The ACN baseline guidance treats documentary evidence as a core compliance requirement, not something assembled after the fact. For governance and GRC teams, audit readiness depends on maintaining coherent evidence sets across policies, inventories, plans, and operational records, each linked to baseline obligations.
Sources: ACN baseline reading guide, ACN baseline obligations determination
Key takeaways
- Evidence quality is as important as control implementation.
- Baseline guidance identifies recurring evidence families: inventories, plans, and registers.
- Governance-approved documents should be clearly identifiable and versioned.
- Evidence should map directly to obligations and control measures.
Sources: ACN baseline reading guide
Core evidence families to maintain
1. Inventories
Maintain updated inventories of physical assets, services, systems, and applications relevant to the NIS scope.
2. Plans
Maintain current plans such as risk treatment, vulnerability management, continuity, disaster recovery, and crisis/incident-related plans where applicable.
3. Registers and records
Maintain traceable records of policy reviews, training activities, incident process actions, and governance decisions.
4. Governance-approved documents
Ensure documents requiring governing-body approval are formally approved, version-controlled, and retrievable.
Sources: ACN baseline reading guide, ACN baseline obligations determination
Audit-readiness operating model
| Step | Control objective | Expected output |
|---|---|---|
| Evidence mapping | Link each obligation to documentary proof | Obligation-to-evidence matrix |
| Version governance | Ensure document lifecycle traceability | Version log and approval history |
| Accessibility | Enable rapid retrieval for checks/audits | Structured evidence repository |
| Completeness checks | Detect missing or stale evidence | Periodic gap assessment report |
Sources: ACN baseline reading guide
90-day implementation checklist
- Build an obligation-to-evidence matrix by NIS control family.
- Standardize document naming, ownership, and versioning rules.
- Reconcile all governance-approved documents against required approvals.
- Set periodic evidence freshness checks with escalation for stale artifacts.
- Run an internal mock audit focused on retrieval speed and completeness.
FAQ
Are evidence requirements limited to policies?
No. Official guidance includes inventories, plans, and operational registers in addition to policy artifacts. Source: ACN baseline reading guide
What makes evidence audit-ready?
Evidence should be complete, current, traceable to obligations, and retrievable with clear ownership and approval history. Source: ACN baseline reading guide
Which documents typically need governance approval?
Details are defined in official baseline documentation, including dedicated sections on governance-approved document sets. Sources: ACN baseline reading guide, ACN baseline obligations determination
Aegister provides NIS2 compliance support including evidence framework design and audit preparation guidance.