The ISO 27001 evidence pack assembled by hand the night before the surveillance audit

The GRC lead has a folder on a shared drive called Audit Evidence. It fills up in the two weeks before each surveillance visit and goes quiet for the other fifty. That cadence is the tell. If the evidence only exists when the auditor is on the calendar, the control it claims to prove was not running the rest of the year.

The assumption underneath the scramble is that compliance is a deliverable you produce, like a slide deck, rather than a property of a system that already does the work. An ISMS that can only show its evidence during a fire drill is not a management system. It is a binder.

What the ISO 27001:2022 transition changed about evidence expectations

The transition window closed on 31 October 2025, and anyone still on the 2013 version after that date lost their certificate. The 2022 revision did more than renumber clauses. Annex A went from 114 controls across 14 domains to 93 controls in four themes, and added controls such as 8.16 (monitoring activities) and 8.9 (configuration management) that describe an ongoing state, not a one-time policy.

A control that says "we monitor activities" cannot be evidenced by a policy PDF dated last spring. The auditor wants to see that monitoring produced something this quarter, and that you can show it for an arbitrary window they pick. Stale screenshots fail that test, because a screenshot proves a moment, not a practice.

The screenshot binder versus the queryable control

A screenshot binder answers exactly one question: did this thing look right on the day someone captured it? It cannot answer the follow-ups. Who else had that access in March? Was the config still hardened in week six? Did the alert that should have fired actually fire? Each of those is a query against an event stream, and a JPEG is not queryable.

The honest version of the same control stores the underlying records, not pictures of them. Access grants and revocations as dated events. Configuration changes as a log with actor and timestamp. When an auditor asks for a different window, you change a date range instead of capturing again at midnight.

Continuous evidence: exporting the same proof any day of the year

Here is the test I apply, and it is unforgiving. Pick a control. Pick a random Tuesday from four months ago. Can you export the evidence for that day, right now, without asking anyone to log into a console and screenshot? If the answer is no, you do not operate that control. You reconstruct it under deadline pressure, which is a different and weaker thing.

Evidence on demand changes what the audit is. The surveillance visit stops being a production and becomes a spot check, because the auditor samples a stream that was always there. That is the whole point of a management system: it manages continuously, and the proof falls out of normal operation.
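As an added illustration (not the article's or Spot Suite's code), here is a minimal event store that answers the two questions above from the stream alone: the evidence for an arbitrary date window, and who held an access right on a given day, reconstructed by replaying grants and revocations rather than re-capturing a screen. The events, names and dates are constructed; the mapping of event kinds to Annex A identifiers is an assumption of mine apart from 8.9 and 8.16, which the article names.

```python
from collections import namedtuple
from datetime import date

# One dated record per control-relevant event; the alternative to a screenshot.
# Fields: when, kind, actor, subject (user / host / alert name), detail.
Event = namedtuple("Event", "when kind actor subject detail")

# Event kind -> Annex A control. 8.9 and 8.16 are named in the article; the
# rest of this mapping is an illustrative assumption, not a normative one.
CONTROL_FOR_KIND = {
    "access_granted": "A.5.18",  # access rights (assumed mapping)
    "access_revoked": "A.5.18",
    "config_changed": "A.8.9",   # configuration management
    "alert_fired": "A.8.16",     # monitoring activities
}

# Constructed sample stream (not real data) for a hypothetical Q1.
EVENTS = [
    Event(date(2025, 1, 6), "access_granted", "hr-bot", "alice", "prod-db reader"),
    Event(date(2025, 2, 3), "access_granted", "ops-lead", "bob", "prod-db reader"),
    Event(date(2025, 3, 4), "config_changed", "bob", "web-01", "PermitRootLogin no"),
    Event(date(2025, 3, 11), "alert_fired", "siem", "failed-login-burst", "web-01"),
    Event(date(2025, 3, 18), "access_revoked", "ops-lead", "alice", "prod-db reader"),
    Event(date(2025, 4, 1), "access_granted", "ops-lead", "carol", "prod-db reader"),
]

def evidence_for_window(events, start, end, control=None):
    """Events in [start, end], tagged with the control they evidence.
    A new window from the auditor is just a different start/end."""
    rows = []
    for e in sorted(events, key=lambda ev: ev.when):
        ctl = CONTROL_FOR_KIND.get(e.kind, "unmapped")
        if start <= e.when <= end and control in (None, ctl):
            rows.append((ctl, e.when.isoformat(), e.kind, e.actor, e.subject, e.detail))
    return rows

def access_holders_at(events, day, resource):
    """Replay grants and revocations up to `day` to answer
    'who held `resource` on that date' without a console screenshot."""
    holders = set()
    for e in sorted(events, key=lambda ev: ev.when):
        if e.when > day or e.detail != resource:
            continue
        if e.kind == "access_granted":
            holders.add(e.subject)
        elif e.kind == "access_revoked":
            holders.discard(e.subject)
    return sorted(holders)
```

Asking for a different Tuesday changes one date argument; the same functions answer it because the records, not pictures of them, were kept.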

Mapping one audit trail to Annex A across the whole estate

The harder problem is breadth. Annex A is dozens of controls touching identity, change management, access review, and incident handling across every application a customer touches. If each app keeps its own log in its own format, mapping an event to a control means stitching ten exports together by hand. That is where the midnight scramble comes from. Not laziness, fragmentation.

The fix is structural, not another GRC dashboard layered on the mess. Spot Suite keeps one audit trail per Customer Environment, so an event maps to its Annex A control across the estate and exports for any date you name. When the auditor picks a Tuesday, the answer is one query, and the binder you assembled by hand becomes a thing you used to do. See how the audit trail is built into the platform on our security page.