SOC 2 tests and evidence
For general test upload mechanics (Last Uploaded, intervals, tolerance windows, audit Testing tab), see FAQs: Test uploads, tracking, and audit Testing tab.
This article answers common questions about SOC 2 compliance documentation, test evidence, and troubleshooting failing or At Risk tests in Secureframe. It is based on recurring customer support themes.
In the SOC 2 framework, are the default tests sufficient for all controls, or are custom tests required for a SOC 2 Type 1 audit?
Default SOC 2 tests are a strong starting point, but they may not cover every control in your environment. You may still need Custom Upload Tests (manual evidence) or Custom Automated Tests when a tool is not integrated, the default test is broader than your scope, or your control implementation is unique. Create custom tests from the relevant control detail page and map them to the control that needs coverage.
Why is my privacy policy or communication test still At Risk after I uploaded an updated policy?
Uploading the policy document alone may not satisfy a communication or notice test. These tests often require evidence that stakeholders were notified of the change, such as an email announcement, intranet post, or acknowledgment campaign. Check the test description for the required evidence type. Set the activity completion date to when the communication occurred, not when you uploaded the file. Confirm the test interval still covers your audit window.
Why is Vendor compliance reports still failing after I uploaded vendor SOC 2 reports?
Confirm you uploaded the report to the correct vendor record with the right document type. The test checks whether required vendors have a current compliance report on file within the test interval (Annual, Quarterly, or Monthly). Set the activity completion date to the report's coverage period end date or issue date per the test guidance, not the upload date. If the vendor is out of scope, update the vendor record accordingly instead of uploading a report.
Why can't I set a test interval on Security Awareness Training or policy tests?
Test intervals apply to Upload Tests where you manually upload evidence. Platform-based tests, including training completions and published policy acknowledgments, run on automated cadences built into the product. Security Awareness Training is treated as annual by design. Policy tests pass when the policy is published, linked to the policy test, and personnel complete acknowledgments.
What happens to a test that is shared between SOC 2 and another framework (for example, HIPAA)?
Shared tests count toward all linked frameworks. Passing or failing evidence applies to every framework mapped to that test. If you need different evidence per framework, adjust test scope or create framework-specific custom tests.
Why are failing tests still showing for a repository I excluded with a SOC 2 scope filter?
Framework scope filters limit which assets count toward a specific framework, but the global failing tests view may still show items that are out of scope for one framework if they are in scope for another. Filter the Tests page by framework to confirm SOC 2 scope. If a scoped asset still appears incorrectly, verify the scope filter configuration, re-sync the integration, and contact support with the repository name and framework filter settings.
I am not receiving exported test evidence CSV files by email. What should I do?
Check spam and quarantine folders first. Export emails come from Secureframe notification addresses and may be filtered by corporate email security. Retry the export from the test or control detail page. If exports still fail, contact support with the test or control name, export time, and the email address used. Support can often provide the export directly while troubleshooting delivery.
Framework setup and scoping
If I mark Trust Service Criteria or controls as Not Applicable in SOC 2, are they removed from my health score?
Yes. When you mark requirements or controls as N/A in Frameworks because they do not apply to your audit scope, those items should be excluded from your health score calculation. Review the Frameworks view to confirm which controls remain active before your audit.
How do I remove or exclude Processing Integrity from SOC 2?
Exclude the Processing Integrity Trust Service Criterion from your framework scope and mark related requirements N/A in Frameworks. Archive policies you no longer need. Platform default policies generally cannot be deleted; archiving removes them from active use. Support cannot delete policies from the backend unless there is a data issue.
How do I remove or disable CIS IG1 tests if I only care about SOC 2?
If CIS IG1 is enabled as a separate framework or benchmark, disable or remove that framework from your account. SOC 2 tests will remain. If individual tests appear from a bundled mapping, review your enabled frameworks and test scope filters.
How do I link a policy to a framework or control?
Publish the policy, then link it to the paired policy test from the Policies or Tests page. Policy-to-control mappings are handled through the platform's default policy test mappings. If you need a policy to satisfy a specific control outside the default mapping, confirm the policy test is enabled for your SOC 2 scope and assigned to the right personnel groups for acknowledgment.
Where does HR and Operations policy language go in Secureframe's default SOC 2 policy templates?
HR and operations topics are often covered across multiple default templates rather than a single standalone HR policy. Review the Information Security Policy, Acceptable Use Policy, and Code of Conduct templates first. You can add HR-specific sections to the template that best matches your program, or maintain a separate internal HR policy and upload it as evidence if your auditor accepts that approach.
How many controls are in the SOC 2 framework in Secureframe?
The number of controls and tests depends on which Trust Service Criteria you include in scope. Security is required; Availability, Confidentiality, Processing Integrity, and Privacy are optional. Your Frameworks page shows the active control count for your scoped program. Adding optional criteria increases the number of mapped controls and tests.
Is there a cost to add more controls to our SOC 2 framework?
Secureframe does not charge per control within your subscription. Adding Trust Service Criteria or controls increases audit and readiness effort, and may affect auditor fees, but it is not a per-control platform charge. Contact your Customer Success Manager if you are evaluating expanding SOC 2 scope.
