Download compliance evidence packs
Hand an auditor a single-page PDF instead of a screen-share. The Compliance hub maps your current asset inventory, licensing, and offboarding data to four control frameworks and renders each as a download you can attach to an evidence request without a covering note.
Every pack is generated on demand from live data. There is nothing to schedule and nothing to keep in sync — the numbers in the PDF are the same ones shown on the hub at the moment you click.
:::note Before you begin
- You have an admin role (admin, it-admin, or super-admin). The hub lives in the admin console under Compliance.
- The figures reflect your real data. For a credible pack, your hardware register, license inventory, wipe certificates, and offboarding should be current.
- To send NIS2 Article 23 incident notifications referenced by the NIS2 pack, set a CSIRT email first. See NIS2 incident notification.
:::
What each pack proves
Auditors ask the same questions every audit: show me your asset inventory, show me what's connected to you, and show me that departing employees return their gear and you erase the data. Each pack answers one framework's version of those questions from a different slice of your data.
| Pack | Control | Headline figures | Download route |
|---|---|---|---|
| ISO/IEC 27001 — Annex A.8 | Asset management | Active assets, assets with category and owner, missing serial numbers | admin.compliance.pdf.iso27001 |
| SOC 2 — CC6.1 | Logical access | Active licenses, total seats, offboarded users still holding assets | admin.compliance.pdf.soc2 |
| GDPR — Article 30 | Records of processing | Users tracked, wipe certificates this year, disposal wipe coverage | admin.compliance.pdf.gdpr |
| NIS2 — Article 21(2) | Cyber-risk-management measures | Per-sub-control status across (a)–(j) with evidence and honest gaps | admin.compliance.pdf.nis2 |
These packs are evidence drawn from your ITAM data, not a certification. They don't replace a SOC 2 report, an ISO 27001 ISMS, or a full NIS2 programme — they give an auditor the ITAM-derived portion of the evidence in a form they can file.
Read the hub before you download
Open Compliance in the sidebar. Each framework gets a card with its headline figures and a download button, so you can see where evidence is missing before you send the pack to an auditor. Colour flags the gaps:
| Indicator | Meaning | What to do |
|---|---|---|
| Amber figure | A hygiene gap — for example, assets missing a serial number or disposal wipe coverage below 100%. | Close the gap in the relevant section, then re-download. |
| Rose figure | A control gap auditors care about — offboarded users holding assets. | Recover the assets via offboarding before you hand over the pack. |
| Emerald figure | Coverage is complete for that metric. | No action. |
The footer shows when the figures were last generated. They refresh on every page load and on every download, so the hub and the PDFs never drift.
Download a pack
To produce a pack for an auditor:
- Open Compliance in the sidebar.
- On the framework's card, check the headline figures and resolve any amber or rose flags you don't want an auditor to see.
- Select the card's download button — for example, Download A.8 evidence pack or Download Article 21 evidence pack.
The A4 PDF opens in a new tab with a timestamp at the top and a filename that includes the framework and date, such as iso27001-evidence-20260607.pdf or nis2-article-21-evidence-20260607.pdf. Save it, or print to PDF, and attach it to the evidence request.
Re-download the pack each time an auditor asks rather than reusing an old file. The timestamp printed at the top is the proof that the evidence is current as of the day you generated it.
The NIS2 pack: honest coverage labels
The NIS2 pack maps all ten sub-controls of Article 21(2) — (a) through (j) — and is deliberately honest about which ones an ITAM platform can actually evidence. Every sub-control carries a coverage class so an auditor knows exactly where to look for the rest of the evidence.
| Coverage class | What it means | Status it can reach |
|---|---|---|
| ITAM-native evidence | The platform produces the full evidence for this sub-control from its own data. | Up to Implemented. |
| ITAM hygiene floor | The platform contributes a necessary precondition, not the whole control. | Capped at Partial. |
| ITAM proxy | A coverage metric, not an effectiveness measurement. | Capped at Partial. |
| Outside ITAM scope | You must produce this evidence yourself. | Shown as Customer-provided. |
For each sub-control the pack lists what OnTrackio contributes and what you must provide separately (for example, a risk register, a business-continuity plan, or training records). This framing keeps the pack credible: an auditor sees real numbers where the platform has them and a clear hand-off everywhere it doesn't.
Don't read the NIS2 pack as "NIS2 complete". Several sub-controls are flagged Customer-provided or capped at Partial by design. The pack covers the ITAM-derived portion only — pair it with your own GRC evidence for the rest.
Each NIS2 download is recorded in your audit log with the generating user and a timestamp, so you keep your own trail of when evidence was produced and by whom.
Verify
- The PDF opens in a new tab with a generation timestamp at the top and the date in the filename.
- The figures in the PDF match the cards on the Compliance hub.
- After a NIS2 download, an entry reading "NIS2 Article 21 evidence pack generated" appears in the audit log under your name.
Troubleshooting
| Symptom | What to do |
|---|---|
| The download button does nothing | The PDF opens in a new browser tab. Allow pop-ups for the admin console, then select the button again. |
| A figure is lower than expected | The packs only count current data — for example, the ISO pack counts assets that aren't disposed, and the SOC 2 pack counts only Active, Trial, and Pending renewal licenses. Check the underlying section. |
| Offboarded users holding assets is above zero | Departing users still hold gear. Recover it via offboarding before you send the SOC 2 pack. |
| Disposal wipe coverage is below 100% | Some disposed assets have no wipe certificate. Mint the missing certificates — see Wipe certificates — then re-download the GDPR pack. |
| The NIS2 pack shows sub-controls as Customer-provided | This is by design. Those controls sit outside ITAM scope; supply that evidence from your own GRC programme. |
| You can't reach the Compliance page | The hub requires an admin role and an active subscription. If your network uses an IP allowlist, confirm you're on an allowed address. |