Evidence Collection

Evidence links your security posture to ISM controls. QuantAssure collects evidence automatically from pipeline runs and allows you to add manual evidence for controls that aren't covered by integrations.

Evidence Types

Type             Source               Example
Finding          Pipeline scans       Dependabot alert mapped to ISM-1504
Policy           Google Drive sync    Information Security Policy
Audit Log        System activity      Change to control status
Security Check   Integration scans    MFA enforcement check
Manual           User upload          Screenshot, config export, attestation
Assessor Review  SOA import           Assessor determination and notes

Automated Evidence

How Findings Link to Controls

  • Pipeline runs collect findings from your integrations
  • AI enrichment maps findings to specific ISM controls
  • Linked findings appear automatically on the control detail page
  • Run scans regularly to keep evidence current

Policy Evidence

  • Policies synced from Google Drive provide documentary evidence
  • Link policies to your compliance framework
  • Policies are referenced by AI during assessment

Tip: Run pipeline scans weekly to maintain fresh automated evidence.

Manual Evidence

When to Add Manual Evidence

  • Physical security controls (building access, server room)
  • Procedural controls (hiring processes, training records)
  • Third-party attestations (vendor security certifications)
  • Configuration screenshots not captured by integrations

Adding Evidence

  1. Navigate to the ISM control detail page
  2. Scroll to the Evidence section
  3. Enter a title (e.g., "MFA configuration screenshot")
  4. Add a description explaining what the evidence demonstrates
  5. Optionally add a URL linking to the source document
  6. Click Add Evidence

Evidence Freshness

Status    Age                Meaning
Fresh     < 60 days          Current and audit-ready
Aging     60–90 days         Consider refreshing before audit
Stale     > 90 days          Should be refreshed
Expired   Past expiry date   No longer valid

Warning: Assessors expect recent evidence. Stale evidence may be questioned during audit.
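The freshness rules above can be applied to your own evidence inventory ahead of an audit. The following is an added example, not QuantAssure's code or API: it encodes the four statuses with the thresholds from the table (an expiry date takes precedence over age, 60 and 90 days both count as Aging) and builds a refresh queue from a constructed set of evidence records. The Evidence record shape and the sample dates are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

FRESH_MAX_DAYS = 60   # strictly less than 60 days old -> Fresh
AGING_MAX_DAYS = 90   # 60..90 days old -> Aging; older -> Stale


@dataclass(frozen=True)
class Evidence:
    """Minimal evidence record (hypothetical shape, not the product's model)."""
    title: str
    collected_on: date
    expires_on: Optional[date] = None   # e.g. a vendor certification's validity end


def freshness(ev: Evidence, today: date) -> str:
    """Classify one evidence item using the freshness table."""
    # A passed expiry date makes the item invalid regardless of how recent it is.
    if ev.expires_on is not None and today > ev.expires_on:
        return "Expired"
    age_days = (today - ev.collected_on).days
    if age_days < FRESH_MAX_DAYS:
        return "Fresh"
    if age_days <= AGING_MAX_DAYS:
        return "Aging"
    return "Stale"


def audit_readiness(items: list, today: date) -> dict:
    """Group evidence titles by status so gaps are visible before the assessor asks."""
    report = {"Fresh": [], "Aging": [], "Stale": [], "Expired": []}
    for ev in items:
        report[freshness(ev, today)].append(ev.title)
    return report


def refresh_queue(items: list, today: date) -> list:
    """Titles that need re-collection, oldest first; Fresh items are excluded."""
    due = [ev for ev in items if freshness(ev, today) != "Fresh"]
    due.sort(key=lambda ev: ev.collected_on)
    return [ev.title for ev in due]


# Constructed sample inventory, evaluated as of 2024-06-30.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Evidence("MFA configuration screenshot", date(2024, 6, 1)),          # 29 days -> Fresh
    Evidence("Server room access log export", date(2024, 5, 1)),         # 60 days -> Aging
    Evidence("Onboarding training records", date(2024, 4, 1)),           # 90 days -> Aging
    Evidence("Backup restore test report", date(2024, 3, 1)),            # 121 days -> Stale
    Evidence("Vendor ISO 27001 certificate", date(2024, 6, 20),
             expires_on=date(2024, 6, 29)),                              # recent but expired
]

if __name__ == "__main__":
    for status, titles in audit_readiness(SAMPLE, TODAY).items():
        print(f"{status:8s} {titles}")
    print("Refresh queue:", refresh_queue(SAMPLE, TODAY))
```

Running the block prints the grouped report and a refresh queue of four items; only the MFA screenshot is audit-ready as of the sample date.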

System Boundaries

  • Evidence is collected against registered systems and their assets
  • If a system isn't registered, its findings won't appear
  • If an asset isn't in scope, evidence won't link to controls
  • Register all in-scope systems before running assessments
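When a finding fails to appear on a control, the cause is usually one of the two boundary rules above. The following is an added example, not QuantAssure's code: it applies those rules to a constructed batch of findings and reports, per dropped finding, whether the system was unregistered or the asset out of scope, so the gap can be fixed before an assessment is run. The Finding record shape, the system and asset identifiers and the sample data are assumptions; ISM-1504 is taken from the evidence types table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One enriched finding (hypothetical shape, not the product's model)."""
    finding_id: str
    system_id: str
    asset_id: str
    control: str   # ISM control the finding was mapped to


def link_findings(findings: list, registered_systems: set, in_scope_assets: set):
    """Return (linked, dropped).

    linked  : control id -> finding ids that will show on the control detail page
    dropped : (finding id, reason) for findings that will not link to any control
    """
    linked: dict = {}
    dropped: list = []
    for f in findings:
        # Rule 1: findings from unregistered systems are not collected at all.
        if f.system_id not in registered_systems:
            dropped.append((f.finding_id, f"system {f.system_id} is not registered"))
            continue
        # Rule 2: a registered system's asset must also be in scope to link.
        if f.asset_id not in in_scope_assets:
            dropped.append((f.finding_id, f"asset {f.asset_id} is not in scope"))
            continue
        linked.setdefault(f.control, []).append(f.finding_id)
    return linked, dropped


# Constructed sample: two registered systems, one asset deliberately left out of scope.
REGISTERED = {"sys-web", "sys-ci"}
IN_SCOPE = {"asset-web-01", "asset-ci-runner"}
FINDINGS = [
    Finding("F-1", "sys-web", "asset-web-01", "ISM-1504"),      # links
    Finding("F-2", "sys-legacy", "asset-legacy-db", "ISM-1504"), # system not registered
    Finding("F-3", "sys-web", "asset-web-02", "ISM-1504"),      # asset not in scope
    Finding("F-4", "sys-ci", "asset-ci-runner", "ISM-1504"),    # links
]

if __name__ == "__main__":
    linked, dropped = link_findings(FINDINGS, REGISTERED, IN_SCOPE)
    print("Linked:", linked)
    for fid, reason in dropped:
        print(f"Dropped {fid}: {reason}")
```

Run this before an assessment and fix every dropped entry by registering the system or adding the asset to scope; the linked map is what the control page will show.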

Learn more about asset registration →