Skip to content
All posts

What is inside a NANOTESTING compliance evidence pack

1 min readcompliance · evidence-pack · product · audit

"Evidence pack" gets thrown around loosely, so here is exactly what ours contains and, just as important, what it deliberately does not claim.

Scope and as-of date

The pack opens with the assessment date (the completion time of the latest scan, in UTC), the hosts in scope, and how many target scans the posture reflects. An auditor's first two questions are always "as of when?" and "against what?". The pack answers them on page one instead of leaving "generated now" as the only timestamp.

Per-control status, honestly bucketed

Each control shows one of three states: at risk (an open finding maps to it), assessed with no open signal (a check ran and found nothing), or not assessed (no external-scan signal can reach it). The third bucket is the one most tools hide. Physical, administrative, and policy controls are not visible from the public internet, so we label them, rather than count them as passing.

The evidence chain

For ISO 27001 and SOC 2 controls, the pack lists the positive observations that support the status: what was seen (for example "TLS 1.3 supported, weak versions disabled"), the source tool, the affected URL, and the date last seen. A control claim that traces to a concrete, timestamped observation is evidence. One that traces to nothing is decoration.

A methodology note and a disclaimer

Finally, the pack explains how to read the statuses and states plainly that it is evidence support, not a certification or attestation, and that NANOTESTING is not an auditor. That honesty is the feature. A pack that overclaims is worse than no pack, because the first thing an auditor does is try to break your strongest claim.

Related posts