Getting documentation into KCM is scattered across multiple areas, which makes it confusing and frustrating to maintain properly:
- "Documents" can only be uploaded/linked to a Control, which then appear under the main "Documents" section
- "Evidence" will only appear within the Control if it was uploaded/linked to a Task associated with that Control
- Documents uploaded to a Control cannot be used as Evidence for that Control's Task
- "Policy Management" only allows uploading policies, and you are directed to the "Documents" section to edit them
- The "All" tab of Policy Management doesn't discern between what kind of document each one is; only the Name, Date, and possible Actions are shown
- Any policies uploaded cannot be used as either Documents or Evidence
- While both Documents and Evidence are visible in the "Documents" section, you can only edit existing items rather than upload items
- You must also upload/link the same file multiple times if it applies to multiple Controls, Requirements, and/or Tasks, rather than uploading it once and linking it to multiple Compliance items
Rather than going into each Control, uploading documents/links to Support Evidence, then repeating for each Control, I would much prefer to upload and/or link all of our existing documentation, evidence, and policies under the "Documents" section, then connect them to the appropriate item.
For PCI, a single policy can apply to multiple controls, so we wind up uploading the same policy multiple times as Evidence; our "Network Security Policy" appears 13 times under Documents > Evidence.
Uploading documents should be a "one and done" that then allows us to link that particular file to the necessary Compliance item.