AnkosDocs
The App

Carry-forward

Reuse evidence from a previous cycle with an explicit attestation that it's still valid. A first-class feature of the Ankos ledger.

Most PCI evidence doesn't change every quarter. Your acceptable use policy, your vendor list, your incident response plan — these stay valid until something actually changes. Carry-forward lets you reuse that evidence in your new cycle without re-uploading the same file, while keeping an auditable attestation that someone confirmed it's still valid.

What's eligible

An entry can be carried forward if, in the most recent prior cycle, it was in one of these states:

  • evidence_collected
  • evidence_uploaded
  • carried_forward (carry-forward chains are allowed; the full history is preserved)

Entries in not_started, not_applicable, or needs_attention can't be carried forward.

The hint on the entry

When you open an entry in a new cycle that has carry-forward-eligible evidence from the previous cycle, you'll see a Carry forward available hint at the top. It shows:

  • The source cycle and upload date
  • The original uploader
  • The file name and size

Clicking the hint opens the carry-forward dialog.

Attestation note

Carry-forward requires a written attestation. The prompt asks you to confirm one of:

  • The evidence is unchanged and still reflects current practice
  • The evidence has been reviewed on [date] with no changes
  • A more specific note

This is deliberately a friction point. The attestation is what distinguishes "I still care about this" from "I'm just closing out a ticket." It also gives your QSA the signal they need to trust the reused evidence.

After confirming, the entry advances to carried_forward with the attestation note, the source cycle, and the current user recorded.

What your QSA sees

In the evidence export:

  • The file itself is included (identical to the source cycle).
  • The category folder contains a carry-forward.txt noting the source cycle, original upload date, and every attestation in the chain.
  • The summary PDF lists each carry-forward entry and its attestation note.

This makes the provenance explicit: the QSA can see the evidence hasn't been re-uploaded, it's been reused with an attestation trail.

When carry-forward is the wrong call

  • The underlying fact has changed — your vendor list gained a new subprocessor, your org chart changed. Upload fresh evidence.
  • You haven't actually reviewed it — attesting without reviewing defeats the purpose. If in doubt, re-upload.
  • A QSA flagged it last cycle — don't carry forward something your assessor already had concerns about.

Next steps

Evidence sources

Scans, manual uploads, and carry-forward side by side.

Evidence export

How carry-forward evidence is presented to the QSA.

Evidence Readiness Dashboard

Track progress across your current cycle — readiness percentage, state breakdown, owner workload, and Priority 1 items.

Evidence Export

Export your cycle as a QSA-ready ZIP package — organized by DRL category with standard naming, a summary PDF, and integrity hashes.

On this page

What's eligibleThe hint on the entryAttestation noteWhat your QSA seesWhen carry-forward is the wrong callNext steps