Ankos
Ankos Ledger

Evidence Export

Export your cycle as a QSA-ready ZIP package — organized by category with consistent file naming, a summary PDF, and integrity hashes.

When your cycle is ready for QSA review, export an evidence package. The export is a ZIP file organized to make assessor review fast: one folder per category, consistent file naming, a summary PDF, and an integrity manifest.

Evidence export is available on the Team plan and above. The free CLI produces local reports, but not packaged QSA exports.

Sending the package to your QSA? Use Share with QSA instead — same package, but delivered as a secure link directly to the QSA's email with revoke + audit. Use the download path below for internal copies, board reports, or anything not headed to the assessor. And if your QSA is an invited reviewer, the export you generate also appears in their workspace to download directly — see The QSA review workflow.

How to export

From the cycle detail page, click Export Evidence Package. The export runs as a background job (seconds to a few minutes depending on cycle size); when it finishes you'll get a download link and an email.

You can trigger an export any time, as often as you need. Each export is a snapshot at the moment you clicked — re-run it after uploading more evidence to get a fresh package.

What's in the ZIP

At the top level: a summary PDF, a manifest.json with integrity hashes, and a README.txt orientation guide for the QSA. Below that, one folder per category your cycle uses, each containing the evidence files for the entries in that category (with carry-forward.txt attestation notes when applicable).

ankos-export-<cycle-id>-<timestamp>.zip
├── summary.pdf
├── manifest.json
├── README.txt
└── <NN>-<CATEGORY>/
    ├── <ENTRY-ID>-<slug>.<ext>
    └── carry-forward.txt    (if any entry in this category was carried forward)

Summary PDF

A generated PDF that opens with:

  • Your organization name, cycle ID, and date range
  • A table of contents matching the category folders
  • Per-entry summaries with the state, owner, sign-off status, and any carry-forward attestations
  • The standard "Ankos prepares the case; your QSA makes the final compliance determination" disclaimer

Category folders

One folder per category your cycle uses. Each entry's evidence file keeps its original format (PDF, PNG, DOCX, JSON, etc.) and gets a standardized name of the form <ENTRY-ID>-<slug>.<ext>.

For carried-forward entries, a carry-forward.txt in the folder lists the source cycle, original upload, and every attestation in the chain.

Manifest

manifest.json contains:

  • A SHA-256 hash for every file in the ZIP
  • The export timestamp and the exporting user
  • The full list of entries with their states, sign-off info, and owners
  • The cycle metadata

Your QSA can verify nothing has been tampered with by recomputing the hashes.

README.txt

A plain-text guide for the QSA explaining how the archive is organized, how to cross-reference it against their Document Request List, and how to verify integrity.

What's not in the export

  • Entries in not_started state (no evidence to export)
  • Entries explicitly marked as draft / unshared
  • API keys, user PII, or system-internal metadata
  • Previous cycles (one export = one cycle)

Regenerating after changes

If you upload new evidence or change sign-off status after exporting, the old ZIP is out of date. Re-run the export — each export is independent and timestamped. Old exports remain downloadable from the Exports tab for audit history.

Ankos prepares the case

The export is the case you hand to your QSA. The package is organized and annotated to make their review as fast as possible, but the final compliance determination is made by your QSA. Ankos never declares an entry, a cycle, or a company "compliant."

Next steps

Share with QSA

Send the same package straight to your QSA as a secure link.

Sign-off

What readiness means before you export.

Carry-forward

How reused evidence is presented in the export.

Pre-flight Check

Before you export your cycle to your QSA, Ankos reviews the package and flags weak narratives, placeholder-looking filenames, and entries that look unfinished — so you catch issues before your assessor does.

Share with QSA

Send your evidence package directly to your QSA over a secure, time-limited link — no email attachments, no forwarding.

On this page

How to exportWhat's in the ZIPSummary PDFCategory foldersManifestREADME.txtWhat's not in the exportRegenerating after changesAnkos prepares the caseNext steps