old evidence
For section 11.3 would it make sense to also mention that old evidence is not accepted, such as an assessed entity giving a screenshot from 9 months ago with timestamp of a configuration. It might have been provided to the assessor during the 90 day window but the evidence provided by the assessed entity is maybe an old screenshot they borrowed from their SOC 2, 9 months ago and as such that is not indicative of the current environment.
1
vote
James Whitfield
shared this idea