Controls and tests are elements of a compliance framework, a structured set of requirements to help organizations achieve compliance with relevant laws, regulations, and standards.
SOC 2, ISO 27001, and GDPR are examples of external security and privacy frameworks, but larger organizations often define their own frameworks to meet unique business objectives or custom compliance needs.
A control defines an activity, process, procedure or configuration that minimizes risks when followed. Controls are defined by an organization in response to the risks that organization has identified with respect to external or internal compliance frameworks. One control may be mapped to multiple frameworks and may be supported by multiple tests.
Tests are the small units of work that Secureframe has created to demonstrate that certain controls are functioning as intended.
It is important to perform these tests, or monitor them continually, as part of your ongoing compliance program so that you are not surprised when your auditor performs the same or similar tests as part of their audit procedures. One test may support multiple controls across frameworks.