Client Guide

Completing Policy Documents

Each control finding on the Audit punch list links to a pre-built document with guided fields. Fill those fields to describe how the control is implemented — then attach a typed evidence artifact from the control page's Evidence panel so an auditor can verify it.

TL;DR

Go to Audit punch list, expand a finding, click Upload evidence (or Fix artifact type / Refresh evidence depending on the failure mode). Fill the document fields to describe the implementation, then use the control's Evidence panel to attach a typed artifact (policy, log, config snapshot, …). The finding resolves automatically once the artifact type and scope match the requirement.

Step 1 — Pick a finding from the Audit punch list

The Audit punch list tab shows every control bucketed by how it would fail an audit. Start at the top of the Will fail bucket — those are the controls a CAB auditor will write up as non-conformities. Controls tagged KEY carry the most weight.

Audit punch list overview showing WILL FAIL AT RISK and READY buckets with a list of findings grouped by failure mode — Pick findings from the Will fail bucket first — those are the ones that would land as audit non-conformities today.

Step 2 — Open the linked document

Click a finding to expand it. You'll see the list of missing evidence and a prescriptive action button (e.g. Upload evidence). Clicking the button takes you straight to the control's document with the evidence section pre-focused.

Expanded finding for DE.AE-03.1 showing two missing-evidence bullets and a blue Upload evidence action button — Each finding spells out what's missing and gives you exactly one button to fix it.

Step 3 — Fill in the guided fields

The document opens in view mode with all its guided fields ready to fill. Each field shows its label, which control it satisfies (as a badge), and scope buttons to specify whether it applies to the whole organisation or a specific group.

Backup and Recovery Policy document in view mode showing section headings, dropdown fields for Backup solution and Backup frequency, and scope buttons labelled whole org and employees — Each field shows which control it satisfies — fill in the value, choose the scope, then click Save.

Select fields

Many fields offer a dropdown with predefined options. Click the dropdown to see all choices — pick the one that matches your organisation's setup.

Backup solution dropdown open showing options: Select, Veeam, Acronis, Azure Backup, AWS Backup, Backblaze, Time Machine plus external, Other — Select fields show a dropdown with options — choose the closest match or select "Other" to type a custom value.

After saving

Once saved the value appears in read mode with a scope label and an Add another option for scoped overrides per group. The page version increments automatically.

Backup solution field saved showing Veeam with Whole organisation scope label and Add another button — Saved values show in read mode. Use "Add another" if different groups use different tools.

Step 4 — Attach a typed evidence artifact

Filled fields describe the implementation in words, but an auditor needs proof — a policy document, a log export, a config snapshot, a training record. Scroll to the control's Evidence panel and click Attach evidence. The modal asks for the artifact's type, source (upload, wiki page, or external URL), scope, and valid-until date — all four are what a CAB auditor checks.

Full walkthrough: Attach evidence — typed artifacts with scope & expiry.

Findings resolve automatically

Once a typed artifact matches the control's required type and scope, the finding moves out of Will fail. The Audit punch list percentage recalculates immediately — no manual sign-off step.

The Reports tab shows your overall readiness across all function areas — it updates in real time as evidence is attached and findings resolve.

← Audit punch list Add evidence →