Set up, Gather, and Approve Evidence

Learn how to manage evidence gathering.

PolicyCo offers an in-platform approach to documenting your compliance efforts. Collecting evidence is a clearly defined way to show that you are doing what you say you're going to do. Some organizations will call this a control test. For the purposes of this article, we will use the term "evidence." By default, PolicyCo will associate the labels as Evidence. However, this label is dynamic and can be updated to Control Test in the Settings to meet industry terminology standards.

Roles Associated with Gathering Evidence

Author

The author of the evidence template is in charge of defining the Name, Description, Assignee, Reviewer and optionally establishing the period required for gathering evidence. An author has the permissions to define and edit the criteria of the evidence template.

Assignee

The assignee is responsible for gathering the evidence and ensuring any periods set are populated with logs, screenshots, files or links as applicable. If the period is defined, tasks associated with gathering evidence will appear in an assignee's 'My Tasks' list. Assignees cannot modify the criteria in the evidence template.

Reviewer

The reviewer is responsible for reviewing and approving evidence that has been uploaded. A Reviewer can determine if the evidence is acceptable, or if remediation is necessary.


Management Action Plan (MAP) Author

The MAP author is in charge of defining and authoring a MAP (when applicable).

To Set Up Evidence Gathering

  • Click on Evidence from the left menu

  • Click Add New (You must be an Owner or Manager to perform this task)

  • Click Add New button

    Tip: Before creating a new place to gather evidence, we recommend searching for existing evidence templates to ensure the same information is not already being gathered. If you find that it is, there is no need to duplicate efforts; instead, use the existing instance and link the existing template to multiple procedures.
  • Add a Name

    • This is a short, descriptive name that describes the nature of the evidence.

      • Example: AWS Backup Logs

  • Define Period (Optional)

    • Adding periods is not required. If you do not create a period, PolicyCo will create a single unassigned folder for documentation to be uploaded to.

    • If you plan to gather evidence periodically, check the Define Period checkbox and choose your period. Common selections include:

      • Monthly - Frequency: Month, Repeat every: 1

      • Quarterly - Frequency: Month, Repeat every: 3

      • Yearly - Frequency: Month, Repeat every: 12

      • Semi-Monthly if evidence needs to be gathered on the 1st and 15th of each month

    • There is the option to set an end date; however, it is best practice to leave this blank to ensure notifications do not cease.

  • Click Configure

    Note: When defining a period, that period will close 2 periods past the date and evidence will no longer be accepted. For example, if set to monthly, the July evidence period will close after September and evidence will no longer be accepted. For daily, if the evidence is due Monday, the period will close after Wednesday and evidence will no longer be accepted.

Understanding Your Evidence Template

Adjusting Authors, Assignees and Reviewers

  • Author
    By default, if you created the evidence template, you will be defined as the author. You may choose to adjust authors from the drop down menu, but be careful not to confuse this with the assignee.

  • Assignee(s)
    By default, if you created the evidence template, you will also be defined as an assignee. If you are not the individual responsible for collecting evidence, you may add (and remove) users as applicable. You may choose to adjust assignees by adjusting users from the drop down menu.

  • Reviewer(s)
    By default, if you created the evidence template, you will also be defined as an assignee. If you are not the individual responsible for reviewing evidence, you may add (and remove) users as applicable. You may choose to adjust reviewers by adjusting users from the drop down menu.

  • Management Action Plan (MAP) Author
    When a MAP is necessary, an Author must be assigned by the Reviewer to write this management action plan to be approved by the Reviewer.

If you did not define a period

Your evidence template will contain one purple folder for gathering and uploading your documentation if you did not define a period.

If you defined a period

Your evidence template will contain multiple folders for gathering and uploading evidence if you defined a period. Future periods will be created automatically by PolicyCo as they are coming due. You will also notice that PolicyCo always creates an Unassigned folder. This can be used for documentation that may be relevant but is not tied to a specific period. The folders are color coded by status:

  • Purple - Evidence is populated and current (or it is an unassigned folder)

  • Yellow - Evidence is Coming Due

  • Red - Evidence is Past Due

The filter can be used to limit the list of periods to your filter contents. Typing in "May" will filter the list to all May periods. Typing in 2020 will show all periods for the year 2020.

