A reproducible artefact, generated by an automated or attested process, that demonstrates a security control was operating as designed during a defined period. Control evidence is not a screenshot, a vendor dashboard, or a written assertion: it is a record that an external auditor can retrieve, validate, and reproduce. The federation requires that evidence be cryptographically signed, time-stamped, and stored in a tamper-evident archive. Evidence that does not meet these three properties is treated as testimony and is not load-bearing under UFMS-001:2.4.
Audit term in continuous use since the formalisation of internal controls in the mid-twentieth century; the cryptographic-evidence variant emerged with the supply-chain security movement of the early 2020s.
Federation accreditation evidence packs must include control evidence in a federation-recognised signed format. Unsigned screenshots and vendor PDFs are returned for remediation under MEV-Annex:3.2.
@misc{ifo4_glossary_control_evidence,
title = {{Control Evidence}},
author = {{IFO4 Federation Editorial Board}},
howpublished = {{IFO4 Federation Glossary, slug \texttt{control-evidence}}},
year = {2026},
url = {https://ifo4.org/glossary/control-evidence},
note = {Category: SecOps; key: ControlEvidence}
}

Federation members and accredited practitioners may challenge any entry under TGS-002:1.7. Filed challenges are routed to the editorial board, triaged into the revision register, and resolved in writing on the public docket. The slug remains stable through any revision.