Governance Evidence Requirements
Per-control evidence requirements for demonstrating compliance with the 14 governance controls. Evidence classified by type, frequency, and criticality.
Controls covered: 14. Total evidence items: 87 (33 document evidence, 54 record evidence).
Legend

Document: Formal policy, procedure, plan, or framework document
Record: Meeting minutes, reports, logs, attestations, or tracking records
Required: Must be produced for compliance
Expected: Strongly recommended for maturity

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Approved Cyber Risk Strategy document with executive/Board sign-off | Reviewed annually | Required |
| Document | Business strategy-to-cyber risk strategy alignment mapping or traceability matrix | Updated with each strategy revision | Required |
| Document | Technology strategy-to-cyber risk strategy alignment mapping | Updated with each strategy revision | Required |
| Record | Board or Executive Committee meeting minutes documenting strategy review and approval | Per review cycle (at least annually) | Required |
| Record | Strategy communication records (distribution emails, briefing attendance, intranet publication) | Per strategy update | Expected |
| Record | Annual strategy refresh documentation showing threat landscape and business change inputs | Annually | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Complete Cyber Risk Framework document with all component elements | Reviewed annually | Required |
| Document | Approved Risk Appetite Statement with defined thresholds | Reviewed annually | Required |
| Document | Risk Taxonomy document with categorization scheme | Reviewed annually | Required |
| Document | Policy and standards inventory showing all framework component documents with review dates | Maintained continuously | Required |
| Document | Risk management process documentation (identification, assessment, treatment, monitoring, reporting) | Reviewed annually | Required |
| Record | Framework version history showing updates for emerging threats and technologies | Per update | Expected |
| Record | Emerging threat watch list with review records | Quarterly | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Defined review schedule for strategy and framework | Established annually | Required |
| Document | Regulatory Compliance Register with all applicable requirements mapped to framework components | Updated quarterly | Required |
| Record | Review meeting agendas, minutes, and attendance records | Per review | Required |
| Record | Gap analysis reports with findings, remediation plans, and owners | Per review | Required |
| Record | Remediation tracking showing closure of identified gaps | Monthly until resolved | Required |
| Record | Updated strategy/framework documents with version control showing review-driven revisions | Per revision | Expected |
| Record | Legal and compliance team participation records in review activities | Per review | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Annual Cyber Risk Program Plan with risk-based project prioritization | Annually | Required |
| Document | Risk-based prioritization methodology and scoring criteria | Reviewed annually | Required |
| Document | Budget documentation linking allocations to identified risks and compliance requirements | Annually | Required |
| Record | Risk assessment outputs used as planning inputs (risk register extracts, threat intelligence summaries) | Per planning cycle | Required |
| Record | Mid-cycle reprioritization decisions with documented rationale | As occurred | Expected |
| Record | Executive reports showing investment-to-risk-reduction alignment | Quarterly | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Executive appointment letter, Board resolution, or charter naming the responsible executive | Updated upon change | Required |
| Document | Role charter defining mandate, authority, responsibilities, and reporting lines | Reviewed annually | Required |
| Record | Organizational chart showing the cyber risk executive position and reporting structure | Current | Required |
| Record | Board and Executive Committee meeting minutes showing regular cyber risk briefings | Per meeting (at least quarterly) | Required |
| Record | Executive/Board cyber risk awareness activities (briefing materials, tabletop exercise records) | At least annually | Required |
| Record | Board Risk Committee terms of reference including cyber risk oversight responsibilities | Reviewed annually | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Complete set of cyber risk policies with approval signatures, effective dates, and version control | Reviewed per policy schedule | Required |
| Document | RACI or responsibility matrix mapping cyber risk roles to individuals/positions | Reviewed annually | Required |
| Record | Policy acknowledgment records with staff and contractor signatures and dates | Annual re-acknowledgment | Required |
| Record | Policy distribution and communication records | Per policy update | Required |
| Record | Non-compliance enforcement actions demonstrating consistent application of consequences | Per incident | Expected |
| Record | Policy review and update records showing periodic refresh | Per policy review cycle | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Framework documentation with clear three lines of defence delineation | Reviewed annually | Required |
| Document | RACI matrix for cyber risk activities across all three lines | Reviewed annually | Required |
| Document | Internal Audit charter referencing cyber risk coverage and independence mandate | Reviewed annually | Required |
| Record | Second line oversight reports demonstrating independent review and challenge | Quarterly | Required |
