Using the Frameworks Views in Secureframe

The new Frameworks page allows you to view your security stance through the lens of framework requirements and how they map to your existing tests. You can also export structured CSVs and Evidence folders to help track progress or collaborate with your Customer Success Manager as you prepare for audit.

With the Frameworks page, you can:

  • Map Framework Requirements to Tests

  • Mark a Framework Requirement as N/A

  • Export Evidence

You can find the Frameworks page in the left side navbar of the Monitoring view.

Frameworks Page Overview

Frameworks in Secureframe (like SOC 2, ISO 27001, HIPAA, etc.) are high-level structures that organize the security and compliance standards your organization is working to meet. Each framework is broken down into requirements, which are tied to mapped controls and ultimately validated through tests. This is just one of several ways Secureframe helps you track and visualize your compliance posture.

While you can review your compliance progress from the Controls or Testing views, the Frameworks view helps you:

  • Understand how each requirement is structured (e.g., CC1.1, CC1.2 for SOC 2)

  • See how many mapped controls support a given requirement

  • Review the health of those controls at a glance (e.g., Healthy, Unhealthy, Not Applicable)

  • Mark entire requirements or mapped controls as Not Applicable (N/A) with justifications when appropriate

  • Assign ownership or edit test mappings directly from this view

Tip: Use the “Show N/A items” toggle to include or hide requirements and controls you’ve excluded from your scope.

For example, a remote-only organization might mark physical security-related SOC 2 requirements as "Not Applicable" and justify that with supporting documentation. That decision, and any related control health, will be clearly reflected in the Frameworks view.

You can also:

  • Click on any requirement (like CC1.2) to view its mapped controls

  • Expand controls to see their associated tests and pass/fail status

  • Use the three-dot menu to assign owners, edit mappings, or mark items N/A

This view is especially helpful during pre-audit reviews, gap analysis, and when collaborating with stakeholders across your organization.

Adding or Deleting Frameworks

Framework access is managed by Secureframe to ensure your subscription includes the right set of frameworks for your compliance goals.

  • Standard Frameworks (e.g., SOC 2, ISO 27001, HIPAA, etc.):
    These frameworks are provisioned based on your Secureframe subscription. If you need to add a new framework or remove one you're no longer using, please contact your Customer Success Manager at success@secureframe.com. Our team will ensure the right frameworks are enabled and help you make adjustments without impacting your compliance progress.

  • Custom Frameworks: If you’ve created a framework using the Custom Frameworks feature, you can rename or delete it directly by clicking the three-dot menu next to the framework name.

Frequently Asked Questions (FAQ)

Why is my test marked Not Applicable or N/A by Secureframe?

  • One scenario is that the Test in question has no mapped Controls, which we call an Unmapped Control State. A new "Unmapped" state more clearly shows which controls are actively being used in your implemented control set. Controls that are not mapped to at least one active framework requirement will now show as "Unmapped" in the Inactive tab of this page.

Where did the Reports page go?

  • The Reports page has been deprecated and replaced by the Frameworks Page, which has a new and improved UX, improved exportability, and uses our new proprietary control layer.

Why can’t I remove a mapping?

  • Mappings for Secureframe-authored controls and tests cannot be deleted. If a test or control is N/A for your business, you are still able to disable it.
  • To edit a control or test, you can also add mappings to other framework requirements or controls. If you would like to replace the control, create a custom control to do so.

How do tests, controls, and framework requirements relate to each other?

  • Tests map to framework requirements through controls. All tests in a control that is mapped to a particular framework requirement will also be mapped to that framework requirement.
  • Framework requirements are specific to a framework, whereas controls can be framework specific or used as common controls across framework requirements.

Can I map my tests directly to a framework requirement without using a control?

  • No, tests can only be mapped to framework requirements through a control.

Why do I have an Internal Framework in my dashboard?

  • Some customers may have an "Internal" framework, which is temporary.
  • In the past, Tests and Controls could be floating and not connected to a framework, and this created issues with the status of the test. To remedy this, we are making a more seamless connection between Controls, Tests, Frameworks, and status, but to do so we need to connect those floating tests/controls to an "Internal" framework for the time being.

If Secureframe doesn't currently offer a framework we need, can we request one?

  • Yes, absolutely! Secureframe is consistently expanding our compliance frameworks. See our complete list of frameworks.
  • Alternatively, if you need a framework right away, consider using our Custom Framework Feature!
