
Artifact

Also called: Proof, Records

What it is
An Artifact is proof that something exists, happened, or was followed.

Artifacts are collected as part of normal operations. They show what actually occurred or what is currently in place. At this stage, an artifact is unreviewed proof.

Once an artifact is reviewed and accepted by a human, it becomes Evidence.

From Artifact to Evidence

Why it exists
Organizations don’t just need rules and plans—they need proof those rules and plans are followed. Artifacts provide that proof.

Artifacts are gathered continuously. Evidence is what results after review, when someone confirms the artifact is valid, complete, and relevant.

How artifacts become evidence
An artifact becomes evidence when:

  • A person reviews it
  • The reviewer confirms it supports a requirement, policy, or control
  • The reviewer accepts it as sufficient proof

Before review, it is an artifact.
After review, it is evidence.

What an artifact usually looks like
Artifacts can take many forms and can be created by people or systems. Format does not matter.

Common characteristics:

  • Captures results, actions, or current state
  • Often timestamped or versioned
  • May be generated automatically or manually
  • Represents something that already happened or exists

Common examples

  • Logs and reports
  • Screenshots
  • Tickets from a ticketing system
  • Meeting notes
  • Calendar entries
  • Emails
  • Signed acknowledgments
  • Contracts or agreements
  • Background check results
  • Incident and disaster recovery reports
  • Audit outputs
  • Lists and exports (for example, a list of users or firewall rules)

Artifact types

Process Artifacts
Artifacts that provide proof a policy, plan, process, or procedure is being followed.
Examples include completed checklists, signed policy acknowledgments, training attendance logs, incident reports, and approval records.

Configuration Artifacts
Artifacts that provide proof a required configuration is in place or has been verified.
Examples include configuration screenshots, exported settings, scan results, and drift detection reports.

Additional Artifacts
Artifacts that provide useful proof but are not directly tied to a specific process or configuration definition.
Examples include general system logs, internal communications, waivers or exceptions, and supporting records.

How to use artifacts
Upload artifacts as proof of work performed or conditions met.
Review artifacts to confirm they meet requirements.
Once reviewed and accepted, artifacts become evidence.

Common confusion

Artifact vs Evidence
An artifact is unreviewed proof.
Evidence is proof that has been reviewed and accepted.

Artifact vs Policy
A policy defines rules or outcomes.
An artifact proves those rules or outcomes are being followed.

Artifact vs Procedure
A procedure explains how to do something.
An artifact shows that it was done.

Artifact vs List
A list of results is an artifact.
A list of actions to perform is a procedure.

 
