Yair Knijn
The compliance posture that lived in a binder instead of being exportable on demand
The GRC lead has built a beautiful library. Policies versioned, control descriptions cross-referenced to clauses, a risk register that maps cleanly to Annex A. The wrong assumption inside that work is that maintaining the documents about the controls is the same as proving the controls run. A policy that says access is reviewed quarterly is a claim. The quarterly review log, with names, dates and the tickets it generated, is evidence. The binder holds the first and goes looking for the second only when an auditor asks.
That is the moment the gap shows. The question is narrow: show me proof this one control operated over the last twelve months. The answer takes two weeks, because the proof was never a stored output of the control. It was something a human had to reconstruct.
Documents about controls versus controls that emit evidence
Two kinds of compliance artifact get conflated constantly. A document about a control describes intent: the policy, the procedure, the SoA (Statement of Applicability) entry. A control that emits evidence produces a record every time it runs: an access review that writes who reviewed what and when, a backup job that logs a verified restore, a change that carries an approval trail. The binder is full of the first kind. An auditor under ISO 27001:2022 does not want intent restated. They want the artifact the operating control left behind, dated, attributable, and continuous across the audit period.
If you cannot produce that record on demand, the honest reading is that the control does not run continuously. It runs when someone remembers, or it runs the week before the audit. A binder is the artifact of a control that does not run on its own.
Why one estate feeds ISO 27001, DORA, NIS2 and GDPR from the same trail
This is where the binder model gets expensive instead of merely awkward. The same control answers to multiple regimes at once. Access governance is an Annex A control, a DORA ICT risk-management obligation, a NIS2 measure, and a GDPR Article 32 safeguard simultaneously. DORA became applicable to EU financial entities on 17 January 2025, and practitioners mapping it landed on the obvious: ISO 27001 works as the control backbone, and the same evidence trail, mapped once, satisfies the overlapping frameworks instead of being re-gathered per regulator.
If your evidence lives as separate document piles per framework, every new regime multiplies the binder. If it lives as one trail per control, mapped to each clause it answers, the export is the same no matter who asks.
The two-week assembly problem and what causes it
The delay is not laziness. It is architecture. Assembly takes two weeks because the proof is scattered across systems that do not share a record:
- The access review happened in a spreadsheet someone emailed and archived.
- The approval trail lives in a ticketing tool nobody exports cleanly.
- The user list comes from one app, the activity log from another, the offboarding date from HR.
- Stitching those into one defensible timeline is manual, done under deadline pressure by the person least able to spare the time.
Every hour of that fortnight is reconstruction the control should have produced as a byproduct of running. The two weeks are the receipt for evidence that was never persisted in the first place.
Exporting proof of any control on the day it is requested
The test that matters is plain. Pick any control. Ask for twelve months of proof that it operated, with actors and timestamps, scoped to one customer. If the answer is an export, your posture is real. If it is a project, you have a library, not a control set, and the regulator is about to find out which one you have.
Spot Suite is built so every control writes its evidence to the audit trail of the Customer Environment as it runs, mapped once to the clauses it satisfies across ISO 27001, DORA, NIS2 and GDPR. Proof of any control becomes a single scoped export on the day it is asked for, not a binder assembled the night before. That is what our security posture is designed to make provable.
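As an added illustration of the evidence-trail shape this piece argues for (not Spot Suite's code or data model), here is a small Python sketch in which every control run writes a dated, attributed record, the clause mapping is declared once per control, and the export for one control, one customer and one period also reports the stretches in which the control left no record. The record schema, the sample trail, the clause labels beyond the page's own wording and the cadence threshold are all assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import date

@dataclass(frozen=True)
class Evidence:
    """One record a control writes each time it runs (constructed schema)."""
    control: str    # which control ran, e.g. "access-review"
    customer: str   # scope: the customer environment it ran for
    actor: str      # who performed or approved it
    occurred: date  # when it ran
    artifact: str   # what it left behind: ticket id, log reference, signed report

# Mapped once per control, in the article's own framing; precise article
# references a real mapping would carry are placeholders here.
CLAUSE_MAP = {"access-review": {
    "ISO 27001:2022": "Annex A 5.18 (access rights)",
    "DORA": "ICT risk-management obligation (article placeholder)",
    "NIS2": "risk-management measure (article placeholder)",
    "GDPR": "Article 32 safeguard"}}

# Constructed trail: two customers, two controls; acme's Q3 review left no record.
TRAIL = [
    Evidence("access-review", "acme", "j.doe", date(2024, 3, 28), "TKT-1041"),
    Evidence("access-review", "acme", "j.doe", date(2024, 6, 27), "TKT-1187"),
    Evidence("access-review", "acme", "m.roe", date(2024, 12, 20), "TKT-1402"),
    Evidence("access-review", "globex", "k.lee", date(2024, 9, 30), "TKT-1299"),
    Evidence("backup-restore", "acme", "ops-bot", date(2024, 7, 1), "restore-2024-07-01"),
]

def coverage_gaps(dates, start, end, cadence_days):
    """Windows longer than the control's cadence with no record, i.e. stretches
    where the control cannot be shown to have run. `dates` must be sorted."""
    gaps, cursor = [], start
    for point in list(dates) + [end]:
        if (point - cursor).days > cadence_days:
            gaps.append((cursor, point))
        cursor = point
    return gaps

def export_proof(trail, control, customer, start, end, cadence_days):
    """The on-demand export: every dated, attributed record one control left for
    one customer in the period, the clauses it answers, and any continuity gaps."""
    records = sorted((e for e in trail if e.control == control
                      and e.customer == customer and start <= e.occurred <= end),
                     key=lambda e: e.occurred)
    gaps = coverage_gaps([e.occurred for e in records], start, end, cadence_days)
    return {"control": control, "customer": customer,
            "period": (start.isoformat(), end.isoformat()),
            "clauses": CLAUSE_MAP.get(control, {}),
            "records": [asdict(e) for e in records],
            "gaps": [(a.isoformat(), b.isoformat()) for a, b in gaps],
            "continuous": not gaps}
```

For a quarterly control a cadence threshold of around 100 days flags a missed quarter while tolerating a review that slips by a week or two; the same export for "globex" shows gaps on both sides of its single record.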