| Record | Internal audit reports on cyber risk covering first and second line effectiveness | Per audit cycle | Required |
| Record | Organizational governance documentation showing reporting lines preserving independence | Current | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | KRI/KPI Register with definitions, data sources, thresholds, and risk appetite alignment | Reviewed semi-annually | Required |
| Document | Risk Appetite Statement showing explicit linkage to KRI thresholds | Reviewed annually | Required |
| Record | Dashboards or reports showing current indicator values against thresholds | Monthly/Quarterly | Required |
| Record | Escalation records demonstrating threshold breach response actions | Per breach event | Required |
| Record | Indicator review and recalibration records | Semi-annually | Expected |
| Record | Trend analysis reports showing indicator movement over time | Quarterly | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Cyber Risk Register with assessment dates, priority rankings, owners, and treatment status | Maintained continuously | Required |
| Document | Risk escalation criteria and pathway documentation | Reviewed annually | Required |
| Record | Quarterly risk review meeting minutes with attendance and documented decisions | Quarterly | Required |
| Record | Executive risk reports or Board dashboards showing prioritized risks in business context | Quarterly | Required |
| Record | Escalation records demonstrating material risks were raised appropriately | Per escalation event | Required |
| Record | Risk treatment plans with milestones, owners, and progress tracking | Per treatment plan | Required |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Second line review program charter or plan with scope, methodology, and schedule | Reviewed annually | Required |
| Record | Completed second line review reports with findings, ratings, and recommendations | Per review | Required |
| Record | First line response records to second line findings (remediation plans, corrective actions) | Per finding | Required |
| Record | Governance committee meeting records showing second line reporting on first line effectiveness | Quarterly | Required |
| Record | Trend analysis of review findings over time and remediation rates | Annually | Expected |
| Record | Evidence of second line independence (reporting structure, mandate documentation) | Reviewed annually | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Background check policy defining screening requirements by role sensitivity tier | Reviewed annually | Required |
| Record | Completed background check records for employees and contractors (redacted appropriately) | Per hire/engagement | Required |
| Record | Third-party contracts containing background screening requirements | Per contract | Required |
| Record | Third-party screening compliance attestations | Annually per provider | Required |
| Record | Periodic rescreening completion records for high-sensitivity personnel | Per rescreening cycle | Expected |
| Record | Process documentation showing access provisioning gated by screening completion | Reviewed annually | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Risk acceptance policy or procedure defining process, authority levels, and documentation standards | Reviewed annually | Required |
| Record | Completed risk acceptance forms with analysis, justification, compensating controls, and approvals | Per acceptance | Required |
| Record | Risk Acceptance Register showing all current acceptances with review dates and status | Maintained continuously | Required |
| Record | Governance reporting showing acceptance metrics (volume, risk levels, aging, overdue reviews) | Quarterly | Required |
| Record | Risk acceptance review records showing renewal, remediation, or escalation decisions | Per review date | Required |
| Record | Evidence that acceptance authority aligned with residual risk level per authority matrix | Per acceptance | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Resource and skills gap assessment with findings and recommendations | Annually | Required |
| Document | Cyber risk organizational chart showing filled roles, vacancies, and reporting structure | Current | Required |
| Document | Budget documentation showing dedicated funding for cyber risk personnel, tools, and services | Annually | Required |
| Record | Training and certification records for cyber risk personnel | Tracked continuously | Required |
| Record | Workforce planning documentation addressing succession and knowledge transfer | Reviewed annually | Expected |
| Record | Role-based competency requirements and job descriptions for cyber risk positions | Reviewed annually | Expected |

| Type | Evidence Item | Frequency | Criticality |
|---|---|---|---|
| Document | Critical asset inventory with classification, business impact ratings, and risk owners | Reviewed semi-annually | Required |
| Document | Control mapping documentation showing CIA controls assigned to each critical asset | Reviewed annually | Required |
| Document | Critical asset identification criteria and classification methodology | Reviewed annually | Required |
| Record | Control review records demonstrating regular assessment of control effectiveness | Per review schedule | Required |
| Record | Testing results: vulnerability scans, penetration tests, DR tests for critical assets | Per test schedule | Required |
| Record | Remediation tracking for control deficiencies identified through review and testing | Per finding | Required |
| Record | Annual control effectiveness summary reported to executive governance | Annually | Expected |