Audit Partners

A guide for our Secureframe Audit Partners.

Using Secureframe as an External Auditor

This guide walks external auditors through how to use the Secureframe platform to retrieve evidence, understand scope, and collaborate with customers during an audit.

Accessing Secureframe

Secureframe access is managed by the Customer Success or Customer Support Team.

You may be granted access:

  • Proactively, once a customer is ready for audit
  • By request via the customer or the Secureframe CSM
  • Provisioned by the customer via the new Audit Module

If you haven't been granted access, contact the dedicated Customer Success Manager (CSM) for the customer you're auditing.

Understanding Customer Roles

  • Admins: Perform platform actions, upload evidence, configure settings.
  • Employees: Complete training and policy acknowledgment.

Each customer is supported by a CSM who ensures the environment is audit-ready and accurately reflects the organization's current scope.

Pre-Audit Review Areas

As an external auditor, it’s important to verify that Secureframe is configured properly to reflect the customer’s environment. Below are the key areas you should review before starting audit fieldwork:

1. Integrations

Check the Integrations tab to confirm:

  • Tools are actively syncing (HRIS, CSP, MDM, VCS, Ticketing)

  • Test start dates align with the audit window

  • Flags are set for auto-collecting vulnerability and access change tickets

⚠️ Reach out to the CSM if any integration is broken or missing key data.

2. Cloud Service Provider (CSP) Settings

Review:

  • Configured cloud providers and regions (e.g., AWS, GCP)

  • Cloud resources pulled into Secureframe for sampling (like EC2 instances)

3. Version Control & Ticketing Tools

Verify:

  • Test start dates match the assessment period

  • Proper checks are enabled for commits, access, and tickets

4. Vendors

Ensure all critical vendors handling sensitive data are listed.

  • For those without direct integrations (e.g., MongoDB), create custom tests to capture relevant evidence (e.g., logging or access control).

5. Sample Populations

Use built-in filters to select samples:

  • Personnel: hire/termination dates (if HR is integrated)

  • Assets: device types via MDM

  • Cloud Resources: system types like EC2 instances

Then map your sample to relevant tests under the correct framework and control.

Creating Custom Tests and Selecting Samples

Secureframe includes a robust test library and powerful integrations, but auditors are still responsible for confirming full coverage based on the customer’s unique environment. There may be situations where you need to create custom tests or manually select samples.

Why This Matters

  • Not all vendors or systems are integrated

  • Frameworks may require specific evidence not covered by default

  • Auditors must justify sample selection and ensure audit defensibility

When to Create a Custom Test

Create a test if:

  • A critical vendor/tool (e.g., MongoDB) is in use but not integrated

  • You need to verify specific controls (e.g., access logging)

Go to the relevant framework → requirement → control, then create a custom test to collect the needed evidence.

Selecting Samples

Use Secureframe’s live data to define samples:

  • Personnel: hire/termination info (via HRIS)

  • Assets: managed devices (via MDM)

  • Cloud Resources: system types like EC2 (via CSPs)

Once selected, link the sample to a test and request supporting evidence directly in-platform.
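The Sample Populations and Selecting Samples steps above leave the selection method to the auditor. The following is an added example, not Secureframe code, showing one defensible way to do it: filter an exported population by the audit window, then draw a seeded random sample and keep a record of the population size, seed and selected IDs so the selection can be re-performed later. The CSV layout, field names (employee_id, hire_date, termination_date) and the records themselves are constructed assumptions for illustration; a real export from the Personnel tab will differ.

```python
"""Reproducible audit sample selection over an exported population.

Added example, not Secureframe code. The export format, the field names and
the constructed records below are assumptions for illustration.
"""
import csv
import io
import random
from datetime import date

# Constructed personnel export (not real data).
PERSONNEL_CSV = """\
employee_id,name,hire_date,termination_date
E001,Alice Example,2023-02-14,
E002,Bob Example,2024-03-01,
E003,Carol Example,2024-06-20,2024-11-30
E004,Dan Example,2022-09-05,
E005,Eve Example,2024-08-12,
E006,Frank Example,2025-01-10,
"""

# Assumed audit window for the example.
AUDIT_START = date(2024, 1, 1)
AUDIT_END = date(2024, 12, 31)


def parse_date(value):
    """Return a date for 'YYYY-MM-DD', or None for an empty cell."""
    return date.fromisoformat(value) if value else None


def load_population(csv_text):
    """Parse the export into records with real date objects."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["hire_date"] = parse_date(row["hire_date"])
        row["termination_date"] = parse_date(row["termination_date"])
    return rows


def in_window(day, start, end):
    """True when the date exists and falls inside the audit window."""
    return day is not None and start <= day <= end


def filter_population(records, start, end, event):
    """Keep records whose hire or termination date is inside the audit window.

    event is "hire_date" or "termination_date", mirroring the hire/termination
    filter an auditor applies before drawing a sample.
    """
    return [r for r in records if in_window(r[event], start, end)]


def select_sample(population, sample_size, seed):
    """Draw a reproducible random sample and record how it was drawn.

    The population is sorted by ID before seeding so the result does not
    depend on the export's row order. If the population is no larger than the
    requested size, every item is selected (a 100% test, not a sample).
    """
    ordered = sorted(population, key=lambda r: r["employee_id"])
    rng = random.Random(seed)
    chosen = ordered if len(ordered) <= sample_size else rng.sample(ordered, sample_size)
    chosen = sorted(chosen, key=lambda r: r["employee_id"])
    record = {
        "population_size": len(ordered),
        "sample_size": len(chosen),
        "seed": seed,
        "selected_ids": [r["employee_id"] for r in chosen],
    }
    return chosen, record


def new_hires_sample(csv_text=PERSONNEL_CSV, start=AUDIT_START, end=AUDIT_END,
                     sample_size=2, seed=20240101):
    """Sample from personnel hired inside the audit window."""
    population = filter_population(load_population(csv_text), start, end, "hire_date")
    return select_sample(population, sample_size, seed)


def terminations_sample(csv_text=PERSONNEL_CSV, start=AUDIT_START, end=AUDIT_END,
                        sample_size=2, seed=20240101):
    """Sample from personnel terminated inside the audit window."""
    population = filter_population(load_population(csv_text), start, end, "termination_date")
    return select_sample(population, sample_size, seed)


if __name__ == "__main__":
    for label, draw in (("new hires", new_hires_sample), ("terminations", terminations_sample)):
        _, record = draw()
        print(label, record)
```

The returned record is what you would paste into the workpapers next to the linked test: anyone with the same export, window and seed can re-run the selection and get the same IDs. The same pattern applies to asset and cloud resource populations by swapping the date filter for a device type or system type filter.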

Exporting Evidence

There are two ways to export data:

  1. Frameworks tab: Download all test evidence, including CSVs for automated tests.

  2. Data Room: Export all platform-based evidence.

Evidence is structured by Framework > Control > Test for clarity.

Reviewing Policies, Training, and Access

  • Policies Tab: View/export policies, owners, and publish dates.

  • Personnel Tab: Track training and policy acknowledgment history.

  • Vendor Access Tab: Review access levels and privileged user status.

  • Risk Management Tab: View current risks, reviews, and history.

  • Vulnerabilities Tab: See unresolved vulnerabilities pulled from integrations (e.g., AWS Inspector).

Using Tasks to Collaborate with Clients

Secureframe allows auditors to communicate directly with clients during evidence review — helping streamline feedback, avoid long email threads, and ensure all requirements are clearly addressed.

Use the Tasks feature to request updates from your client:

  1. Open a test and click Tasks → Add Task

  2. Assign it to a contact, set a due date, and provide context

  3. Optionally tag the test (e.g., Action Required)

  4. Customize the task:

    • Rename it for clarity

    • Add a description explaining what’s needed

    • Assign it to a specific contact

    • Set a due date, if appropriate

Example: “Please upload a screenshot from System X showing access logs with a visible date/time stamp.”

Use tags to filter and track outstanding review items. When tasks are completed and new evidence is uploaded, you can update the test status accordingly.

Need Help?

If you have any questions or issues accessing Secureframe, contact your Secureframe point of contact or email partnerships@secureframe.com.
