What Types of Evidence Can Be Automated Across SOC 2, ISO 27001, HIPAA, and CMMC?

Application-level evidence can be automated across SOC 2, ISO 27001, HIPAA, and CMMC—specifically access control screenshots, workflow documentation, UI security validations, change management approvals, and application testing results. This represents 20-30% of total evidence that traditional API-based GRC tools cannot capture.

---

Evidence Categories: API-Based vs Screenshot-Based

What Traditional GRC Tools Automate (70-80%)

Vanta, Drata, Secureframe automate through APIs:

Evidence Type	Source	Frameworks	Example
Infrastructure configs	AWS, GCP, Azure APIs	All	CloudTrail logs, IAM policies
Employee access logs	Okta, Google Workspace	All	User provisioning records
Code repository access	GitHub, GitLab APIs	SOC 2, ISO 27001	Branch protection, commit logs
Security tool configs	Crowdstrike, Datadog	All	Antivirus status, monitoring
Training records	LMS platforms	All	Security awareness completion
HR data	BambooHR, Workday	SOC 2, HIPAA	Background check records

Why APIs work here:

• Data is structured (JSON, database records)
• Systems designed for integration
• Real-time monitoring possible
• No human interaction needed

What Cannot Be Automated Without Screenshots (20-30%)

Requires browser-based capture:

Evidence Type	Why API Insufficient	Frameworks	Automation Method
Access control tests	Must show UI behavior	All	Screenshot capture
Workflow approvals	Visual proof of process	All	Workflow recorder
Application security	UI validations needed	All	Browser extension
Change management	Approval screenshots	SOC 2, ISO 27001	Process documentation
Data handling	Show PII controls in UI	HIPAA, GDPR	Screenshot + redaction
Privilege escalation tests	Must demonstrate denial	All	Test execution capture

Why screenshots needed:

• Controls implemented in application UI
• No API exposes this data
• Auditors need visual proof
• Process workflows span multiple systems

---

SOC 2 Type II: What Can Be Automated

Common Criteria (CC) - Trust Service Criteria

CC6.1 - Logical and Physical Access Controls

What can be automated:

Control Test	Evidence Type	Automation Method	Time Savings
Unauthorized access prevention	Screenshots of access denied	Browser extension records login attempt → access denial → error message	60 min → 3 min
Role-based access (RBAC)	Permission matrix + test results	Automated test of different user roles	45 min → 2 min
Privilege escalation testing	Screenshots showing denied elevation	Test user attempting admin actions	40 min → 2 min
Session timeout validation	Screenshots of auto-logout	Capture timeout behavior	30 min → 2 min

Evidence package includes:

• Login screenshot (standard user)
• Attempted access to restricted area
• Error message (403 Forbidden)
• Audit log entry showing denial
• AI-generated test narrative

Manual time: 60 minutes per test Automated time: 3 minutes per test Quarterly frequency: 4x per year Annual savings: 3.8 hours per control

CC6.2 - Prior to Issuing System Credentials

What can be automated:

Control Test	Evidence Type	Automation Method
Access approval workflow	Screenshots of approval chain	Workflow recorder captures request → manager approval → provisioning
Provisioning verification	Before/after user permissions	Screenshot comparison of access lists
Deprovisioning testing	Screenshots showing removed access	Capture termination workflow

Evidence flow:

1. Employee requests access (screenshot of ticket)
2. Manager approves (screenshot of approval)
3. IT provisions (screenshot of access granted)
4. Verification (screenshot of user in system)

CC7.2 - System Operations - Change Management

What can be automated:

Process	Evidence Required	Automation Approach
Code review	Screenshots of PR approvals	GitHub screenshot capture
Deployment approval	Approval workflow screenshots	CI/CD pipeline screenshots
Rollback capability	Screenshots of rollback test	Automated rollback execution
Change documentation	Ticket + implementation proof	Jira ticket + deployment screenshot

Example automated evidence:

• Pull request with 2 approvals (screenshot)
• CI/CD pipeline showing tests passed (screenshot)
• Production deployment (screenshot)
• Monitoring dashboard after deploy (screenshot)

CC8.1 - Risk Assessment - Vulnerability Management

What can be automated:

Evidence	Collection Method	Output
Vulnerability scans	Automated screenshot of scan results	PDF with scan dashboard
Remediation tracking	Screenshots of ticket resolution	Jira/Linear tickets with resolution
Scanning frequency	Screenshots showing scheduled scans	Calendar + scan history

---

ISO 27001: Annex A Controls

A.9 - Access Control

A.9.2.1 - User Registration and De-registration

Automatable evidence:

