Applies to: NIS2 entities organizing documentary evidence and governance approvals for baseline obligations.
An evidence matrix is the operational bridge between policy text and verifiable compliance proof. In Aegister's Compliance Documentation Audit method, the matrix links each requirement point to expected artifacts (plans, procedures, registries, reports) and evaluates their maturity. In parallel, approval-readiness checks validate whether board-sensitive documents include a formal approval pathway where baseline rules expect it.
Key Takeaways
- Evidence should be measured on maturity levels, not only "present/absent."
- Approval-sensitive controls need a dedicated governance track, not a late legal formality.
- The matrix should separate artifact types (lists, plans, procedures, registers, reports).
- The output is a prioritized remediation queue aligned to compliance risk.
Scope of This Article
This article covers:
- How to design and use an evidence matrix in documentary audit.
- How to assess approval-readiness for board-sensitive controls.
- How to convert matrix results into actionable remediation priorities.
This article does not cover:
- Client-identifying evidence or internal records.
- Full proprietary templates.
Official Reference Framework
| Source | Relevance for evidence and approvals |
|---|---|
| Legislative Decree 138/2024 | Defines obligations on governance, risk management measures, and incident handling. |
| ACN Determination on baseline obligations | Establishes baseline measure/point structure and annex-based control logic. |
| ACN Reading Guide | Clarifies documentary evidence expectations and governance approval context (Appendix C). |
| ACN NIS baseline page | Provides implementation context for baseline obligations. |
Why Evidence Matrices Fail Without Method
- Evidence references are scattered in prose and not requirement-linked.
- Procedures are cited but not traceable to a controlled artifact.
- Plans exist as statements but not as structured documents.
- Approval workflow is assumed, but not encoded in document governance.
Matrix Design: Two Linked Views
1) Evidence coverage view
Maps requirement points to expected evidence artifacts by family:
- Lists
- Inventories
- Plans
- Procedures
- Registers and reports
2) Approval-readiness view
Maps board-sensitive requirement points to governance approval controls:
- Approval actor
- Approval stage
- Revision log trace
- Signature/date evidence path
Evidence Maturity Scale (Operational)
| Level | Label | Interpretation |
|---|---|---|
| 0 | Absent | No evidence reference |
| 1 | Mentioned without locator | Evidence named but not traceable |
| 2 | Mentioned with locator | Traceable reference without explicit requirement mapping |
| 3 | Traceable and mapped | Requirement-to-evidence link is explicit |
| 4 | Verified artifact | Evidence is available for verification in controlled corpus |
Approval-Readiness Scale (Operational)
| Level | Label | Interpretation |
|---|---|---|
| 0 | No approval mention | Governance path absent |
| 1 | Generic approval mention | Approval implied, actor/path unclear |
| 2 | Explicit mention of approving body | Governance actor identified, process still weak |
| 3 | Defined process | Approval workflow and controls documented |
| 4 | Verified approval evidence | Workflow documented and approval evidence traceable |
Board-Sensitive Controls: How to Handle Them
The baseline framework requires dedicated governance attention for approval-sensitive items (Appendix C context). In audit operations, these are tracked as a specific control cluster and reviewed separately from technical-document quality.
Practical rule: technical quality can score high, but readiness remains constrained if the approval architecture is missing.
Official interpretation is defined by ACN baseline documentation and annexes (ACN Reading Guide, ACN Determination).
Minimum Matrix Fields for Audit Use
| Field | Mandatory | Why it matters |
|---|---|---|
| Requirement point code | Yes | Atomic traceability |
| Primary document | Yes | Accountability |
| Expected evidence artifact | Yes | Control design clarity |
| Evidence maturity level | Yes | Objective progress measurement |
| Approval-sensitive tag | Conditional | Governance control routing |
| Approval maturity level | Conditional | Board-readiness status |
| Owner | Yes | Execution responsibility |
| Target remediation date | Yes | Program control |
How to Run the Evidence + Approval Audit
- Load requirement-to-document baseline mapping.
- Identify required evidence artifacts per requirement point.
- Assign evidence maturity level (0-4).
- Identify approval-sensitive points and assign approval maturity level.
- Flag gaps by severity and dependency.
- Build a remediation queue with quick wins and structural fixes.
- Re-check matrix after remediation cycle.
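The following Python sketch is an added example, not Aegister's tooling: it encodes the minimum matrix fields and the two 0-4 scales above, applies the practical rule that approval-sensitive points are capped by approval maturity, and orders constructed rows into a remediation queue. The severity formula and the quick-win/structural split are assumptions for illustration, not the method's published scoring.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = range(0, 5)  # both maturity scales in the article run 0-4


@dataclass
class MatrixRow:
    """One evidence-matrix row carrying the minimum audit fields."""
    point_code: str               # requirement point code (atomic traceability)
    primary_document: str
    expected_artifact: str        # list, inventory, plan, procedure, register/report
    evidence_level: int           # evidence maturity 0-4
    owner: str
    target_date: str
    approval_sensitive: bool = False
    approval_level: Optional[int] = None  # conditional: required when approval_sensitive

    def validate(self) -> None:
        if self.evidence_level not in LEVELS:
            raise ValueError(f"{self.point_code}: evidence level must be 0-4")
        if self.approval_sensitive and self.approval_level not in LEVELS:
            raise ValueError(f"{self.point_code}: approval-sensitive point needs approval level 0-4")


def readiness(row: MatrixRow) -> int:
    """Practical rule: an approval-sensitive point cannot be readier than its approval path."""
    row.validate()
    return min(row.evidence_level, row.approval_level) if row.approval_sensitive else row.evidence_level


def classify(row: MatrixRow) -> str:
    """Assumed rule: untraceable artifacts or an absent governance path are structural fixes."""
    if row.evidence_level <= 1 or (row.approval_sensitive and row.approval_level <= 1):
        return "structural"
    return "quick win"


def remediation_queue(rows: List[MatrixRow]) -> List[Tuple[str, int, str, str]]:
    """Open items sorted by severity (4 - readiness), approval-sensitive first on ties."""
    open_rows = [r for r in rows if readiness(r) < 4]
    open_rows.sort(key=lambda r: (readiness(r), not r.approval_sensitive, r.point_code))
    return [(r.point_code, 4 - readiness(r), classify(r), r.owner) for r in open_rows]


# Constructed sample rows; codes, owners and dates are placeholders, not client data.
SAMPLE = [
    MatrixRow("GOV-01", "Information Security Policy", "plan", 4, "CISO", "2025-03-31", True, 1),
    MatrixRow("RISK-02", "Risk Management Procedure", "procedure", 2, "Risk Manager", "2025-02-28"),
    MatrixRow("INC-03", "Incident Response Plan", "register/report", 3, "SOC Lead", "2025-02-15", True, 3),
    MatrixRow("LOG-04", "Logging Standard", "register/report", 4, "IT Operations", "2025-01-31"),
]

if __name__ == "__main__":
    for item in remediation_queue(SAMPLE):
        print(item)
```

Note that GOV-01 tops the queue despite a fully verified artifact, because its approval maturity of 1 drags readiness down to 1.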
Typical High-Impact Findings
- Approval-sensitive documents with no explicit approval path in draft architecture.
- Critical procedures referenced in policy but missing as retrievable artifacts.
- Incident-response communication evidence missing from documentary chain.
- Data-protection and logging artifacts not linked to requirement points.
- Cross-document conflicts in governance terminology and escalation ownership.
Deliverables Produced from the Matrix
- Evidence coverage matrix (requirement -> artifact -> maturity).
- Approval-readiness register for governance-sensitive items.
- Gap log by severity and dependency.
- Executive dashboard for remediation progress.
FAQ
Is an evidence matrix only useful for audits?
No. It is also a governance instrument for ongoing control lifecycle management.
Can we run approval-readiness checks before formal signatures?
Yes. That is recommended, because missing workflow architecture is usually the real blocker.
Should external group-level documents be accepted as evidence?
They can support coverage, but they should be explicitly mapped and, when possible, made reviewable in the local compliance corpus.
If we are unsure about an approval requirement, where do we confirm it?
Use official baseline sources: ACN Reading Guide, ACN Determination, D.Lgs. 138/2024.
Conclusion
An evidence matrix becomes valuable when combined with explicit approval-readiness controls. This dual view lets organizations move from documentary statements to auditable proof, while reducing late-stage governance bottlenecks in NIS2 baseline compliance programs.
Related reading
- Compliance Documentation Audit for NIS2 Baseline Obligations: Method Overview
- NIS2 Requirement-to-Document Mapping: Building a Defensible Audit Structure
- NIS2 Compliance Documentation Audit: How the Scoring Methodology Works
- Aegister NIS2 Compliance Service
- Aegister Virtual CISO Service