Evidence model

The evidence model links every risk statement to source assessments, tracked vulnerability state, and immutable publication artifacts. This model is designed for auditability, procurement confidence, and repeatable governance.

For: board advisers, internal audit, compliance reviewers, and operational risk owners.

Last updated: 28 April 2026

Assessment-to-finding chain

Findings are anchored to specific assessments so each issue keeps provenance: source, timeline, target context, and supporting technical evidence. This prevents orphaned backlog entries and enables reproducible review.

Tracked vulnerability state

Once triaged, findings become tracked vulnerabilities with state transitions such as Open, Client Fixed, CyberSec Verified, Risk Accepted, and False Positive. Transitions are explicit and attributable.

Immutable board-pack evidence

Governance outputs are preserved as immutable snapshots. A published board pack remains a trustworthy historical artifact even when the live workspace state evolves after publication.

Recurrence and verification signals

Recurrence and independent verification are first-class signals in the evidence chain. They distinguish unresolved control weaknesses from genuinely remediated risk and improve trend accuracy over time.

Lineage and auditability

Lineage is preserved from ingestion to publication through append-only audit events and constrained mutation paths. This enables technical and governance teams to verify the origin and handling of each material risk item.

In procurement and assurance reviews, this lineage reduces ambiguity in evidence ownership and helps teams demonstrate that decisions were made from traceable, timestamped facts rather than undocumented interpretation.
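The following sketch illustrates the ideas under "Tracked vulnerability state" and "Lineage and auditability": attributable state transitions recorded as append-only events, with a constrained mutation path. It is an added example, not the platform's own code. The state names come from this page; the allowed-transition map, the SHA-256 hash chaining used to make tampering detectable, and all field names are assumptions made for illustration.

```python
import hashlib
import json

# State names are from the page; the allowed-transition map is an assumption.
ALLOWED = {
    "Open": {"Client Fixed", "Risk Accepted", "False Positive"},
    "Client Fixed": {"CyberSec Verified", "Open"},  # Open = verification failed
    "CyberSec Verified": {"Open"},                  # recurrence reopens the item
    "Risk Accepted": {"Open"},
    "False Positive": {"Open"},
}
GENESIS = "0" * 64


def _digest(body):
    # Canonical JSON so the same event always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only event list; each event commits to the previous event's hash."""

    def __init__(self):
        self.events = []
        self.state = {}  # vuln_id -> current state, derived only from events

    def record(self, vuln_id, new_state, actor, assessment_id, ts):
        current = self.state.get(vuln_id)
        if current is None:
            if new_state != "Open":
                raise ValueError("a tracked vulnerability must start as Open")
        elif new_state not in ALLOWED[current]:
            raise ValueError(f"transition {current} -> {new_state} not allowed")
        body = {"vuln_id": vuln_id, "from": current, "to": new_state,
                "actor": actor, "assessment_id": assessment_id, "ts": ts,
                "prev": self.events[-1]["hash"] if self.events else GENESIS}
        self.events.append({**body, "hash": _digest(body)})
        self.state[vuln_id] = new_state


def verify(events):
    """Return the index of the first event that breaks the chain, or -1 if intact."""
    prev = GENESIS
    for i, ev in enumerate(events):
        body = {k: v for k, v in ev.items() if k != "hash"}
        if ev["prev"] != prev or _digest(body) != ev["hash"]:
            return i
        prev = ev["hash"]
    return -1
```

A reviewer can run `verify` over an exported event list: any edited, reordered, or dropped event changes a hash and is reported by index, while `record` is the only path that can change a vulnerability's state.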