
Observations are the basis of any informed assessment of whether operations comply with rules and regulations and meet the expected standards. Observations are used to support the findings in the report. They can take the form of screenshots, photographs, or configuration files in plain text.
When you find an anomaly, what is your first response?
First, double-check whether it is a false positive. If the finding is valid, check whether an exception has been granted through the exception process, with a valid reason and the appropriate level of approval.
That is not yet the end. A more responsible cybersecurity practitioner or auditor should also look at the effectiveness of the written directive: whether it is reasonable and practically achievable. This is the hard part, because it may fall outside the scope of the assessment, or the assessor may go solely by the book.
In any case, policy makers should read the report and reconsider whether the written directives are too tight or too rigid, to the point of strangling the business. Bear in mind that the purpose of cybersecurity is to help the business run securely, not to impose unnecessary overhead in the form of protections that bring no material improvement in security. The latter consumes resources on a recurring basis just to keep evidence for compliance.
By the same token, the intention behind establishing cybersecurity laws is good, but the regulator must not micro-manage how organizations secure their infrastructure. Regulation should simply be consequence-based, with different tiers of deterrent as the obligation. The focus should then be on the level of business interruption, used to set the thresholds for mandatory and voluntary reporting of incidents to the regulator. Collecting detailed infrastructure information from every organization would make the regulator's office itself a vulnerable point and attract attackers. Further, the regulator will not be a domain expert in all of these infrastructures and so cannot determine whether protection is sufficient.