Evidence Library

Purpose

The Evidence Library documents how Thinkwerke designs, produces, and maintains audit-ready, exportable security and compliance evidence directly from technical systems and workflows.

The goal is simple:

  • Reduce manual compliance work

  • Eliminate last-minute audit panic

  • Reuse evidence across audits, customers, and tenders

What We Mean by “Evidence”

Evidence is not a document written for an auditor.

Evidence is proof that a control exists, is operating, and is owned.

Valid evidence typically includes:

  • System-generated records

  • Pipeline outputs

  • Configuration states

  • Workflow histories

  • Logged approvals and exceptions

Evidence-by-Design Principle

Thinkwerke applies an Evidence-by-Design approach:

  • Controls are implemented with evidence outputs in mind

  • Evidence is produced automatically

  • Evidence is verifiable (its integrity and origin can be checked) and time-bound (it records when it was produced and how long it remains valid)

  • Evidence maps directly to requirements

This removes the need for retroactive documentation.

Evidence Categories

The Evidence Library is organised into the following categories:

  • Tender & assurance packs

  • Security questionnaires

  • Control-to-proof mappings

  • Exportable artefacts

Each category is designed for a specific stakeholder audience.

Evidence Lifecycle

Evidence follows a clear lifecycle:

  1. Control definition

  2. Technical implementation

  3. Continuous operation

  4. Evidence generation

  5. Export and reuse

  6. Review and retention

This lifecycle ensures consistency across time and audits.

Who Uses the Evidence Library

The Evidence Library supports:

  • Internal security and engineering teams

  • Auditors and certification bodies

  • Regulators and supervisory authorities

  • Customers and procurement teams

  • Executive and board-level stakeholders

Each audience consumes the same evidence, presented differently.

Relationship to Compliance Mapping

Evidence artefacts are mapped directly to:

  • ISO/IEC 27001 controls

  • NIS2 obligations

  • CRA requirements

  • GDPR principles

  • Customer-specific requirements

This mapping is documented in the Compliance Crosswalks: One Control, Many Obligations section.

Automation and Tooling

Evidence is typically generated via:

  • CI/CD pipelines

  • Cloud security tooling

  • Ticketing and workflow systems

  • Logging and monitoring platforms

  • Configuration and policy-as-code

Manual evidence is avoided wherever possible.
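The lifecycle steps above, the Evidence-by-Design properties (automatic, verifiable, time-bound, mapped to requirements) and the control-to-obligation crosswalk can be shown end to end in one short script. This is an added example, not Thinkwerke's own tooling: it assumes a CI job has written a JSON record (constructed inline), that the pipeline holds an HMAC key (a placeholder here), and that the control identifiers and the NIS2/CRA/GDPR labels in the crosswalk are illustrative; the ISO/IEC 27001:2022 Annex A numbers are real control references.

```python
"""Evidence-by-design, end to end: wrap a system-generated record into a
signed, time-bound artefact, verify it, and report obligation coverage.

Added example, not Thinkwerke code. KEY, the record and the identifiers
below are assumptions/constructed data for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Placeholder signing key; in a real pipeline this comes from the CI secret store.
KEY = b"pipeline-evidence-key-placeholder"
# Fixed "now" so the example is reproducible offline.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Illustrative crosswalk: one control, many obligations.
# ISO/IEC 27001:2022 Annex A numbers are real; the other labels are shorthand.
CROSSWALK = {
    "CTRL-CHG-01": ["ISO27001:A.8.32", "NIS2:Art.21(2)(e)", "CRA:Annex I"],
    "CTRL-LOG-01": ["ISO27001:A.8.15", "NIS2:Art.21(2)(b)", "GDPR:Art.32"],
}

# Constructed CI output for a change that was reviewed before deployment.
PIPELINE_RECORD = {
    "source": "ci/deploy-prod",
    "run_id": "run-4711",
    "change": "PR-321",
    "approved_by": "reviewer@example.com",
    "checks": {"tests": "passed", "sast": "passed", "approval": "recorded"},
}


def canonical(obj):
    """Deterministic JSON bytes so digests and MACs are stable."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def generate_evidence(record, control_id, key, now, valid_for=timedelta(days=90)):
    """Step 4 of the lifecycle: turn a pipeline record into an artefact that
    names the control, the obligations it satisfies, and its validity window."""
    body = {
        "control_id": control_id,
        "obligations": CROSSWALK[control_id],
        "produced_at": now.isoformat(),
        "valid_until": (now + valid_for).isoformat(),
        "record_sha256": hashlib.sha256(canonical(record)).hexdigest(),
        "record": record,
    }
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": mac}


def verify_evidence(artefact, key, now):
    """Step 6 (review): return (ok, reason) after checking origin, integrity,
    validity window and that the control is a known one."""
    body = artefact["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, artefact["hmac_sha256"]):
        return False, "signature mismatch"
    if hashlib.sha256(canonical(body["record"])).hexdigest() != body["record_sha256"]:
        return False, "record digest mismatch"
    if now > datetime.fromisoformat(body["valid_until"]):
        return False, "expired"
    if body["control_id"] not in CROSSWALK:
        return False, "unknown control"
    return True, "ok"


def coverage_report(artefacts, key, now):
    """Step 5 (reuse): which obligations are backed by currently valid evidence,
    and which still lack any."""
    covered = set()
    for art in artefacts:
        ok, _ = verify_evidence(art, key, now)
        if ok:
            covered.update(art["body"]["obligations"])
    required = {o for obls in CROSSWALK.values() for o in obls}
    return {"covered": sorted(covered), "missing": sorted(required - covered)}


def run_demo():
    """Generate one artefact, then show a valid, a tampered and an expired check."""
    art = generate_evidence(PIPELINE_RECORD, "CTRL-CHG-01", KEY, NOW)
    tampered = json.loads(json.dumps(art))  # deep copy
    tampered["body"]["record"]["approved_by"] = "nobody@example.com"
    return {
        "fresh": verify_evidence(art, KEY, NOW),
        "tampered": verify_evidence(tampered, KEY, NOW),
        "expired": verify_evidence(art, KEY, NOW + timedelta(days=91)),
        "coverage": coverage_report([art], KEY, NOW),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Three design points carry the section's principles: the MAC over the canonical body means any later edit to the record or its mapping is detectable, the validity window forces regeneration instead of reuse of stale evidence, and the coverage report is derived only from artefacts that still verify, so an obligation whose evidence has expired shows up as missing rather than silently counted.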

Design Goals

The Evidence Library is designed to be:

  • Reusable across multiple audits

  • Consistent over time

  • Easy to explain and defend

  • Aligned with real system behaviour

If evidence cannot be explained technically, it is not considered sufficient.

Key Takeaway

Strong compliance is built on strong evidence.

The Evidence Library turns everyday engineering activity into continuous proof of security and compliance.