Control status reflects implementation progress and ongoing effectiveness. Understanding status indicators and evidence requirements helps you maintain continuous compliance.
Control Status Explained
DSALTA uses four status levels to indicate control health:
Completed (Green)
The control is fully implemented and verified:
All required evidence has been collected
Associated tests are passing
Policies are documented and approved
The owner is assigned and active
No outstanding issues
Completed controls contribute to your framework completion percentage and indicate audit readiness for this requirement.
In Progress (Yellow)
The control is being implemented but is not yet complete:
Some evidence exists, but gaps remain
Tests may be passing, but the evidence is insufficient
Policy is drafted but not yet approved
Implementation is underway, but not finished
In Progress controls show active work but won't count toward completion until fully implemented.
Needs Attention (Red)
The control has issues requiring immediate action:
Previously passing tests are now failing
Evidence has expired or become outdated
Integration connectivity issues prevent monitoring
Critical evidence is missing
Needs Attention indicates drift from compliance or emerging problems that could impact audit outcomes.
No Evidence (Gray)
No implementation activity has occurred:
No evidence collected
No owner assigned
No tests configured
No related policies
No Evidence controls represent remaining work in your compliance program.
How Status is Determined
DSALTA calculates control status using weighted factors:
Test Results (40%): Are automated tests passing?
Evidence Completeness (35%): Is the required evidence present and current?
Policy Documentation (15%): Are related policies approved?
Manual Verification (10%): Has the owner confirmed implementation?
All factors must be satisfied for the Completed status. Any failing factor triggers In Progress or Needs Attention status.
Evidence Requirements
Evidence proves you've implemented a control and it's working as intended. Each control requires specific evidence types:
Automated Evidence
Collected automatically from integrations:
Identity Provider Evidence:
User directory exports
MFA enrollment reports
Access logs
Group membership records
Cloud Infrastructure Evidence:
Encryption settings
Network configurations
Security group rules
IAM policies
Audit logs
Development Tools Evidence:
Code review records
Commit histories
Vulnerability scan results
Deployment logs
Communication Tools Evidence:
Security training completion
Policy acknowledgments
Incident response channels
Automated evidence is collected continuously and updated in real time as your environment changes.
Manual Evidence
Uploaded by control owners for requirements not covered by integrations:
Documentation:
Policy documents
Procedures and runbooks
Contracts and agreements
Certifications and attestations
Screenshots:
Configuration settings
Dashboard views
Security tool outputs
System settings
Reports:
Vulnerability assessments
Penetration test results
Risk assessments
Audit reports
Records:
Training attendance
Background check confirmations
Access review sign-offs
Incident response logs
Evidence Best Practices
Quality Over Quantity
Focus on relevant, clear evidence rather than uploading excessive documentation. Auditors value:
Recent evidence (within the last 3-6 months)
Clear demonstrations of control effectiveness
Well-organized and labeled artifacts
Evidence showing continuous operation, not a one-time setup
Proper Labeling
Name evidence files descriptively:
✅ "AWS_Encryption_Settings_2024-12-10.pdf"
❌ "Screenshot.png"
Include dates in filenames to track evidence age.
Regular Updates
Refresh evidence periodically:
Quarterly for most controls
Monthly for high-risk controls
Annually for stable administrative controls
Set reminders in DSALTA to update evidence before it becomes stale.
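The labeling and refresh guidance above can be checked mechanically. The following Python sketch is an added example, not part of DSALTA or its documentation: it reads the date embedded in each evidence filename and flags undated or stale files. The tier names, the day thresholds chosen for monthly, quarterly and annual refresh, and the sample inventory (apart from the two filenames quoted above) are assumptions for illustration.

```python
import re
from datetime import date

# Maximum evidence age in days per refresh cadence (monthly, quarterly, annually).
# Tier names and exact day counts are assumptions made for this example.
MAX_AGE_DAYS = {"high-risk": 31, "standard": 92, "administrative": 366}

# ISO date (YYYY-MM-DD) embedded in a filename such as ..._2024-12-10.pdf
DATE_IN_NAME = re.compile(r"(?<!\d)(\d{4})-(\d{2})-(\d{2})(?!\d)")


def evidence_date(filename):
    """Return the date embedded in the filename, or None if absent or invalid."""
    m = DATE_IN_NAME.search(filename)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # digits that do not form a real date, e.g. 2024-13-40
        return None


def classify(filename, tier, today):
    """Return 'undated', 'future-dated', 'stale' or 'current' for one file."""
    d = evidence_date(filename)
    if d is None:
        return "undated"
    age = (today - d).days
    if age < 0:
        return "future-dated"  # a date after 'today' usually means a typo
    return "stale" if age > MAX_AGE_DAYS[tier] else "current"


def audit(files, today):
    """Map each (filename, tier) pair to its classification."""
    return {name: classify(name, tier, today) for name, tier in files}


# Constructed sample inventory; only the first two names appear on this page.
SAMPLE = [
    ("AWS_Encryption_Settings_2024-12-10.pdf", "standard"),
    ("Screenshot.png", "standard"),
    ("IdP_MFA_Enrollment_2024-11-01.csv", "high-risk"),
    ("Security_Policy_Approval_2024-02-15.pdf", "administrative"),
    ("Backup_Log_2024-13-40.txt", "standard"),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE, date(2025, 1, 15)).items():
        print(f"{status:12} {name}")
```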
Complete Coverage
Ensure evidence fully demonstrates the control:
Incomplete: Screenshot of MFA enabled for one account
Complete: Report showing MFA enabled for all accounts with enrollment dates
Auditors look for comprehensive proof, not partial implementation.
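The difference between the incomplete and complete MFA evidence above, as an added example that is not part of DSALTA or its documentation: a Python check over a user directory export that counts an account as covered only when MFA is enabled and an enrollment date is recorded. The CSV column names, the decision to scope the check to active accounts, and the sample rows are assumptions for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export. The column names are assumptions for this example,
# not the schema of any particular identity provider.
SAMPLE_EXPORT = """\
username,status,mfa_enabled,mfa_enrolled_at
alice,active,true,2024-03-02
bob,active,false,
carol,active,true,
dave,suspended,false,
erin,active,true,2024-09-17
"""


def mfa_coverage(export_text):
    """Return (covered, in_scope, gaps) for the active accounts in the export."""
    covered, in_scope, gaps = 0, 0, []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].strip().lower() != "active":
            continue  # assumption: only active accounts are in scope
        in_scope += 1
        enabled = row["mfa_enabled"].strip().lower() == "true"
        try:
            date.fromisoformat(row["mfa_enrolled_at"].strip())
            dated = True
        except ValueError:  # empty or malformed enrollment date
            dated = False
        if enabled and dated:
            covered += 1
        elif enabled:
            gaps.append((row["username"], "enabled but no enrollment date"))
        else:
            gaps.append((row["username"], "MFA not enabled"))
    return covered, in_scope, gaps


if __name__ == "__main__":
    covered, in_scope, gaps = mfa_coverage(SAMPLE_EXPORT)
    print(f"MFA coverage: {covered}/{in_scope} active accounts")
    for user, reason in gaps:
        print(f"  gap: {user}: {reason}")
```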
Evidence Collection Workflow
For Automated Evidence:
Connect the relevant integration
Allow 15-30 minutes for initial sync
Review the collected evidence on the control detail page
Verify evidence covers all requirements
Monitor integration health to ensure continuous collection
For Manual Evidence:
Open the control detail page
Navigate to the Evidence tab
Click Upload Evidence
Select file(s) from your computer
Add description and evidence type
Associate with specific control requirements
Save and confirm upload
Evidence Retention
DSALTA retains all evidence indefinitely, creating a historical record:
Demonstrates continuous compliance over time
Provides audit trail of control evolution
Shows response to previous audit findings
Supports annual recertification
Older evidence remains accessible even after being replaced with updated versions.
Evidence by Control Category
Different control types require different evidence:
Access Control Evidence
User directories with role assignments
MFA enrollment reports
Access review sign-offs
Privileged access logs
Termination records
Encryption Evidence
Encryption configuration screenshots
Certificate inventories
Key management policies
Encryption-at-rest confirmations
TLS/SSL test results
Monitoring Evidence
Log retention configurations
SIEM dashboard screenshots
Alert rule definitions
Security monitoring reports
Incident detection records
Business Continuity Evidence
Backup schedules and logs
Disaster recovery plans
Business continuity test results
Recovery time/point objectives
Failover documentation
Vendor Management Evidence
Vendor security assessments
Contract security clauses
Vendor risk scores
Due diligence reports
Vendor monitoring records
Common Evidence Gaps
Avoid these frequent mistakes:
Outdated Evidence: Last year's access review doesn't prove that current access is appropriate
Configuration Only: Showing that encryption is enabled doesn't prove it has been enabled continuously
Partial Coverage: MFA evidence for some users doesn't satisfy an "all users" requirement
Missing Context: Screenshots without an explanation of what they demonstrate
Point-in-Time Only: One backup log doesn't prove a regular backup schedule
Evidence for Multiple Frameworks
When a control maps to multiple frameworks, the same evidence often satisfies all requirements:
Example: Encryption evidence proving:
SOC 2 CC6.7 compliance
ISO 27001 A.10.1.1 compliance
HIPAA 164.312(a)(2)(iv) compliance
Upload once, apply to all mapped controls automatically.
Organizing Evidence
DSALTA organizes evidence by:
Control: All evidence for a specific control
Framework: All evidence supporting a framework
Date: Chronological evidence collection
Type: Automated vs. manual evidence
Source: Which integration provided it
This multi-dimensional organization ensures evidence is easily retrievable during audits.
Evidence Review Process
Establish regular evidence reviews:
Monthly: Review critical controls
Verify automated evidence is current
Check for missing manual evidence
Update outdated documentation
Quarterly: Comprehensive evidence audit
Review all control evidence
Replace stale evidence
Fill identified gaps
Prepare for potential audits
Annually: Full program review
Archive old evidence
Update all policies and procedures
Refresh all manual evidence
Prepare for recertification
Evidence and Audit Readiness
Auditors evaluate evidence quality based on:
Relevance: Does it prove the control exists?
Reliability: Is the source trustworthy?
Completeness: Does it cover all requirements?
Currency: Is it recent enough?
Consistency: Does it align with other evidence?
Strong evidence in DSALTA translates to smooth audits with fewer follow-up questions.
Next Steps
To maintain strong control evidence:
Connect integrations to automate evidence collection
Review evidence requirements for each control
Upload manual evidence for gaps
Set quarterly reminders to refresh evidence
Monitor evidence age and replace as needed

