How to set up Evidence for Compliance Framework Controls

Last updated: May 22, 2025

To complete compliance checks without integration, you must provide evidence for each of the following items:

  1. Risk assessment: Review and approve the risk register.

  2. Requesting and approving access: Provide a screenshot of your access request and approval process (e.g., Slack channel or ticketing system).

  3. SSL/TLS: Perform a test on SSL Labs and upload the results.

  4. Disaster recovery testing: Complete the provided simulation exercise (duration: 30-60 minutes).

  5. Security event logging: Provide a screenshot of your security logging tool.

  6. Source control: Provide a screenshot of your version control tool (e.g., GitHub).

  7. Security event review: Provide a screenshot of your security event review system (e.g., post-mortem on Notion).

  8. Cyber insurance: Provide proof of your cyber insurance or explain the reason for not having it.

  9. Incident tracking: Provide a screenshot of your incident tracking tool.

  10. Separation of environments: Provide evidence of separation between development and production environments.

  11. Agile process: Provide evidence of recurring meetings (e.g., calendar invites).

  12. Role-based access control (RBAC): Provide documentation showcasing RBAC setup.

  13. Restricted production access: Provide screenshots showing the process for requesting production access.

  14. Penetration testing: Provide penetration test results.

  15. Employee performance reviews: Provide an anonymized template or example.

  16. Change Management Approvals: Provide a screenshot of your code versioning tool.

  17. Architecture diagram: Provide a screenshot of your architecture diagram.

  18. Board oversight: Provide meeting records of board meetings or meetings with founders.

  19. Published job descriptions: Provide a screenshot or URL of your job postings.

  20. Infrastructure as code: Provide an example of Terraform configurations or CI setup.

  21. Least-privilege access: Provide documentation showcasing RBAC setup.

  22. Master Services Agreement: Include the relevant section of a client contract.

  23. Change Management Tooling: Provide a screenshot of your code versioning tool.

  24. System description: Use the template provided by Bastion to describe your system.

  25. Password management tool: Provide proof of using a password management tool.

  26. Public privacy policy: Provide the URL of your public privacy policy.

  27. Terms of Use: Provide the URL of your Terms of Use or Terms & Conditions.