Why evidence matters and what types are accepted

Understand why supporting evidence is essential to your CyberVadis assessment, what types of documents are accepted, and what good evidence looks like, so you can prepare the right documentation before you begin.

Written by Ana Nikolaeva

Evidence is required, not optional

Every answer in the CyberVadis questionnaire must be supported by evidence. Without it, our analysts cannot credit your declared controls, no matter how accurate your answers are. Evidence is what transforms a self-declaration into a verified security practice.

A document uploaded to the platform but not attached to a specific question will not be considered in your assessment. Every piece of evidence must be linked to the relevant answer to count.

What good evidence looks like

The CyberVadis assessment evaluates security practices at three levels: definition, implementation, and monitoring. Your evidence should cover all three:

  • Definition: a formal policy or procedure that shows the security practice is officially established (e.g. an information security policy, an access control procedure)

  • Implementation: proof that the policy is being followed in practice (e.g. a screenshot of a system configuration, an audit report, a training attendance record)

  • Monitoring: evidence that the control is being actively maintained and reviewed over time (e.g. a log extract, a review report, a vulnerability scan result)

A policy document alone is rarely sufficient for a full score. The strongest submissions combine all three levels of evidence for each control.

Types of evidence accepted

CyberVadis accepts a wide range of document types as evidence. Examples include:

  • Information security policies and procedures

  • Risk assessment and risk treatment reports

  • Access control and user management records

  • Incident response plans and post-incident reports

  • Business continuity and disaster recovery plans

  • Employee security awareness training records

  • Audit reports and compliance certificates (including ISO 27001, SOC 2, etc.)

  • Screenshots of system configurations or technical controls

  • Internal emails or management communications regarding security

  • Action plans for future security improvements

This list is not exhaustive: any document that credibly demonstrates a security practice is in place is acceptable.

Examples of masked evidence

You do not need to share confidential or sensitive information in full. Our analysts only need enough to verify that a practice exists and is operational. Here are examples of what is sufficient:

  • Risk register extract: we need to see that a risk assessment process exists and is being maintained, not the specific risk values or asset names

  • Network diagram: we need to see your network segmentation, security zones, and key controls (firewalls, DMZ, IDS/IPS), not IP addresses or port numbers

  • PII register: we need to confirm that personal data is being inventoried and managed, not the personal data itself

  • Security policy: we need to see the structure, scope, and management commitment, not internal names, IDs, or confidential operational details

When in doubt, redact sensitive fields and upload the sanitized version. Our analysts will work with what you provide.
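As an added illustration that is not part of the CyberVadis article, the Python script below sanitizes two constructed evidence samples the way this section describes: a network configuration extract loses its IP addresses and port numbers but keeps zones, interfaces and control names, while a risk register extract keeps the process fields (owner role, review date, status) and masks asset names and risk values. The sample text, CSV columns and function names are assumptions made for the example.

```python
import csv
import io
import re

# Constructed sample: a firewall/network configuration extract before masking.
NETWORK_EXTRACT = """\
zone DMZ: interface eth1, 203.0.113.10/24, allow tcp port 443 from ANY
zone INTERNAL: interface eth2, 10.20.30.0/24, deny all from DMZ
ids-sensor: 10.20.30.5:8443 -> syslog collector 10.20.30.9:514
"""

# Constructed sample: a risk register extract; only process fields should survive.
RISK_REGISTER_CSV = """\
risk_id,asset,description,likelihood,impact,score,owner_role,last_review,status
R-001,erp-prod-db01,Unpatched database server,4,5,20,IT Operations Manager,2024-03-12,Open
R-002,hr-fileshare,Excessive share permissions,3,4,12,HR Systems Lead,2024-02-28,Mitigated
"""

# IPv4 address with an optional CIDR suffix (e.g. 10.20.30.0/24).
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
# Columns the analyst does not need: asset identity and the risk values themselves.
MASKED_COLUMNS = {"asset", "likelihood", "impact", "score"}


def mask_network_extract(text: str) -> str:
    """Redact addresses and ports; zones, interfaces and control names remain."""
    text = IPV4.sub("[IP-REDACTED]", text)
    # "port 443" style ports, keeping the keyword so the rule stays readable
    text = re.sub(r"(?i)\b(port\s+)\d{1,5}\b", r"\1[PORT-REDACTED]", text)
    # "host:8443" style ports (note: would also hit a bare hh:mm timestamp)
    text = re.sub(r":\d{1,5}\b", ":[PORT-REDACTED]", text)
    return text


def mask_risk_register(csv_text: str) -> list[dict]:
    """Return rows with asset names and risk values replaced by a placeholder."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k: ("[MASKED]" if k in MASKED_COLUMNS else v) for k, v in row.items()}
            for row in reader]


def has_unmasked_ip(text: str) -> bool:
    """Pre-upload check: True if any IPv4 address survived redaction."""
    return IPV4.search(text) is not None


if __name__ == "__main__":
    masked = mask_network_extract(NETWORK_EXTRACT)
    print(masked)
    print("unmasked IPs remain:", has_unmasked_ip(masked))
    for row in mask_risk_register(RISK_REGISTER_CSV):
        print(row)
```

Run the pre-upload check on the final sanitized text rather than the original, so that a missed address is caught before the document is attached to an answer.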

A note on sensitive information

Before uploading any document, check that it does not contain information that should remain strictly internal, such as passwords, financial account details, or personally identifiable information that is not required for the assessment. Redact or mask any fields that are not relevant to the security practice being evidenced.

For information on how CyberVadis handles and protects your uploaded documents, see [How CyberVadis protects your data: overview].

Reducing the evidence burden with AI prefill

If you have a library of information security documentation, consider using the AI prefill feature - our in-house tool will automatically analyse your documents, fill in the relevant controls, and attach the corresponding evidence on your behalf. See [Why do some questions already have responses?] for more detail.