By Yair Knijn · December 10, 2025
The auditor gave you a week. Pulling the evidence took three.
Your controls are in good shape. Access gets reviewed every quarter, SFTP keys rotate on schedule, every transfer writes a log line. So when the surveillance audit lands and the auditor asks for evidence across the file-transfer estate, you treat it as paperwork. Then you go to pull it, and you find out that a control being true and a control being exportable are two different things. Most teams learn the difference with the clock already running.
The auditor hands you a sampling window and a list. You start collecting, and the evidence is not in one place, because the control was never built to be evidenced. It was built to work.
What an ISO 27001 file-transfer audit actually asks for
A surveillance audit under ISO 27001:2022 does not ask whether you log transfers. It names specific artifacts tied to specific Annex A controls, scoped to the window it sampled. The requests tend to look like this:
- Access reviews proving who could read or write each partner endpoint over the period, plus evidence that the quarterly review genuinely happened rather than being assumed (A.5.18, A.8.2).
- Transfer logs covering every file moved, by whom, to where, with integrity and outcome, retained long enough to show the control held up over time. The 2022 revision expects live review under A.8.15, not a log nobody reads.
- Key and credential rotation records for SFTP keys, AS2 certificates, and service accounts, with dates attached (A.8.24, A.5.17).
- A collection-of-evidence procedure showing these artifacts come out of a defined process rather than being assembled on the spot (A.5.28).
Nothing on that list is exotic. The trouble is that in a typical estate these artifacts live in four systems owned by three teams.
Why scattered logs and spreadsheets miss the deadline
Transfer logs sit on the MFT host, or split across two hosts after a migration nobody finished decommissioning. Access reviews are a SharePoint spreadsheet a manager signed off in a screenshot. Key rotation is a date buried in a ticket, a line in a runbook, or nowhere at all. Answering a single sampling request means reconciling timestamps across syslog, a ticket export, and an .xlsx nobody has opened since the last audit.
That reconciliation is the three weeks. The control did not fail. Proving it just turned into a manual archaeology project, and every gap you surface while digging becomes a finding you now have to explain. The audit goes sideways on export readiness long before it would ever go sideways on the control.
Treat evidence export as a real capability
So build for it. Make "produce the evidence" a first-class function instead of a side effect of logging. One query over a date range returns the access state, the transfer record, and the credential lifecycle in a single export, scoped to the endpoints the auditor sampled. When a director can hand over a CSV or a signed report for the exact window in an afternoon, the audit turns into a conversation about controls rather than a scavenger hunt for proof they exist.
A.5.28 quietly rewards this. A defined collection-of-evidence procedure is itself a control, so when the evidence comes out the same way every time, from the same place, the export demonstrates the procedure. When three people improvise it differently each year, it does not.
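As an added illustration (not the page's or xEvolve's code), one shape such an export can take: a single query over a sampling window and endpoint list that joins access-review, transfer-log and key-rotation records, maps each row to its Annex A control, and flags the gaps the text warns about. The record layouts, the 180-day rotation policy, and every endpoint, principal, file and change reference here are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
# Constructed sample records; endpoints, principals, files and refs are hypothetical.
ACCESS_REVIEWS = [
    {"endpoint": "partner-a", "principal": "svc_edi", "rights": "rw", "reviewed": "2025-07-01", "approver": "jdoe"},
    {"endpoint": "partner-b", "principal": "svc_edi", "rights": "r", "reviewed": "2025-07-01", "approver": "jdoe"},
]
TRANSFER_LOG = """\
2025-08-03T10:12:04Z endpoint=partner-a user=svc_edi file=inv_1001.csv status=ok
2025-08-05T02:40:10Z endpoint=partner-b user=svc_edi file=po_77.xml status=ok
2025-08-09T17:05:33Z endpoint=partner-a user=tmp_user file=dump.zip status=failed
2025-10-01T08:00:00Z endpoint=partner-a user=svc_edi file=inv_1200.csv status=ok
"""
KEY_ROTATIONS = [
    {"endpoint": "partner-a", "credential": "sftp_key", "rotated": "2025-06-15", "ref": "CHG-0421"},
    {"endpoint": "partner-b", "credential": "as2_cert", "rotated": "2024-11-20", "ref": "CHG-0302"},
]
MAX_KEY_AGE = timedelta(days=180)  # assumed rotation policy, not from the page

def utc(date_or_ts):  # ISO date or 'Z' timestamp -> aware UTC datetime
    return datetime.fromisoformat(date_or_ts.replace("Z", "+00:00")).replace(tzinfo=timezone.utc)

def parse_transfer(line):
    ts, *kv = line.split()
    return {"ts": utc(ts), **dict(p.split("=", 1) for p in kv)}

def export_evidence(start, end, endpoints):
    """Return (rows, findings): one row per artifact in scope, mapped to its Annex A control."""
    start, end = utc(start), utc(end)
    rows, findings = [], []
    for r in (r for r in ACCESS_REVIEWS if r["endpoint"] in endpoints):
        rows.append(["A.5.18", r["endpoint"], "access-review", r["principal"], r["reviewed"], f"{r['rights']} approved by {r['approver']}"])
    for t in map(parse_transfer, TRANSFER_LOG.splitlines()):
        if t["endpoint"] not in endpoints or not start <= t["ts"] <= end:
            continue  # outside the sampled endpoints or window
        rows.append(["A.8.15", t["endpoint"], "transfer", t["user"], t["ts"].isoformat(), f"{t['file']} {t['status']}"])
        if not any(r["endpoint"] == t["endpoint"] and r["principal"] == t["user"] for r in ACCESS_REVIEWS):
            findings.append(f"A.5.18 {t['endpoint']}: transfer by {t['user']} with no access-review record")
    for k in (k for k in KEY_ROTATIONS if k["endpoint"] in endpoints):
        rows.append(["A.8.24", k["endpoint"], "key-rotation", k["credential"], k["rotated"], k["ref"]])
        if end - utc(k["rotated"]) > MAX_KEY_AGE:
            findings.append(f"A.8.24 {k['endpoint']}: {k['credential']} last rotated {k['rotated']}, overdue at window end")
    return rows, findings

def to_csv(rows):
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["control", "endpoint", "artifact", "subject", "timestamp", "detail"])
    w.writerows(rows)
    return buf.getvalue()
```

The findings list is the part worth reading before the auditor does: every transfer by a principal with no review record, and every credential past policy age at the window end, is a gap you would otherwise discover mid-audit.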
Build for the surveillance audit, not the certificate
Certification is a one-time push. The surveillance audits that follow, year after year, are where unexportable controls bleed you out. The teams that stay calm wired evidence export into the platform on day one, so the annual request is a button and not a fire drill. Retention is set deliberately, log review runs continuously, and the export already maps to Annex A. What you want is not more logging. It is the ability to answer on demand.
xEvolve keeps transfers, access reviews, and key rotation inside one Environment with a single audit trail, so an evidence request for any window is an export and not an excavation. When the auditor gives you a week, finish in an afternoon. See what the trail captures on the security page.