What is inside
Eight evidence categories to check before you chase documents.
This checklist is not a legal scope assessment, audit, or certification tool. It is a practical starting point for finding evidence, identifying gaps, and deciding what to do next.
1. Ownership and governance
- Named person or group responsible for cyber decisions
- Management awareness of key cyber risks
- Record of major security decisions or actions
- Owner for customer security responses
2. Risk and policy
- Cyber or information security policy
- Risk register or risk notes
- Acceptable use or staff security expectations
- Policy review date and owner
3. Assets and suppliers
- List of key systems and services
- List of important suppliers and providers
- MSP or IT provider contract/service summary
- Supplier security evidence where available
4. Access and identity
- MFA status for key systems
- User access review evidence
- Joiner/mover/leaver process
- Privileged (admin) access notes: who holds it and how it is controlled
5. Backup and continuity
- Backup approach and owner
- Backup success evidence or reports
- Restore test evidence if available (backups that have never been restored are untested)
- Continuity or recovery plan notes
6. Incident handling
- Incident contact list
- Escalation process
- Record of previous incidents or tests if relevant
- MSP or provider incident support details
7. Security checks
- Patch or update routine evidence
- Security tool summary if available
- Vulnerability scan or review evidence if available
- Action tracking for known issues
8. Customer-safe evidence
- Approved wording for common cyber questions
- Evidence that can be shared externally
- Evidence that should stay internal
- Questions requiring legal, audit, MSP, or management review