Evidence by Design · A proprietary methodology

When an auditor or insurer asks for proof, your answer should already be prepared.

Evidence by Design is our proprietary methodology for maintaining compliance documentation continuously — so when the request comes, your answer is already prepared.

Request Your Free IT Assessment. Includes a sample EbD report structure.
Evidence Package EbD-2026-Q2 · Active · DOC-ID: EBD-A1.42

Compliance posture, current as of the operating quarter.

  • Network & Infrastructure: Current
  • Security Operations: Current
  • Patch Management: Current
  • Access Control: Current
  • Backup & Recovery: Current
  • Policies & Procedures: Current

Last updated today, 04:12 EDT · Updated automatically

  • Coverage: Six categories. Network, security, patching, access, backup, policy.
  • Cadence: Continuous. Captured during daily operations, not before audits.
  • Output: Single report. Structured, business-readable, generated on request.
  • Audience: Auditors. Insurers. Customers. One document answers all three.

01 / The Problem
The worst possible moment

Most businesses discover their documentation gaps when it's already too late.

The email arrives. A customer security questionnaire — 400 questions. An insurer demanding proof of controls before they'll renew your policy. A regulator asking for evidence you didn't know you needed to keep.

You forward it to your IT provider. They go quiet. A week later they ask you for information you don't have. Network diagrams from three years ago. Patching records that were never kept. Security policies that don't exist.

The deadline ticks down. The relationship — with your customer, your insurer, your regulator — hangs in the balance.

We built Evidence by Design so this never happens to our clients.
02 / What It Is
The methodology

The methodology behind continuous compliance documentation.

Evidence by Design is the methodology we use to maintain every piece of documentation an auditor, customer, or insurer might request.

It's a continuous process woven into how we operate your IT environment every single day — captured automatically, organized in one place, and ready the moment someone asks.

What it is not
  • Not a one-time assessment. Snapshots go stale the moment they're filed.
  • Not a document we update the week before an audit. If you only update it under pressure, the rest of the year is a lie.
  • Not a binder on a shelf. Physical artifacts can't reflect a system that changes daily.

01 · Cat · Maintained

Network & Infrastructure

  • Current network topology diagrams
  • Device inventory with serial numbers & lifecycles
  • Configuration records & change history
02 · Cat · Maintained

Security Operations

  • Threat detection logs & alert chains
  • Blocked attack records with attribution
  • Incident response documentation
03 · Cat · Maintained

Patch Management

  • Patching schedules & cadence policy
  • Applied patches per device, per cycle
  • Outstanding vulnerabilities with risk assessments
04 · Cat · Maintained

Access Control

  • User access audits & privilege levels
  • Multi-factor authentication enforcement records
  • Joiner-mover-leaver audit trail
05 · Cat · Maintained

Backup & Recovery

  • Backup schedules & retention policies
  • Quarterly recovery test results
  • Off-site & immutable storage verification
06 · Cat · Maintained

Policies & Procedures

  • Security & acceptable use policies
  • Disaster recovery plans
  • Incident response & communication runbooks
All of it continuously updated. All of it organized. All of it ready.
Auto-captured · Cross-referenced · Audit-shaped
03 / How It Works
Three steps. Continuous. Automatic.

Three steps, run continuously.

1 · Step one · Continuous

Collect

Our platform captures evidence automatically through daily operations. Every applied patch is logged. Every blocked threat is recorded. Every configuration change is documented.

We don't ask your team to maintain spreadsheets or remember what was done. The system captures it.

Source: Daily ops

2 · Step two · Always-on

Organize

The evidence is structured within our secure documentation platform — organized by category, cross-referenced, and searchable.

No scattered files. No "I think it's in a folder somewhere." Everything in its place.

Storage: Single platform

3 · Step three · On demand

Report

When an auditor, customer, or insurer requests evidence, we generate a structured report from the current documentation.

Not a panic project. Not a fire drill. A standard output of how we operate.

Output: EbD report
04 / What You Receive
The EbD Report

Your compliance posture in a single document — written for a business audience.

When evidence is requested, you receive a professional, structured report that answers the core questions auditors and insurers ask.

Your auditor understands it. Your insurer understands it. Your customer's procurement team understands it. You don't need to translate IT jargon.

  • Q · 01: What is your network architecture and how is it secured?
  • Q · 02: How do you manage and verify patching?
  • Q · 03: How do you control user access and enforce authentication?
  • Q · 04: How do you detect and respond to security threats?
  • Q · 05: How do you back up critical data and test recovery?
  • Q · 06: What policies govern your security and acceptable use?

