SaaS Evidence Collection Checklist

Audit-Ready Artifacts for Tier 1/2 SaaS Tenants


Document ID	CERG-TMPL-SAAS-001
Version	1.0
Status	Approved
Classification	Public
Owner	Governance Pillar Leader
Parent Document	CERG-STD-IT-001
Review Cycle	Annual / On SaaS baseline change
Frameworks	NIST 800-53 AU, CM, AC · SOX ITGC · CMMC · CSA CCM
Regulations	SOX ITGC · CMMC (where applicable)
Environments	Tier 1/2 SaaS tenants

Purpose

This checklist ensures consistent, auditable evidence collection from Tier 1 and Tier 2 SaaS tenants for compliance (SOX, CMMC, ISO 27001) and CERG internal assurance. Evidence is stored in the CERG evidence library per CERG-PRC-AUD-001.

Evidence by Category

Identity & Access

Artifact	Source	Frequency	SOX	CMMC	Notes
Admin role assignments export	SaaS admin console / API	Quarterly	✓	✓	Filter to privileged roles
Conditional Access / MFA policies	IdP / SaaS security center	Quarterly	✓	✓	Include named locations, device compliance
OAuth / third-party app grants inventory	SaaS admin console / API	Quarterly	✓	✓	Scope, publisher, risk rank
User provisioning / deprovisioning logs	IdP / SCIM audit log	Monthly	✓		90-day lookback
Break-glass / emergency access log	SaaS / PAM	Per use	✓		Must have post-use review

Configuration & Hardening

Artifact	Source	Frequency	SOX	CMMC	Notes
Tenant baseline scan results (CIS/CERG)	SSPM / CSPM	Monthly	✓	✓	Drift findings → PRC-VM-001
DLP policy configuration export	SaaS security center	Quarterly	✓		For Restricted data tenants
Data residency / region config	SaaS admin console	Annual		✓ (CUI)	Verify approved regions only
Sharing / external access settings	SaaS admin console	Quarterly	✓	✓	Anonymous links, domain allowlist

Logging & Monitoring

Artifact	Source	Frequency	SOX	CMMC	Notes
Admin activity audit log sample (90 days)	SaaS audit log export / SIEM	Quarterly	✓	✓	Verify completeness, tamper-resistance
Authentication / sign-in log sample	IdP / SaaS auth logs	Monthly	✓		Include MFA events, failures
Alert / detection rule coverage matrix	SIEM / SSPM	Quarterly		✓	Map to MITRE ATT&CK SaaS
Failed login / brute-force alerts	SIEM	Monthly	✓		Correlate with lockout policy

Data Protection

Artifact	Source	Frequency	SOX	CMMC	Notes
Encryption at rest verification (CMK/BYOK)	KMS / SaaS security center	Annual		✓ (CUI)	Key rotation evidence
Backup configuration & test results	SaaS backup / native	Annual	✓ (ITGC)	✓	RPO/RTO, restoration test
Retention / legal hold policies	SaaS admin / compliance center	Annual	✓		Per regulatory requirements

Incident & Vendor

Artifact	Source	Frequency	SOX	CMMC	Notes
Provider SOC 2 Type II report	Vendor portal	Annual	✓	✓	Review carve-outs, CUECs
Provider incident notification log	TPRM tool / email	Per incident		✓	Verify 24/72hr SLA met
Subprocessor list & changes	Vendor trust portal	Quarterly		✓ (CUI)	New subprocessor = reassessment

Collection Workflow

Scheduler (Governance): Quarterly calendar invite to SaaS tenant owners with this checklist
Collector (Engineering/Risk): Pull artifacts via API / admin console / SSPM export
Reviewer (Governance): Verify completeness, link to evidence library, note gaps
Gaps: Open findings in risk register per PRC-RM-001; track to closure

Document Control

Field	Value
Document ID	CERG-TMPL-SAAS-001
Version	1.0
Status	Approved
Classification	Public
Owner	Governance Pillar Leader
Approved By	CISO
Effective Date	2026-06-17
Review Cycle	Annual / On SaaS baseline change
Next Scheduled Review	2027-06-17

Revision History

Version	Date	Author	Change Summary
1.0	2026-06-17	Cyber Governance	Initial release - SaaS evidence collection checklist for Tier 1/2 tenants

Document	ID	Relationship
IT/Cloud/SaaS Security Standard	CERG-STD-IT-001	Governing standard §5.4, §5.5
Access Management Standard	CERG-STD-AC-001	NHI, ITDR evidence cross-reference
Audit and Evidence Management Procedure	CERG-PRC-AUD-001	Evidence library governance
Exposure Management Procedure	CERG-PRC-VM-001	Baseline drift findings pipeline

Source: templates/CERG-TMPL-SAAS-001_SaaS_Evidence_Collection_Checklist.md · Download .md · View on GitHub