Certification
Evidence Requirements
Each Continuum/AI control specifies evidence required to demonstrate compliance. This section defines evidence types, validity periods, and retention requirements.
Evidence types
| Type | Description | Validity |
|---|---|---|
| Policy Document | Approved organizational policy | 12 months |
| Configuration Export | System configuration demonstrating control | 12 months |
| Architecture Diagram | Visual representation of system design | Until material change |
| Log Sample | Representative logs demonstrating control operation | 30 days |
| Scan Report | Automated assessment results | 90 days |
| Test Results | Manual or automated test execution | 6 months |
| Audit Report | Independent assessment findings | 12 months |
Evidence by control
Each control specifies required evidence in its definition. Assessors evaluate whether evidence demonstrates actual compliance rather than merely documented intention.
Configuration exports must reflect deployed configurations. Log samples must show actual logging behavior. Test results must demonstrate control effectiveness.
Inherited controls
Organizations with existing certifications may inherit applicable controls when evidence demonstrates equivalence. Inheritance documentation specifies the source certification, control mapping, and evidence of equivalence.
Evidence retention
Evidence supporting certification shall be retained for the duration of certification validity plus a minimum of 12 months following certification expiration.
Regulatory requirements may mandate longer retention. Organizations must identify applicable requirements and retain evidence accordingly.