The type of evidence required is completely dependent on the control being assessed. For example, if you are assessing security policy then a copy of the security policy would be adequate evidence. If you are assessing firewall configurations, then a screenshot of the configuration would be adequate evidence.
We advise all partners to spend time building a shortlist of required documentation that can be passed to the client ahead of the assessment. This allows the client adequate time to find these resources, and saves the analyst time while on-site. This documentation can be stored in the Documents tab or attached locally in the assessment.In general, you will want to ask for any security policies they have, especially in the following areas:
Security Committee Charter
On average, the review of evidence takes between 2 and 3 hours. We advise analyst to review evidence before and after collecting assessment response. For assessment updates, the review of evidence takes between 45 minutes to an hour. You will want to verify any changes in policy that the client reports.