Compliance evidence packs
Evidence packs prepare documentation for audit review. They do not by themselves guarantee compliance.
Last updated 4/4/2026
Evidence packs collect the artifacts an auditor typically needs for a control review — alerts, investigations, approvals, briefs and timeline events — mapped to specific control IDs.
Frameworks supported out of the box
- SOC 2 Type II
- ISO 27001 (Annex A)
- PCI DSS (event-monitoring controls)
- NIST CSF (Detect and Respond)
What a pack contains
- A control mapping (e.g. SOC 2 CC7.3 → list of investigations + approvals in scope)
- Underlying evidence references that are immutable and timestamped
- An export trail showing who downloaded the pack and when
What evidence packs are not
- They are not an attestation of compliance. They are a curated set of records that supports an auditor's review.
- They do not replace the customer's compliance program, control owners or external auditor.
- They do not modify the underlying evidence — packs are read-only views on top of audit records.