
Evidence collection

What evidence is, evidence types, the evidence lifecycle, expiration, renewal, and role-based access for evidence collection and review.

Last updated: June 2026

What evidence is and why it matters

Evidence is the documentation that demonstrates a control is operating as designed. During a SOC 2 or ISO 27001 audit, external auditors will request evidence for each control in scope. Without accepted evidence, a control cannot be considered operating — regardless of what your policies or procedures say.

Nuxari organizes evidence collection around your control library. Each control specifies which evidence types are required. As you collect and accept evidence, control statuses advance.

Evidence types

Audit log export

Exported records from Nuxari's tamper-evident audit trail, covering platform actions over a defined period.

Access review completion

Documentation that a formal access review campaign was completed, with findings and decisions recorded.

Policy document

An approved information security policy with approval date, approver identity, and version.

Vulnerability scan report

Results from a periodic vulnerability assessment with remediation status.

Penetration test report

Findings from a third-party penetration test with scope, results, and remediation actions.

Vendor security review

Documentation of a completed vendor risk assessment including data access level, DPA status, and risk rating.

Training completion record

Records of security awareness training completion by required staff.

Incident record

Documentation of a security incident or near-miss with timeline, impact assessment, and lessons learned.

Configuration baseline

System configuration snapshot demonstrating security hardening baseline.

Evidence lifecycle

Every piece of evidence moves through a defined lifecycle:

  • Pending. Evidence has been submitted but not yet reviewed.
  • Collected. Evidence has been received and is awaiting formal review.
  • Reviewed. A reviewer has examined the evidence but not yet made a final decision.
  • Accepted. Evidence is complete and valid. The control counts this evidence toward its readiness status.
  • Rejected. Evidence was reviewed and found insufficient or incorrect. A new submission is required.

Evidence expiration and renewal

Evidence has a validity period. Access review evidence is typically valid for 90 days. Policy approvals are valid until the next required review date. When evidence expires, the control linked to it reverts and a new evidence collection cycle is required. Nuxari notifies the assigned collector and control owner when evidence is approaching expiration.

Accepted evidence that expires will revert the control to a blocked or implemented state. Plan evidence renewal schedules before your audit observation period begins to avoid gaps.

Role-based evidence access

Evidence collection and review are role-controlled:

  • Governance Operator. Can collect and submit evidence for assigned controls.
  • Client Security Admin. Can collect, review, and accept or reject evidence for security controls.
  • Client Owner and Client Admin. Can review and accept evidence across all controls.
  • Client Compliance Auditor. Can view and export evidence. Cannot collect or accept.
  • Requester and Readonly Viewer. No access to the compliance evidence module.