Control Activity	Evidence Type	Automation
User provisioning process	Workflow screenshots	Request → approval → provisioning screenshots
Access review	Permission audit screenshots	Quarterly review of user access lists
Deprovisioning	Account termination screenshots	Disabled user screenshots across systems

Cross-framework mapping:

• SOC 2 CC6.2 ← → ISO 27001 A.9.2.1
• One set of evidence satisfies both
• Automated tool maps to both frameworks

A.9.4.1 - Information Access Restriction

Automatable evidence:

Test	Evidence Format	Collection
Data access controls	Screenshots of denied access to sensitive data	Browser extension captures PHI/PII access tests
Role-based data filtering	Screenshots showing different data views by role	Test different user roles viewing same page
Encryption verification	Screenshots of encrypted data storage	AWS S3 encryption settings screenshot

A.12 - Operations Security

A.12.1.2 - Change Management

Automatable evidence:

Change Type	Required Evidence	Automation Method
Application changes	PR approval + deploy screenshot	GitHub + CI/CD screenshot
Infrastructure changes	Terraform plan approval	Screenshot of infrastructure PR
Configuration changes	Before/after screenshots	Config comparison screenshots

Automation captures:

• Change request (Jira/Linear screenshot)
• Review and approval (PR screenshot)
• Testing evidence (CI results screenshot)
• Deployment (production deploy screenshot)
• Verification (monitoring dashboard screenshot)

A.14 - System Acquisition, Development and Maintenance

A.14.2.1 - Secure Development Policy

Automatable evidence:

Policy Requirement	Evidence	Automation
Code review requirement	Screenshots of enforced reviews	Branch protection + PR screenshots
Security testing in pipeline	SAST/DAST results screenshots	CI/CD security scanning screenshots
Deployment approvals	Production deploy approval screenshots	GitHub Actions approval screenshots

---

HIPAA Security Rule: Administrative Safeguards

§164.308(a)(4) - Access Authorization

Automatable evidence:

HIPAA Requirement	Evidence Needed	Automation
Access to ePHI authorization	Approval workflow for PHI access	Screenshot of access request → approval → provisioning
Access enforcement	Screenshots showing denied PHI access	Test unauthorized PHI access attempt
Role-based access	Permission matrix + testing	Screenshots of different roles accessing PHI

Key difference from SOC 2:

• Must demonstrate PHI-specific protections
• Screenshots must show PHI handling
• Requires PII redaction in evidence
• Automated redaction critical

Automation handles:

• Automatic detection of PHI in screenshots
• Real-time redaction before export
• Synthetic test data suggestions
• HIPAA-compliant evidence formatting

§164.312(a)(1) - Access Controls (Technical)

Automatable evidence:

Control	Evidence Type	Collection Method
Unique user IDs	Login screenshots	Capture login with user ID visible
Emergency access	Break-glass access screenshots	Document emergency access procedure
Automatic logoff	Session timeout screenshots	Capture auto-logout behavior
Encryption verification	Encrypted data screenshots	Show ePHI stored encrypted

§164.308(a)(6) - Security Incident Procedures

Automatable evidence:

Procedure	Required Documentation	Automation
Incident response	Workflow screenshots	PagerDuty alert → investigation → resolution
Incident tracking	Ticket screenshots	Incident ticket lifecycle screenshots
Notification process	Communication screenshots	Breach notification workflow

---

CMMC 2.0: Practice-Level Controls

Level 1 (17 Practices)

AC.L1-3.1.1 - Authorized Access Control

Automatable evidence:

Practice	Evidence Format	Automation
Verify authorized access only	Screenshots of access tests	Test authorized/unauthorized access attempts
CUI access controls	Permission screenshots	Document CUI access restrictions
Access enforcement	Denied access screenshots	Capture access denial for unauthorized users

CMMC-specific requirements:

• Must reference NIST SP 800-171
• Evidence must show CUI (Controlled Unclassified Information) protection
• Requires more detailed documentation than SOC 2

Level 2 (110 Practices)

AC.L2-3.1.2 - Transaction and Function Control

Automatable evidence:

Practice	Documentation	Automation Approach
Limit transaction authority	Screenshots showing transaction limits	Test user attempting transactions beyond authority
Function-level access	UI access control screenshots	Document function-level RBAC
Approval workflows	Multi-step approval screenshots	Capture approval chain for sensitive transactions

AU.L2-3.3.1 - Audit Log Review

Automatable evidence:

Requirement	Evidence	Collection
Regular log review	Screenshots of log review process	Scheduled log review screenshots
Anomaly detection	Alert screenshots	Security alert dashboard screenshots
Review documentation	Reviewer notes + screenshots	Automated report generation

Level 3 (Advanced/Persistent Threat Focus)

Higher evidence burden:

