Evidence handling protocol

Start with the situation. Share evidence only after scope is agreed.

Cyber evidence can expose systems, suppliers, contracts, customers, incidents, and internal decisions. NIS2 Advisory starts with context and boundaries before any sensitive material moves.

Ask about evidence handling

Operating sequence

The safe route from pressure to evidence.

Evidence work should move in order. The sequence prevents accidental over-sharing, vague claims, and uncontrolled document chasing.

Explain the pressure

Start with the buyer, insurer, authority, board, tender, or NIS2 question creating urgency.

Agree scope and purpose

Decide what output is needed before any sensitive material is requested or reviewed.

Classify evidence sensitivity

Separate public, internal, operationally sensitive, and customer-facing material.

Request only what is needed

Ask for relevant proof from approved owners, MSPs, providers, or internal teams.

Mark evidence status

Label evidence as ready, partial, missing, owner-dependent, MSP-dependent, or review-needed.

Separate proof from wording

Keep internal evidence distinct from customer-safe answers, summaries, and external claims.

Evidence classification

Different proof needs different handling.

A public process summary is not the same as an access export or incident record. We classify material before using it, summarising it, or turning it into customer-facing wording.

Public / low sensitivity

Website statements, standard process summaries, public policy extracts.

Useful for context, but still checked before reuse.

Internal business material

Risk notes, internal policies, owner decisions, supplier lists, action plans.

Reviewed for scope, owner approval, date, and whether it should remain internal.

Sensitive operational evidence

Screenshots, access lists, tool exports, vulnerability outputs, incident records, architecture.

Requested only after scope and handling rules are agreed. Not used in public AI tools by default.

Customer-facing material

Approved answers, evidence summaries, disclosure notes, tender or insurer wording.

Written from verified proof and reviewed to avoid overclaiming or oversharing.

Boundaries

What we do not do.

The work is evidence readiness support. It is not a legal opinion, audit opinion, certification, managed security service, or technical remediation project.

We do not need admin access.

We do not make system changes.

We do not provide legal advice.

We do not certify NIS2 compliance.

We do not submit regulator filings.

We do not invent customer answers.

AI-assisted, human-reviewed

AI may help structure drafts. Sensitive evidence is not entered into public AI tools by default.

AI can assist with drafting, summarising, and organising non-sensitive material. Client-sensitive evidence is handled under agreed rules, and final outputs are reviewed by a human before use.

Scope first Evidence classified Human reviewed Claims tied to proof

Not sure what is safe to share?

Start with the pressure, deadline, and likely evidence sources.

Use the first conversation to explain the situation. Sensitive material comes later, only after scope, purpose, and handling rules are agreed.

Ask about evidence handling