are looking to see more than just a policy as evidence in security reports; especially on day 2 of the audit when they look at all the technological controls in Appendix 8.
Just a 📁 icon next to the control in the Security Report which allows attaching .jpeg, .png, .pdf, or a link (etc) to a specific control would be sufficient.
Grigory Emelianov
Hi Michael N. thank you for your feedback. I'd love to review this for you. Can you please provide 2-3 specific examples of links or files that you wanted to add to the security report under A8 (Tech Controls)? Thank you
M
Michael N.
Grigory Emelianov absolutely!
Here goes:
8.1 - Screenshot of password complexity rules in MDM
8.4 - Screenshot that shows git users are specific to a project
8.23 - Screenshot of router blacklist, VPN blacklist
8.24 - Screenshot of ssl checker like ssllabs.com
8.25 - Screenshot showing there is an approval process in Git
This is what I can remember; Now that we had our first audit it is evident that the auditor can have different views on what needs more detailed evidence, so the ability to add and update arbitrary evidence on a per control basis (on top of the templates in manual evidence) would be beneficial.
Grigory Emelianov
Michael N.: Thank you, now it's loud and clear. I completely understand. You’re right—every auditor has their own approach, and it’s challenging to predict what additional evidence they might request.
Based on your feedback, I have a suggestion: Would it help if we allowed you to add custom evidence, be it a link or a document, in the Manual Evidence page and map it to the relevant framework controls? This way, you could centralize all additional evidence, and it would automatically appear in each security report, even across multiple standards.
M
Michael N.
Grigory Emelianov that would be perfect - as long as I can look for a certain control by its number and then add evidence to that. Right now, the control number can only be seen when hovering over the standard "pill" which makes it kinda hard to find the right section in manual evidence. scrolling down, hovering over each pill to find 8.24 is pretty cumbersome. That's how the auditor works though, he goes through all the controls by their number. So being able to find an evidence by its control number is crucial