Most SMEs already have the right evidence somewhere — the problem is they cannot find it three weeks before renewal. A simple structure fixes that.
This guide describes a layout that works for teams of 5 to 250 people and survives staff turnover.
Group evidence by control area
Always start from the five Cyber Essentials control areas, not from file types or departments.
- Firewalls and routers
- Secure configuration
- User access control
- Malware protection
- Security update management
Tag every item with status and owner
Status and ownership turn a pile of files into a workflow.
- Status: draft, approved, expired
- Owner: a real named person, not a job title alone
- Review date: when this item must be refreshed
Link evidence to the asset it covers
Evidence without an asset link is hard to validate. Tie patch reports to laptop fleets, MFA exports to admin accounts.
Set recurring reminders
Every dated piece of evidence should trigger a reminder before it goes stale.
- Annual: policies, asset register sweep
- Quarterly: access reviews, asset diffs
- Monthly or on release: patch reports
Practical examples
Per-control folders
Five top-level groups, one per control area. New evidence lands in the right place by default.
Owner column
Spreadsheet or app field naming the person responsible for the item.
Recurring task
Quarterly access review task assigned to a named owner, with a link to the evidence to update.
Common mistakes
Organising by date
‘2026-CE-evidence’ folders push old items out of sight. Group by control, not by year.
Filename-only metadata
Filenames lie. Track status, owner and review date as real fields.
Sharing everything
Sharing a whole drive with an assessor exposes drafts. Share only approved items.
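The tagging, reminder and sharing rules above can be checked mechanically once status, owner, review date and asset are real fields. The following is an added example, not part of the original guide or of any product: the CSV column names, the sample rows and the 21-day reminder lead time are assumptions made for illustration.

```python
import csv, io
from datetime import date, timedelta

# The five Cyber Essentials control areas listed in this guide.
CONTROL_AREAS = {"Firewalls and routers", "Secure configuration", "User access control",
                 "Malware protection", "Security update management"}
STATUSES = {"draft", "approved", "expired"}

# Constructed sample register; column names and rows are assumptions for illustration.
SAMPLE = """item,control_area,status,owner,review_date,asset
Firewall rule export,Firewalls and routers,approved,Priya Shah,2026-09-01,Office firewall
Patch report,Security update management,approved,Tom Reid,2026-03-10,Laptop fleet
MFA export,User access control,approved,,2026-06-30,Admin accounts
AV policy,Malware protection,draft,Priya Shah,2026-12-01,
Old build notes,Servers,approved,Tom Reid,2025-11-15,Laptop fleet
"""

def check_register(text, today, lead_days=21):
    """Return (findings, shareable): problems per item, and items safe to share."""
    findings, shareable = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: (v or "").strip() for k, v in row.items()}
        issues = []
        if row["control_area"] not in CONTROL_AREAS:
            issues.append("unknown control area")
        if row["status"] not in STATUSES:
            issues.append("unknown status")
        if not row["owner"]:
            issues.append("no named owner")
        if not row["asset"]:
            issues.append("no asset link")
        try:
            due = date.fromisoformat(row["review_date"])
            if due < today:
                issues.append("review overdue")
            elif due - today <= timedelta(days=lead_days):
                issues.append("review due soon")
        except ValueError:
            issues.append("missing or invalid review date")
        if issues:
            findings[row["item"]] = issues
        # Share only approved items with no blocking issue ("due soon" only reminds).
        if row["status"] == "approved" and set(issues) <= {"review due soon"}:
            shareable.append(row["item"])
    return findings, shareable

if __name__ == "__main__":
    findings, shareable = check_register(SAMPLE, date(2026, 3, 1))
    print(findings, "\nShare with assessor:", shareable)
```

Run on a schedule, the findings list doubles as the reminder queue and the shareable list is what goes to the assessor.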
Evaud helps organise Cyber Essentials evidence and readiness information. It is not a certification body and does not guarantee certification.