Building an ISO 27001 Evidence Library Your Team Will Maintain
Most evidence libraries decay within months of certification. The fix is designing one that produces evidence as a byproduct of normal work.
By Kellwick Team · July 12, 2026 · 5 min read
Every company preparing for an ISO 27001 audit builds an evidence library. Most of them watch it rot within a few months. The screenshots go stale, the access reviews stop happening, and by the time the surveillance audit comes round someone is scrambling to reconstruct a year of proof in a weekend. The problem is almost never effort. It is design. This post is about building a library your team maintains without heroics.
Why evidence libraries decay
The typical evidence library is a folder of point-in-time artefacts, gathered by hand in the run-up to an audit. Screenshots of settings. Exported user lists. A CSV of tickets. Someone spends two intense weeks collecting it, the auditor is satisfied, and everyone exhales.
Then normal work resumes and nobody touches the folder again. This fails for structural reasons:
- It is manual. Anything that depends on a person remembering to take a screenshot every quarter will lapse the moment that person is busy, on leave, or gone.
- It is point-in-time. A screenshot proves a setting was correct on one day. ISO 27001 cares whether controls operate continuously, which a single snapshot cannot show.
- It is disconnected from the work. The evidence lives apart from the systems and processes that generate it, so keeping it current is pure overhead with no other payoff.
An evidence library built this way is a debt that comes due at every audit. The alternative is to make evidence a byproduct of work you already do.
Evidence as a byproduct, not a task
The core principle: the best evidence is generated automatically by the systems and processes you already run. If a control operates through a tool, the tool's own records are the evidence. You should be harvesting, not manufacturing.
Consider access control. The weak approach is a quarterly screenshot of your identity provider's user list. The strong approach is that joiners, movers and leavers flow through a defined process in your HR and identity systems, and those systems retain the log of who was granted what and when. The evidence already exists as a natural output of the process. You are not creating it for the auditor; you are pointing at what the process produced.
The same logic applies across most controls:
- Change management evidence lives in your version control and CI/CD history: pull requests, reviews, approvals, deploy logs.
- Vulnerability management evidence lives in your scanner and ticket history: findings, triage, remediation dates.
- Incident response evidence lives in your incident tooling and post-incident write-ups.
- Access reviews produce a signed-off record each cycle, retained where the review is run.
When evidence is a natural output of a running process, maintaining the library becomes a matter of knowing where the outputs live, not remembering to produce them.
Map controls to evidence sources once
The high-value exercise is done once, up front. For every control in your Statement of Applicability, write down three things:
- What proves this control operates?
- Which system or process produces that proof?
- Who owns it, and how often is it generated?
The result is a map from each control to a living source of evidence. This map is more valuable than any folder of artefacts, because it tells anyone, at any time, where to look. When an auditor asks how you manage privileged access, you do not go hunting. You go to the row in the map and pull the current record from the system named there.
Building this map also exposes your real gaps. If a control has no clear evidence source, you have not found a documentation problem. You have found a control that may not actually be operating. That is exactly what you want to discover months before an audit, not during one.
Design for the surveillance audit, not just certification
Certification is a single event. Surveillance audits recur, and continued certification depends on showing that controls kept operating in the interval. This is where snapshot-based libraries fall apart, because a screenshot from eighteen months ago says nothing about the twelve months since.
Design for the recurring case from the start. Favour evidence that accumulates continuously over evidence you capture on demand:
- A log that records every access change over the year beats a snapshot of current access.
- A ticket history showing vulnerabilities found and fixed beats a clean scan on one date.
- A record of each quarterly access review, retained as it happens, beats a promise that reviews occur.
The test to apply to any piece of evidence is simple. If the auditor asks not "is this control in place today" but "did this control operate throughout the last twelve months," can you answer from what the systems already retain? If yes, the library will survive between audits with little effort. If no, you are rebuilding it every cycle.
Keep the human parts lightweight and scheduled
Some evidence genuinely requires a person: management reviews, risk assessment updates, the sign-off on an access review, supplier reassessments. These will not generate themselves, so make them predictable.
Put the recurring ones on a schedule with a named owner and a fixed cadence, and treat each as a small routine task rather than an annual scramble. A short quarterly management review, held and minuted on time, is worth far more than a large one improvised the week before an audit. The aim is a steady rhythm of small, owned actions, each leaving a durable record where the map says it should be.
Resist the urge to over-document. Evidence should be sufficient to show the control operates, not exhaustive. A library bloated with redundant artefacts is as hard to maintain as one that is empty, and it makes the auditor's job slower, not easier.
Bottom line
An evidence library your team will maintain is one where evidence falls out of normal work, not one where people manually assemble proof under deadline pressure. Map each control to a living source once, favour evidence that accumulates over snapshots, and keep the human tasks small and scheduled. Do that and both certification and every surveillance audit become far less painful. If you want a clear-eyed view of where your current evidence would hold up and where it would not, a Kellwick readiness review can map your controls to their sources before an auditor does it for you.
Need a second pair of eyes before the auditor does?
A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.