A standard output of how we operate — not a deliverable assembled under pressure.
CONFIDENTIAL · Prepared by EmpowerIT
Evidence by Design Report
EBD-RPT-26Q2
Rev. 04 · 14 pp

Compliance Posture Report

Prepared for: [Client Name] · Reporting period: Apr 1 – Jun 30, 2026
Contents
  • 01 · Network Architecture & Security: Topology, segmentation, perimeter controls (p. 02)
  • 02 · Patch Management Posture: Cadence, applied patches, outstanding risks (p. 04)
  • 03 · Access Control & Authentication: User audits, MFA enforcement, privilege levels (p. 06)
  • 04 · Threat Detection & Response: SOC activity, blocked attacks, incidents (p. 08)
  • 05 · Backup & Recovery Verification: Schedules, restore tests, off-site proof (p. 10)
  • 06 · Governing Policies: Security, AUP, DR, IR plans (p. 12)

Continuously maintained · VERIFIED · Generated 2026-05-08 04:12 EDT
05 / Why We Built It
From the field

We built EbD because we've seen what happens without it.

We've walked into businesses where the previous IT provider kept everything in their head. No documentation. No records. No evidence that anything had ever been patched, secured, or tested.

When the audit request came, the scramble was painful. In one case, a manufacturer nearly lost their largest customer because they couldn't produce basic security evidence within a 90-day window.

We turned it around — barely. But we recognized that the entire crisis was unnecessary. The evidence should have existed all along.

"We built Evidence by Design so our clients never face that situation. Your evidence isn't something we create when you're in trouble. It's something we maintain as a standard operating procedure — because we designed our entire service that way."

Evidence by Design. The proof is already there. Because we built it that way.

01

The 90-day audit

Manufacturer given 90 days to produce evidence. Previous provider had nothing organized. We rebuilt the package — and the methodology — from scratch.

02

The "I think it's somewhere"

Backup logs that nobody had ever checked. Patching records that didn't exist. A binder full of policies dated 2017.

03

The customer who walked

A six-figure contract under review because the supplier couldn't answer six questions. The supplier had answers — they just couldn't prove them.

04

The insurance non-renewal

Cyber insurance declined because "we have antivirus" no longer cleared the bar. The renewal questionnaire is now a security audit.

06 / Who Needs This
Built for organizations with external accountability

EbD is built for businesses that answer to someone else about security.

01 · Profile

Manufacturers

Whose customers require cybersecurity verification before awarding or renewing contracts.

Demanded by OEM customers
02 · Profile

Accounting Firms

Facing increasing data protection expectations from CPA Canada and privacy regulators.

Demanded by CPA Canada · regulators
03 · Profile

Professional Services

Any firm whose clients trust them with sensitive data and expect proof of protection.

Demanded by client procurement
04 · Profile

Insurance Renewers

Any business renewing cyber insurance and discovering "we have antivirus" is no longer a sufficient answer.

Demanded by cyber insurers
If someone outside your business can ask you to prove your security posture, you need what EbD delivers.
07 / The Alternative
Without EbD, this is what happens

We know this happens because we've been called in to fix the aftermath.

The request arrives. You forward it to your IT provider. They go silent for a week. Then they ask you to fill in the gaps yourself.

You spend evenings and weekends hunting for information that should already exist. The deadline approaches. The submission is incomplete. The customer puts your contract under review. The insurer declines to renew.

We built EbD so our clients never experience it.

  • T+0d: The request arrives. Customer security questionnaire. Insurance renewal. Regulator letter.
  • T+1d: You forward it to your IT provider. You assume they'll have the answers. You're about to find out.
  • T+7d: A week of silence. No reply. No status update. Multiple follow-ups ignored.
  • T+10d: They ask you to fill in the gaps. Network diagrams. Patch logs. Policies. None of it exists.
  • T+30d: Evenings and weekends, hunting for evidence. Your team is doing the IT provider's job.
  • T+60d: The submission is incomplete. Best-effort answers, no supporting evidence.
  • T+90d: Contract under review. Insurance declined. The relationship survives — or it doesn't.

The next step

See what your evidence package would look like.

Request a free IT Assessment. We'll evaluate your current environment and show you what an Evidence by Design report would contain for your business — the structure, the categories, and the gaps. So you know exactly where you stand.

No charge. No pitch. Just clarity.

EbD Sample · 14pp
$0 · K-W businesses

What your sample EbD report shows you

  • The six evidence categories applied to your environment
  • The exact questions auditors and insurers will ask
  • What you have today — and where the gaps are
  • What "continuously maintained" looks like for your stack
  • 30-min walkthrough with Lee — findings, no pitch