PolicyCo offers an in-platform approach to documenting your compliance efforts. Collecting evidence is a clearly defined way to show that you are doing what you say you're going to do. Some organizations call this a control test. For the purposes of this article, we will use the term "evidence." By default, PolicyCo labels these items as Evidence. However, this label is dynamic and can be updated to Control Test in the Settings to meet industry terminology standards.
Roles Associated with Gathering Evidence
The author of the evidence template is in charge of defining the Name, Description, Assignee, Reviewer and optionally establishing the period required for gathering evidence. An author has the permissions to define and edit the criteria of the evidence template.
The assignee is responsible for gathering the evidence and ensuring any periods set are populated with logs, screenshots, files or links as applicable. If the period is defined, tasks associated with gathering evidence will appear in an assignee's 'My Tasks' list. Assignees cannot modify the criteria in the evidence template.
The reviewer is responsible for reviewing and approving evidence that has been uploaded. A Reviewer can determine if the evidence is acceptable, or if remediation is necessary.
Management Action Plan (MAP) Author
The MAP author is in charge of defining and authoring a MAP (when applicable).
To Set Up Evidence Gathering
Click on Evidence from the left menu
Click Add New (You must be an Owner or Manager to perform this task)
Tip: Before creating a new place to gather evidence, we recommend searching for existing evidence templates to ensure the same information is not already being gathered. If you find that it is, there is no need to duplicate efforts; instead, use the existing instance and link the existing template to multiple procedures.
Add a Name
This is a short, descriptive name that describes the nature of the evidence.
Example: AWS Backup Logs
Define Period (Optional)
Adding periods is not required. If you do not create a period, PolicyCo will create a single unassigned folder for documentation to be uploaded to.
If you plan to gather evidence periodically, check the Define Period checkbox and choose your period. Common selections include:
Monthly - Frequency: Month, Repeat every: 1
Quarterly - Frequency: Month, Repeat every: 3
Yearly - Frequency: Month, Repeat every: 12
Semi-Monthly if evidence needs to be gathered on the 1st and 15th of each month
There is the option to set an end date; however, it is best practice to leave this blank to ensure notifications do not cease.
Note: When you define a period, that period will close 2 periods past the date and evidence will no longer be accepted. For example, if set to monthly, the July evidence period will close after September and evidence will no longer be accepted. For daily, if the evidence is due Monday, the period will close after Wednesday and evidence will no longer be accepted.
Understanding Your Evidence Template
Adjusting Authors, Assignees and Reviewers
By default, if you created the evidence template, you will be defined as the author. You may choose to adjust authors from the drop down menu, but be careful not to confuse this with the assignee.
By default, if you created the evidence template, you will also be defined as an assignee. If you are not the individual responsible for collecting evidence, you may add (and remove) users as applicable. You may choose to adjust assignees by adjusting users from the drop down menu.
By default, if you created the evidence template, you will also be defined as an assignee. If you are not the individual responsible for reviewing evidence, you may add (and remove) users as applicable. You may choose to adjust reviewers by adjusting users from the drop down menu.
Management Action Plan (MAP) Author
When a MAP is necessary, an Author must be assigned by the Reviewer to write this management action plan to be approved by the Reviewer.
If you did not define a period
Your evidence template will contain one purple folder for gathering and uploading your documentation if you did not define a period.
If you defined a period
Your evidence template will contain multiple folders for gathering and uploading evidence if you defined a period. Future periods will be created automatically by PolicyCo as they are coming due. You will also notice that PolicyCo always creates an Unassigned folder. This can be used for documentation that may be relevant but is not tied to a specific period. The folders are color coded by status:
Purple - Evidence is populated and current (or it is an unassigned folder)
Yellow - Evidence is Coming Due
Red - Evidence is Past Due
The filter can be used to limit the list of periods to your filter contents. Typing in "May" will filter the list to all May periods. Typing in 2020 will show all periods for the year 2020.
If you wish to add or remove a period once an Evidence Template is created, you may click the three-dot hamburger menu and select the option to adjust.
Linking Evidence to a Procedure
It's more than likely that your evidence collection is the result of a Procedure(s), and PolicyCo allows you to link your Procedure(s) directly to your evidence to create the relationship. You can link an Evidence template to a Procedure(s) in two ways:
Linking From The Evidence Template
Click on the Evidence Template
Click the + icon next to Procedures
Check the box(es) next to the applicable Procedures
To remove the association, click the three dot hamburger menu and click "Unlink Procedure"
Important Note: Prior to December 2021, PolicyCo allowed relationship linking of Evidence directly to external framework controls. If you linked an Evidence template to a Framework control in the past, it will remain linked. Based on user feedback, it is more applicable to link directly to a Procedure (which is linked to a Policy Article, which is then linked to a Framework Control). We agreed with our clients and made the change. If you have the bandwidth, you can adjust your old associations; otherwise they will remain linked, but no new direct linking can be made from Evidence to Framework Control.
Linking From The Procedure Editor
Click Procedures from the left menu
Click on the procedure you want to link to highlight it in purple
Click the + icon below Evidence
Choose the Evidence Templates you want to link to this Procedure
To remove the association, click the three dot hamburger menu and click "unlink Evidence"
To Identify Evidence Due
Click on My Tasks
Filter as applicable
To Upload Evidence
Navigate to Evidence Template
Choose the desired folder
There are two ways to upload evidence:
Upload a file
Click the menu to associate a URL / hyperlink instead of a file (in the event you store evidence in an external source)
Click Submit for Review
Evidence can be uploaded once the pre-determined period has ended. For evidence set to be uploaded monthly, the evidence folder will allow uploads once the previous month has ended. For example, to add October's evidence to the October folder, you'll log in on November 1st to upload the evidence.
To Review Evidence
When reviewing evidence, the reviewer may approve, mark as incomplete, or fail the review period.
To approve evidence uploaded, click Approve button
To mark evidence uploaded as incomplete, click Incomplete button
Incomplete evidence will show on the Assignee's task list
To fail review period, click drop down on the Incomplete button and choose Fail Review
A failed review will generate an action plan assignment
An author must be set
A due date must be set for the written plan
A description must be provided of why this evidence has failed
A due date must be provided for resolution / completion of the written plan
A description must be provided for the plan
A resolution must be provided before clicking Complete button
To approve evidence that has completed an action plan, click Approve button
Managing Uploaded Evidence
The evidence is timestamped when uploaded and is viewable in the list by clicking on each item. PolicyCo can display images, text files and PDFs in the viewer. Other types of documents cannot be displayed but can be downloaded. Evidence may also be deleted.
To download evidence individually, click the hamburger menu to the right of the evidence and choose Download
To download all evidence for a given period, click the hamburger menu to the right of the period folder and choose Download all Evidence
Once uploaded, evidence cannot be deleted.
Procedures That Do Not Require Evidence Collection
There may be instances in which a procedure does not require an associated evidence template. By default, the procedure-evidence link is disabled. This will become most important when updating your Home snapshot.
To Enable Linking
By default, linking is disabled; however, you can update the toggle to allow the procedure to be linked to the appropriate Evidence template.
Navigate to the procedure that requires evidence collection
Click on the toggle to the left of the + icon under Evidence