Summary Table per Test Type
All cybersecurity testing produces a summary table that maps each test type to its most recent execution date, the scope covered, the number of findings by severity, the remediation status, and the next scheduled execution date. This summary provides the governance team and assessors with a single-page view of the cybersecurity testing programme’s status.
The table should cover penetration testing, vulnerability scanning, adversarial ML testing, additional threat-specific testing, and red team exercises. For each test type, the table indicates whether the testing is current (executed within the scheduled cadence), whether findings remain open, and what the overall risk posture is.
The summary table is updated after each test execution and reviewed by the AI Governance Lead at the quarterly governance review. It is the primary navigation aid for Module 9 evidence: an assessor starts with the summary table, identifies areas of interest, and navigates to the detailed reports.
Key outputs
- Single-page summary table covering all cybersecurity test types
- Per-test-type status (execution date, findings, remediation, next scheduled)
- Quarterly governance review
- Module 9 AISDP evidence
Detailed Reports in Evidence Pack
Behind the summary table, detailed test reports and remediation records are maintained in the evidence pack with immutable timestamps. Each detailed report captures the test methodology, the scope, the specific findings with evidence (screenshots, logs, reproduction steps), the severity classification, and the recommended remediation. Remediation records capture the action taken, the verification method, and the verification date.
The evidence pack is organised by test type and date, enabling rapid retrieval for conformity assessment, market surveillance, or incident investigation. Each report carries a hash for integrity verification, ensuring that the report has not been modified since it was produced. The retention period is ten years from the system’s placement on the market.
The Conformity Assessment Coordinator maintains an index of all test reports, linked to the summary table and the threat model. This three-layer structure (summary table, detailed reports, threat model) provides navigable, auditable evidence of the cybersecurity testing programme’s coverage and effectiveness.
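As an added illustration (not part of this document or its evidence pack), a short Python sketch of the two mechanisms described above: recording a SHA-256 hash per report at production time so any later modification is detectable, and deriving a summary-table row per test type (last execution, open findings by severity, whether the test is current against its cadence, next scheduled date) from the execution records. Report names, dates, findings and cadences are constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample: report bytes as they would sit in the evidence pack, plus the
# execution record each report backs. All names, dates and findings are made up.
REPORTS = {
    "pentest-2024-03-12.txt": b"Scope: inference API. H-1 auth bypass (open); M-1 verbose errors (closed)",
    "vulnscan-2024-06-03.txt": b"Scope: serving images. M-2 outdated TLS library (closed)",
}
RECORDS = [
    {"test_type": "penetration testing", "report": "pentest-2024-03-12.txt",
     "executed": "2024-03-12", "findings": [("H-1", "high", "open"), ("M-1", "medium", "closed")]},
    {"test_type": "vulnerability scanning", "report": "vulnscan-2024-06-03.txt",
     "executed": "2024-06-03", "findings": [("M-2", "medium", "closed")]},
]
CADENCE_DAYS = {"penetration testing": 365, "vulnerability scanning": 90}  # assumed cadences


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_index(reports: dict) -> dict:
    """Record each report's SHA-256 at production time; this is the integrity reference."""
    return {name: sha256_hex(data) for name, data in reports.items()}

def verify_report(index: dict, name: str, data: bytes) -> bool:
    """True only if the report bytes still match the hash recorded in the index."""
    return index.get(name) == sha256_hex(data)

def summarize(records: list, cadence_days: dict, today: str) -> dict:
    """One summary-table row per test type, derived from the execution records."""
    today_d = date.fromisoformat(today)
    rows = {}
    for rec in records:
        executed = date.fromisoformat(rec["executed"])
        next_due = executed + timedelta(days=cadence_days[rec["test_type"]])
        open_by_sev = {}
        for _fid, sev, status in rec["findings"]:
            if status != "closed":  # anything not verified closed counts as open
                open_by_sev[sev] = open_by_sev.get(sev, 0) + 1
        rows[rec["test_type"]] = {
            "executed": rec["executed"],
            "open_findings": open_by_sev,
            "current": today_d <= next_due,
            "next_scheduled": next_due.isoformat(),
        }
    return rows
```

A report whose bytes no longer match its indexed hash, or a test type whose next scheduled date has passed, is exactly what the quarterly governance review would flag.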
Key outputs
- Detailed test reports per test execution with immutable timestamps
- Remediation records per finding
- Hash-based integrity verification
- Module 9 evidence pack