Evidence Gaps
Identify and resolve missing compliance evidence
Evidence gaps identify controls lacking sufficient documentation. Systematically address gaps to ensure complete compliance evidence.
Understanding Gaps
What Creates a Gap?
A gap exists when:
- No evidence is linked to a control
- Evidence is expired or outdated
- Evidence doesn't match requirements
- Manual evidence is required but not uploaded
Gap Severity
| Severity | Definition |
|---|---|
| Critical | Required evidence missing for critical control |
| High | Important control lacks sufficient evidence |
| Medium | Evidence exists but may be insufficient |
| Low | Minor documentation gap |
Viewing Gaps
Gap Dashboard
Navigate to Evidence > Gaps to see:
- Total gaps by severity
- Gaps by framework
- Recently identified gaps
- Gap trends over time
Gap List
View all gaps:
| Column | Description |
|---|---|
| Control | Control with gap |
| Framework | Associated framework |
| Gap Type | Missing, expired, insufficient |
| Severity | Critical, high, medium, low |
| Identified | When gap was detected |
| Status | Open, in progress, resolved |
Filtering Gaps
Filter by:
- Severity - Focus on critical/high first
- Framework - Specific frameworks
- Gap Type - Missing, expired, etc.
- Status - Open, in progress, resolved
Gap Types
Missing Evidence
No evidence exists for the control.
Resolution: Upload appropriate evidence or run assessment
Expired Evidence
Evidence exists but is outdated.
Resolution: Collect fresh evidence (run assessment or upload current documentation)
Insufficient Evidence
Evidence exists but doesn't fully satisfy the control.
Resolution: Upload additional supporting evidence
Manual Required
Control requires evidence that can't be auto-collected.
Resolution: Manually upload required documentation
Resolving Gaps
Basic Workflow
- Review gap details
- Determine evidence needed
- Collect or upload evidence
- Link to control
- Mark gap as resolved
Gap Resolution Actions
| Action | Use When |
|---|---|
| Upload Evidence | You have documentation to add |
| Run Assessment | Automatic evidence can be collected |
| Link Existing | Evidence exists but isn't linked |
| Mark N/A | Control doesn't apply |
| Accept Risk | Gap is acknowledged exception |
Uploading Evidence
- Click Resolve on the gap
- Select Upload Evidence
- Upload appropriate file(s)
- Add description
- Confirm resolution
Running Assessment
- Click Resolve on the gap
- Select Run Assessment
- Assessment collects evidence
- Gap auto-resolves if evidence found
Linking Existing Evidence
If evidence already exists:
- Click Resolve on the gap
- Select Link Existing
- Search for artifact
- Confirm link
Gap Management
Assigning Gaps
Assign gaps to team members:
- Select gap(s)
- Click Assign
- Select team member
- Add optional note
- Assignee is notified
Gap Status
Track resolution progress:
| Status | Meaning |
|---|---|
| Open | Not yet addressed |
| In Progress | Being worked on |
| Pending Review | Evidence submitted |
| Resolved | Gap closed with evidence |
| Accepted Risk | Gap acknowledged |
Due Dates
Set resolution deadlines:
- Open gap details
- Click Set Due Date
- Select date
- Optional: Add to calendar
Overdue gaps are highlighted in the dashboard.
Gap Reports
Gap Summary Report
Generate a report of current gaps:
- Go to Evidence > Gaps
- Click Generate Report
- Select scope (all or filtered)
- Download PDF/Excel
Gap Trend Report
Track gaps over time:
- Go to Evidence > Analytics
- Select Gap Trends
- Set date range
- View/download report
Shows:
- Gaps opened vs. resolved
- Average resolution time
- Gap sources
Best Practices
Prioritization
Address gaps in order:
- Critical - Immediate attention
- High - Within 1 week
- Medium - Within 1 month
- Low - Scheduled cleanup
Prevention
Reduce new gaps:
- Schedule regular assessments
- Set evidence refresh reminders
- Establish upload workflows
- Train team on documentation
Bulk Resolution
For multiple similar gaps:
- Filter to specific type
- Select all applicable
- Take bulk action
- Resolve efficiently
Gap Exceptions
When to Accept Gaps
Some gaps may be acceptable:
- Control truly doesn't apply
- Compensating controls exist
- Business decision with approval
- Temporary during implementation
Documenting Exceptions
For accepted gaps:
- Click Accept Risk
- Provide justification
- Select approval (who approved)
- Set review date
- Gap moves to "Accepted" status
Accepted risk gaps should be reviewed periodically and require appropriate approval.
Notifications
Gap Alerts
Configure notifications for gaps:
- New critical gaps
- Gaps approaching due date
- Gaps past due date
- Gap trend changes
Email Digest
Receive regular gap summaries:
- Go to Settings > Notifications
- Enable Evidence Gap Digest
- Select frequency
What's Next?
- Evidence Artifacts - Upload evidence
- Attestations - Add attestations
- Evidence Bundles - Package for audit