Cyber Essentials
DashboardSign Out

Lesson 10.2 — Final evidence pack: mapping evidence to the five controls, gaps, risks and submission readiness

This lesson helps the learner build a final Cyber Essentials evidence pack.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • create a structured evidence index
  • map evidence to each Cyber Essentials control
  • check whether evidence supports the declared scope
  • identify missing or weak evidence
  • decide which gaps must be fixed before submission
  • prepare safer evidence by redacting secrets and personal data

Why This Matters

It explains how to map evidence to the declared scope and the five technical control themes, identify evidence gaps, distinguish strong evidence from weak evidence, handle supplier evidence, remove unsafe information, prepare a submission readiness decision, and avoid submitting with unresolved critical gaps.

The Core Rule

The final evidence pack should prove that the declared Cyber Essentials scope is covered by the five technical controls.

It should map evidence to Firewalls, Secure Configuration, User Access Control, Malware Protection and Security Update Management.

What the CE Assessor Looks For

A strong position shows:

  • scope statement is clear;
  • evidence index exists;
  • evidence maps to the five controls;
  • evidence maps to device, user, cloud, supplier and service scope;
  • each evidence item says what it proves;
  • evidence is current enough;

Copy This

Keep this rule visible:

Do not submit with a random pile of screenshots. Submit with a mapped evidence pack that shows what each item proves, where gaps remain, and whether the organisation is genuinely ready.

Quick Checklist

Before moving on, make sure you can say yes to these:

  • [ ] What is the purpose of the final evidence pack?
  • [ ] Why is a folder of screenshots not enough?
  • [ ] What should an evidence index include?
  • [ ] Why are policies not enough on their own?
  • [ ] What makes supplier evidence stronger?

Your Action

Do this now — it takes 10–20 minutes.

Compile your final evidence pack. Organise supporting files (screenshots, exports, policy documents) so you can find them quickly during the assessment.

Key Takeaway

Do not submit with a random pile of screenshots. Submit with a mapped evidence pack that shows what each item proves, where gaps remain, and whether the organisation is genuinely ready.

Your Workbook Activity

Complete: Final Cyber Essentials evidence pack and submission readiness record

Next Lesson

In the next lesson: Completing the Cyber Essentials questionnaire: answer quality, consistency, assessor comments and avoiding common submission mistakes

Up next

Completing the Cyber Essentials questionnaire

Complete the questionnaire with clear, consistent responses that minimise clarifications and rework.