• More frequent testing (monthly vs quarterly)
• More detailed documentation
• Advanced threat scenarios
• Pen test evidence

Still automatable:

• Same screenshot-based evidence
• More frequent automated collection
• Advanced test scenarios
• Professional reporting

---

Cross-Framework Evidence Mapping

Single Test → Multiple Frameworks

Example: Access Control Test

One automated test satisfies:

Framework	Control ID	Requirement
SOC 2	CC6.1	Logical access controls prevent unauthorized access
ISO 27001	A.9.4.1	Information access restriction
HIPAA	§164.308(a)(4)	Access authorization for ePHI
CMMC 2.0	AC.L2-3.1.1	Limit access to authorized users

One evidence pack includes:

• Screenshots of access test
• Pass/fail determination
• Tester information
• Timestamps
• Control objectives

Mapped automatically to all 4 frameworks

Manual approach:

• Document test 4 separate times
• Different formats for each framework
• 4x the work

Automated approach:

• Document once
• Map to all frameworks
• 1/4 the work

Common Evidence Types Across All Frameworks

Evidence Type	SOC 2	ISO 27001	HIPAA	CMMC	Automation Method
Access control tests	✅ CC6.1	✅ A.9.4.1	✅ §164.308(a)(4)	✅ AC.L2-3.1.1	Browser screenshot capture
Change management	✅ CC7.2	✅ A.12.1.2	✅ §164.308(a)(8)	✅ CM.L2-3.4.3	Git/CI/CD screenshots
Vulnerability scanning	✅ CC8.1	✅ A.12.6.1	✅ §164.308(a)(8)	✅ RA.L2-3.11.2	Scan result screenshots
Access removal	✅ CC6.2	✅ A.9.2.1	✅ §164.308(a)(3)	✅ AC.L2-3.1.3	Deprovisioning workflow
Incident response	✅ CC7.3	✅ A.16.1.5	✅ §164.308(a)(6)	✅ IR.L2-3.6.1	Incident ticket screenshots

Automation efficiency:

• 5 evidence types
• 4 frameworks each
• 20 total documentation requirements
• Automated: Create 5 evidence packs, map to 20 requirements (2 hours)
• Manual: Document 20 separately (40 hours)
• Savings: 95%

---

What Cannot Be Automated (And Shouldn't Be)

Evidence Requiring Human Judgment

Evidence Type	Why Not Automated	Best Approach
Policy documents	Strategic decisions	Manual authoring, AI assistance
Risk assessments	Business context	Manual analysis, automated data
Vendor evaluations	Relationship-based	Manual review, automated tracking
Business continuity plans	Strategic planning	Manual creation, automated testing
Training content	Educational design	Manual creation, automated delivery

Evidence Already API-Automated

Evidence Type	Existing Solution	Don't Need Screenshot Automation
Infrastructure configs	Vanta/Drata → AWS/GCP API	Already automated
Employee lists	Vanta/Drata → Okta API	Already automated
Code commits	Vanta/Drata → GitHub API	Already automated
Cloud logs	SIEM integration	Already automated

Ideal automation strategy:

• Use Vanta/Drata for API-based evidence (70%)
• Use screenshot automation for UI evidence (20%)
• Manual for strategic/judgment items (10%)
• Total: 90% automated

---

Implementation: Evidence Automation Roadmap

Phase 1: High-Impact Controls (Week 1-2)

Focus on controls that:

• Take most time manually (60+ minutes)
• Required across multiple frameworks
• Tested most frequently (quarterly)

Top 5 to automate first:

Control	Frameworks	Manual Time	Automated Time	Time Saved
Access control tests	All 4	60 min × 4 quarters	3 min × 4 quarters	3.8 hrs/quarter
Change management	SOC 2, ISO, CMMC	45 min × 4 quarters	2 min × 4 quarters	2.9 hrs/quarter
Vulnerability scanning	All 4	30 min × 4 quarters	2 min × 4 quarters	1.9 hrs/quarter
Access provisioning	All 4	40 min × 4 quarters	2 min × 4 quarters	2.5 hrs/quarter
Access removal	All 4	40 min × 4 quarters	2 min × 4 quarters	2.5 hrs/quarter

Phase 1 total savings: 54+ hours/year from just 5 controls

Phase 2: Framework-Specific Controls (Week 3-4)

Add controls unique to your frameworks:

HIPAA-specific:

• ePHI access logging (§164.312(b))
• Encryption verification (§164.312(a)(2))
• Emergency access procedures (§164.312(a)(2)(iii))

CMMC-specific:

• CUI access controls (AC.L2-3.1.20)
• Audit log protection (AU.L2-3.3.3)
• Insider threat program (AT.L2-3.2.2)

Phase 3: Full Rollout (Month 2)