If you wish to add or remove a period once an Evidence Template is created, you may click the three-dot hamburger menu and select the option to adjust. 

Linking Evidence to a Procedure

It's more than likely that your evidence collection is the result of a Procedure(s), and PolicyCo allows you to link your Procedure(s) directly to your evidence to create the relationship. You can link an Evidence template to a Procedure(s) in two ways:


Linking From The Evidence Template

  • Click on the Evidence Template

  • Click the + icon next to Procedures

  • Check the box(es) next to the applicable Procedures

  • Click Close

  • To remove the association, click the three dot hamburger menu and click "Unlink Procedure"

Important Note: Prior to December 2021, PolicyCo allowed relationship linking of Evidence directly to external framework controls. If you linked an Evidence template to a Framework control in the past, it will remain linked. Based on user feedback, it is more applicable to link directly to a Procedure (which is linked to a Policy Article, which is then linked to a Framework Control.) We agreed with our clients, and made the change. If you have the bandwidth, you can adjust your old associations, otherwise they will remain linked, but no new direct linking can be made from Evidence to Framework Control. 

Linking From The Procedure Editor

  • Click Procedures from the left menu

  • Click on the procedure you want to link to highlight it in purple

  • Click the + icon below Evidence

  • Choose the Evidence Templates you want to link to this Procedure

  • Click Close

  • To remove the association, click the three dot hamburger menu and click "unlink Evidence"

Gathering Evidence

To Identify Evidence Due

  • Click Home

  • Click on My Tasks

  • Filter as applicable

To Upload Evidence

  • Navigate to Evidence Template

  • Choose the desired folder

  • There are two ways to upload evidence:

    • Upload a file

    • Click the menu to associate a URL / hyperlink instead of a file (in the event you store evidence in an external source)

  • Click Submit for Review

Evidence can be uploaded once the pre-determined period has ended. To add evidence set to be uploaded monthly, once the previous month has ended, the evidence folder will allow for upload. For example, to add October's evidence to the October folder, you'll log in on November 1st to upload the evidence.

To Review Evidence

When reviewing evidence, the reviewer may approve, mark as incomplete, or fail the review period.

  • To approve uploaded evidence, click the Approve button

  • To mark uploaded evidence as incomplete, click the Incomplete button

    • Incomplete evidence will show on the Assignee's task list

  • To fail the review period, click the drop down on the Incomplete button and choose Fail Review

    • A failed review will generate an action plan assignment

    • An author must be set

    • A due date must be set for the written plan

    • A description must be provided of why this evidence has failed

    • A due date must be provided for resolution / completion of the written plan

    • A description must be provided for the plan

    • A resolution must be provided before clicking the Complete button

To approve evidence that has completed an action plan, click the Approve button

Managing Uploaded Evidence

The evidence is timestamped when uploaded and is viewable in the list by clicking on each item. PolicyCo can display images, text files and PDFs in the viewer. Other types of documents cannot be displayed but can be downloaded. Evidence may also be deleted.

  • To download evidence individually, click the hamburger menu to the right of the evidence and choose Download

  • To download all evidence for a given period, click the hamburger menu to the right of the period folder and choose Download all Evidence

  • Once uploaded, evidence cannot be deleted.

Procedures That Do Not Require Evidence Collection

There may be instances in which a procedure does not require an associated evidence template. By default, the procedure-evidence link is disabled. This will become most important when updating your Home snapshot.

To Enable Linking

By default, linking is disabled; however, you can update the toggle to allow the procedure to be linked to the appropriate Evidence template.

  • Navigate to the procedure that requires evidence collection

  • Click on the toggle to the left of the + icon under Evidence

