COMPLIANCE EVIDENCE

Evidence for every contractor login.

Each check writes a timestamped record showing the user, the device, the controls evaluated, and the result. The records export on request.

ISO 27001
NYDFS Part 500
Exportable reports

audit-log, live (streaming)
2026-02-14 09:12:03 | CTR-4821-W | j.martinez@accenture.com | pass | Win11-24H2 | BitLocker:256, CrowdStrike:active, Firewall:on, OS:current
2026-02-14 09:15:41 | CTR-7293-M | s.patel@deloitte.com | fail | macOS-15.3 | FileVault2:on, Sophos:outdated ✕
2026-02-14 09:18:22 | CTR-7293-M | s.patel@deloitte.com | remediated | macOS-15.3 | FileVault2:on, Sophos:updated, resolved:2m41s

Key facts

  • Every PosturePass check writes a timestamped record of the user, device, controls evaluated, and the result.
  • Records export on demand, filterable by contractor group, security control, date range, remediation status, or exception.
  • Evidence maps to ISO 27001 (A.8.1, A.9.4), NYDFS Part 500 (§500.7, §500.12, §500.14), NAIC Model Law 668, CIS Controls v8, and CMMC AC.L2 / IA.L2.
  • Failed checks and the time-to-remediate are logged alongside passes, providing continuous-monitoring evidence rather than a point-in-time snapshot.
  • Reports are designed to answer the four questions auditors ask about third-party device controls: what controls, proof they ran, what happens on failure, and evidence for a given date range.
ISO 27001 aligned
NYDFS Part 500 support
NAIC support
CMMC use cases

The gap between written policy and enforced policy.

What auditors actually ask

1. Show me the controls you apply to third-party devices.
2. Show me proof those controls were active at the time of access.
3. Show me what happens when a device fails, and whether it was fixed.
4. Show me this evidence for a specific date range.

A policy document and a walk-through tell auditors what should happen.

An exportable log of checks, failures, and fixes tells them what did happen.

Where the gap usually sits

Most contractor programs have written policies. What they lack is a timestamped record showing those policies ran at the moment of access.

Report views

Filter by partner, control, time period, remediation, or exception.

By contractor group

Filter by partner, vendor, or team to show posture across a relationship.

By security control

Review encryption, antivirus, firewall, or OS compliance across devices.

By time period

Pull evidence for any audit window: Q4 2025, the last 90 days, or a custom range.

By remediation

See what failed, how fast it got fixed, and whether the user resolved it.

By exception

Find contractors with open gaps. Track outstanding issues.

Mapped to the frameworks your auditors use

Framework | Relevant Requirements | What PosturePass helps document
ISO 27001 (A.8.1, A.9.4) | Asset management, access control | Device inventory, policy-based access gating
NYDFS Part 500 (§500.7, §500.12, §500.14) | Access privileges, MFA, third-party security | Device compliance, audit trail, third-party evidence
NAIC Model Law 668 | Third-party security program | Evidence of third-party device controls
CIS Controls v8 (1, 4, 13) | Asset inventory, secure configuration, network monitoring | Device inventory, posture enforcement, continuous checks
CMMC (AC.L2, IA.L2) | Access control, identification and authentication | Device-level access gating, identity-linked compliance

Exporting an audit pack

Within the first hour

  • Pull the report for the audit period. Export by group, control, or date. Send it.

Within the first day

  • Answer follow-ups with drill-down reports, remediation timelines, and continuous-monitoring proof.

Within the first week

  • Provide trend data, document exceptions, and show how issues were handled.