Complete automation of all screenshot-based controls:

• 20-30 controls total
• 10 hours setup time
• 50+ hours quarterly savings

---

Framework-Specific Evidence Requirements

SOC 2 Type II Evidence Standards

Required elements:

• Control ID (CC6.1, CC7.2, etc.)
• Test date and tester
• Test procedure description
• Screenshots showing test execution
• Pass/fail determination
• Evidence organized by Trust Service Category

Frequency:

• Quarterly for manual controls
• Continuous for automated controls

ISO 27001 Evidence Standards

Required elements:

• Annex A control reference (A.9.2.1)
• Implementation evidence
• Effectiveness evidence (testing)
• Review and approval dates
• Nonconformity tracking

Frequency:

• Annual control assessment minimum
• Quarterly recommended for key controls

HIPAA Evidence Standards

Required elements:

• CFR section reference (§164.308)
• ePHI-specific protections shown
• Risk analysis documentation
• Breach notification procedures
• Business associate agreements

Special considerations:

• PHI must be redacted in all screenshots
• Use synthetic data in test environments
• Document data minimization

CMMC 2.0 Evidence Standards

Required elements:

• NIST SP 800-171 practice reference
• CUI protection evidence
• Maturity level justification
• Continuous monitoring evidence
• Third-party assessor requirements (L2+)

Evidence organization:

• By practice (110 practices for L2)
• By domain (17 domains)
• Assessment artifacts clearly labeled

---

Frequently Asked Questions

Can one tool automate evidence for all four frameworks?

Yes. Modern evidence automation platforms support:

• SOC 2 Trust Service Criteria
• ISO 27001:2013 and 2022 Annex A
• HIPAA Security Rule
• CMMC 2.0 practices

How it works:

• Capture evidence once
• Map to multiple framework requirements
• Generate framework-specific reports
• Maintain single evidence repository

What percentage of total evidence can be automated?

Typical breakdown:

Evidence Category	% of Total	Automation Status
API-based (infrastructure, SaaS)	60-70%	Already automated (Vanta/Drata)
Screenshot-based (application, workflows)	20-25%	✅ Can automate (Screenata)
Strategic/judgment (policies, risk)	10-15%	❌ Requires human expertise

Total automatable: 80-95%

Do different frameworks require different screenshots?

Mostly the same, with variations:

Core evidence (identical):

• Access control tests
• Permission screenshots
• Workflow approvals
• Change management

Framework-specific additions:

Framework	Unique Requirements
HIPAA	PHI-specific protections, redaction
CMMC	CUI marking, NIST references
ISO 27001	Risk treatment plans
SOC 2	Trust Service Category mapping

One screenshot, multiple labels:

• Same access control screenshot
• Labeled CC6.1 for SOC 2
• Labeled A.9.4.1 for ISO 27001
• Labeled §164.308(a)(4) for HIPAA
• Labeled AC.L2-3.1.1 for CMMC

Can automation handle framework updates?

Yes. When frameworks change:

• SOC 2 TSC 2017 → TSC 2024
• ISO 27001:2013 → 2022
• HIPAA rules updates

Automation platforms update:

• Control mappings
• Evidence templates
• Report formats
• Assessment criteria

Your evidence remains valid:

• Screenshots don't change
• Just remapped to new control IDs
• No re-testing required

---

Key Takeaways

✅ 20-30% of compliance evidence requires screenshots and cannot be automated through APIs

✅ Access controls, workflows, and application testing can be fully automated across all frameworks

✅ Single evidence collection can satisfy requirements across SOC 2, ISO 27001, HIPAA, and CMMC simultaneously

✅ 5 core evidence types cover 80%+ of automatable screenshot needs

✅ Framework updates don't require re-testing—evidence is remapped to new control IDs

✅ Combined with API automation (Vanta/Drata), achieves 90%+ total automation

✅ 54+ hours saved annually by automating just top 5 high-impact controls

---

Start Automating Framework Evidence

Screenata automates evidence collection across SOC 2, ISO 27001, HIPAA, and CMMC—with intelligent mapping that satisfies multiple frameworks from single tests.

Multi-framework features:

• Automatic control ID mapping (4 frameworks)
• Framework-specific report formats
• Cross-framework evidence repository
• Update-proof evidence collection

Implementation:

• Day 1: Automate first control (any framework)
• Week 1: Top 5 controls automated
• Month 1: Full multi-framework coverage

See framework coverage →

---

Related Articles

• What Is Compliance Evidence Automation (and Why It's Transforming Modern Audits)
• How to Automate SOC 2 Evidence Collection with Screenshots
• Integrating Automated Screenshot Documentation with Drata and Vanta
• Why Screenshots and Workflow Recordings Are Essential for Control Validation