New Evidence Library

Streamline evidence collection by mapping evidence across multiple controls, maintaining version history, and preparing control readiness.

Updated over a week ago

Drata's Evidence Library serves as a repository for all the evidence you need to collect across your controls.

Disclaimer: This article describes the new Evidence Library experience, which includes new UI features and the introduction of test evidences. These features may be gradually rolled out and might not be available to all users at this time. The content is subject to change as updates are released. To refer to the older Evidence Library, go to Evidence Library.

Overview

The Evidence Library page is preloaded with evidence mapped to your controls. These pieces of evidence are commonly requested by auditors and help you prepare for an audit while maintaining compliance. If any evidence does not apply to your organization, you can delete it (individually or in bulk) or unlink it from the associated control.

Note: Pre-mapped evidence is available only to customers who have SOC 2 or ISO 27001:2022 and who joined Drata after August 27, 2024.

Evidence Type: Manual evidence

Manual evidence is evidence created by a user. Users can create evidence and attach a file, URL, or ticket as artifacts.

When you select a manual evidence item, you are redirected to a page with a Details tab that contains these sections: Overview, Linked controls, and Current artifact.

Overview section

The Overview section allows you to add a name, description, implementation guidance, and owner for the evidence. This information ensures proper collaboration and tracking.

Linked controls section

This section allows you to specify which controls apply to the evidence. Since there is a many-to-many relationship between evidence and controls, a single piece of evidence can apply to multiple controls.

Current artifact section

The Current Artifact section fulfills the evidence requirement. After creating evidence, you can upload an artifact or specify the creation and renewal dates.

Artifact sources include:

  • No Artifact: Select this if you plan to fulfill the evidence requirement later.

  • File: Upload a file from your computer or cloud storage (maximum file size: 25 MB per file).

    • If you're uploading a zipped file, it will be unzipped and verified to confirm that each file does not exceed the 25 MB limit.

  • URL: Use a link if the evidence is a URL-based resource or contains sensitive information.

  • Ticketing Provider: Select this option if the evidence is associated with a connected ticketing system.

Evidence Type: Test Evidence

When a monitoring test runs, Drata generates a test evidence PDF. This file lists failed resources along with any exclusions for that test. This PDF is the evidence that goes to the auditors.

Test evidence appears in the Evidence Library and the source is labeled as Test. These items are automatically created and cannot be modified, except for the evidence owner. To update test details or control mappings, you must go to the Monitoring or Controls pages.

Evidence Status and Control Readiness

These are the statuses for evidence. Here’s what each status means and how it applies to control readiness:

| Status | Status definition | Control readiness impact |
| --- | --- | --- |
| No Artifact | Manual evidence does not have an artifact. | Can negatively impact control readiness. |
| Ready | Manual evidence contains an artifact and the renewal date has not passed, or test evidence exists for a failing or a passing test. | Can positively impact control readiness. |
| Upcoming renewal | Manual evidence contains an artifact and the renewal date is within the next 2 months. | Can positively impact control readiness. |
| Past Renewal | Manual evidence contains an artifact but the renewal date has passed. | Can negatively impact control readiness. |
| Test disabled | The test corresponding to this test evidence is currently disabled. Users can view test evidences generated by the test runs before it was disabled. | Test evidences do not impact control readiness. Only the corresponding test result does. |
| Test error | The test corresponding to this test evidence is currently in the error state. Users can view test evidences generated by the test runs before it went into the error state. | Test evidences do not impact control readiness. Only the corresponding test result does. |
| Test unused | The test corresponding to this test evidence is currently in the unused state. Tests are in the unused state if the related connection required to run the test does not exist. Users can view test evidences generated by the test runs before it went into the unused state. | Test evidences do not impact control readiness. Only the corresponding test result does. |

Evidence Versions

When you update manual evidence, previous versions appear in the Past artifacts tab, preserving historical records.

Key Notes on Evidence Versions

  • Past artifacts remain accessible for reference.

  • Only the current version affects control readiness.

  • Previous versions cannot be restored as the current version.

  • You can delete old versions, but the current artifact cannot be deleted.

For test evidences, the evidences for the past test runs are shown in the Past evidences tab.

Add a manual evidence

You can upload evidence directly or link it from a cloud provider.

Supported File Types:

  • Direct Upload: .pdf, .docx, .odt, .xlsx, .ods, .pptx, .odp, .gif, .jpeg, .jpg, .png, .md, .zip, .txt, .csv

  • Cloud Storage: .pdf, .docx, .odt, .xlsx, .ods, .pptx, .odp, .gif, .jpeg, .jpg, .png, .csv

Supported Cloud Providers:

  • Google Drive

  • Microsoft OneDrive

  • SharePoint

  • Okta Box

  • Dropbox

File Size Limits:

  • Individual Files: 25 MB

  • Zipped Files: 100 MB (unzipped, each file must be under 25 MB)
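A pre-upload check for a zipped evidence bundle against the limits and file types listed above. This is an added example, not Drata code. It assumes "MB" means 2^20 bytes, that the 100 MB limit applies to the archive itself, and that files inside a zip must be one of the direct-upload types; the page states none of these, and the function names are hypothetical.

```python
import io
import zipfile
from pathlib import PurePosixPath

MB = 1024 * 1024          # assumption: the page does not say 10^6 or 2^20 bytes
MAX_FILE = 25 * MB        # per-file limit from the page
MAX_ARCHIVE = 100 * MB    # zipped-file limit from the page (assumed: archive size)
DIRECT_UPLOAD_EXTS = {".pdf", ".docx", ".odt", ".xlsx", ".ods", ".pptx", ".odp",
                      ".gif", ".jpeg", ".jpg", ".png", ".md", ".zip", ".txt", ".csv"}


def check_evidence_zip(data, max_file=MAX_FILE, max_archive=MAX_ARCHIVE):
    """Return a list of problems found in a zip archive (empty list = passes)."""
    problems = []
    if len(data) > max_archive:
        problems.append(f"archive is {len(data)} bytes, over the {max_archive}-byte limit")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return problems + ["not a readable zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # file_size is the uncompressed size declared in the zip directory
            if info.file_size > max_file:
                problems.append(f"{info.filename}: {info.file_size} bytes unzipped, over the per-file limit")
            ext = PurePosixPath(info.filename).suffix.lower()
            # Assumption: members must be one of the direct-upload types
            if ext not in DIRECT_UPLOAD_EXTS:
                problems.append(f"{info.filename}: extension {ext or '(none)'} is not in the direct-upload list")
    return problems


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes}; used for constructed sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({  # constructed sample bundle
        "policies/access-review.pdf": b"%PDF-1.4 constructed sample",
        "exports/users.csv": b"user,role\nalice,admin\n",
        "tools/collector.exe": b"MZ constructed sample",
    })
    for problem in check_evidence_zip(sample):
        print("FAIL:", problem)
```
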

Steps to Add Evidence in Evidence Library:

  1. Navigate to the Evidence Library page.

  2. Select Add Evidence.

  3. In the next steps, enter a Name, Description, Owner, and Artifact.

    • The Artifact section is where you can add a URL, upload a file, or indicate that this item does not need an artifact.

  4. To upload a file, under the Artifact section, select File from the Source dropdown options.

  5. Then, select Attach file.

  6. You can either upload evidence directly from your machine, or link a preferred cloud file provider.

    • Select the desktop icon to upload evidence directly from your machine, or

    • Select the desired cloud provider icon to link to that provider.

    • If you selected Google as your cloud provider:

      • Allow Drata the "See your Google Drive labels" access to view the labels in Evidence Library. If you do not allow this, the labels are not viewable in Evidence Library.

    • If you selected Microsoft OneDrive, make sure you log in to your preferred work account with the correct credentials.

    • If you selected OneDrive and more than one drive is associated with the account, make sure you select the preferred drive from the Drive dropdown menu.

  7. If you linked a cloud provider: After linking the provider, you can browse all the files from your account directly from Drata. Use the search icon to find your files or folders by keyword.

  8. Once you’ve uploaded a file, enter the Creation date and Renewal date.

  9. Optionally, you can link the evidence to controls by selecting Link control. Then, you can search for and select the controls you want to link the evidence to.

    • You can unlink a control by expanding the control tile and clicking the Unlink icon.

  10. Once you select Save, the evidence will be created and linked to the respective controls in Drata.

Add a manual Evidence from the Control page

  1. Navigate to the Controls page and select a control.

  2. On the control drawer, scroll down to the Control Evidence section. Select Add in the Evidence Library section.

  3. Select Add Evidence.

  4. Enter the evidence details, upload a file or URL, and optionally link other controls.

  5. Save your changes. You will be taken back to the control drawer. Any changes made within the control drawer will also be synced to Evidence Library.

View or update evidence

On the Evidence Library page, there is a table of evidences. If an evidence status needs attention, such as upcoming renewal or past renewal, the banner at the top guides you to the next steps.

You can also use filters to sort by status, source, owner, or framework. You can also search for evidences by name or linked controls.

Select the manual evidence or select Update to modify manual evidence.

Artifact

Under the Artifact section, if you have updated your evidence with a new artifact, the previous artifacts are shown in the Past artifacts tab, along with the creation date and renewal date of each version. If no previous evidence has been uploaded, the Past artifacts tab is not available.

Select View file to view the artifact or Update dates to update the creation or the renewal dates.

Bulk assign evidence owners

Users can also bulk reassign evidence owners by selecting one or more test or manual evidences and then selecting Assign evidence owner.

Test evidence details like overview or linked controls cannot be updated. The only editable attribute is the evidence owner. To update overview or linked controls, please update the corresponding tests from the Monitoring or the Controls page.

Delete manual evidence

⚠️ Warning: Deleting manual evidence is a permanent action. The evidence will be removed and deleted from all linked controls.

Delete multiple manual evidences

  1. Navigate to the Evidence Library page by selecting Evidence Library on the left side navigation.

  2. Select one or more evidences.

  3. Then, select Delete evidence.

Delete specific evidence

  1. Navigate to the Evidence Library page by selecting Evidence Library on the left side navigation.

  2. Click on the evidence you want to delete in the Evidence Library.

  3. On the evidence details page, click on the 3 dots at the top and click on the ‘Delete’ option.

Test evidences cannot be deleted. If users do not want a test to generate evidence, they can do so by disabling the test.
