PQC migration evidence needs to show more than a point-in-time scan. A useful evidence pack connects policy context, current compliance status, findings, remediation, approved exceptions, owners, and retained records into a defensible evidence record.
- Include the policy template, PQC-specific controls, control actions, policy version, and any organization-specific policy decisions.
- Show which applications, services, certificates, gateways, and infrastructure sources are in scope, and who owns each area.
- Retain compliance status, findings, triggered rules, recent activity, and the timestamp of the latest evaluation.
- Capture remediation status, approved exception rationale, approving policy context, owner, affected scope, and expiry date.
- Keep evidence snapshots that show how status changes over time as teams remediate findings and policies evolve.
- Prepare a concise summary for audit, customer assurance, risk review, and leadership reporting.

Use the table below as a review standard before sharing evidence with audit, risk, customers, or leadership.

| Evidence item | Acceptance criteria | Review use | Owner |
|---|---|---|---|
| Policy template and version | Shows the standard-aligned template, PQC-specific controls, severity, and effective date. | Proves which requirements were applied. | Security / AppSec |
| Application or service baseline | Names the scoped system, owner, connected certificates, gateways, and latest evaluation timestamp. | Proves what was evaluated. | Platform / service owner |
| Triggered rules and findings | Lists failed and warning controls with affected scope, severity, and current status. | Proves why remediation is required. | Security / engineering |
| Remediation record | Includes owner, target date, dependency, current status, and linked evidence of change. | Proves progress is governed. | Service owner |
| Approved exception record | Includes rationale, affected scope, approving policy context, approver, expiry, and renewal evidence. | Proves temporary risk is controlled. | Risk / security |
| Review summary | Summarizes scope, current compliance state, open issues, approved exceptions, and next milestones. | Gives reviewers the answer before the artifacts. | Security leadership |
Crypto Posture retains policy, evaluation, approved exception, and evidence history so teams can show progress without rebuilding the record from spreadsheets each time standards or scope change.