FAQs: Tests and controls: evidence, frameworks, and troubleshooting

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Controls

Does changing the owner of a test or control reset the status?

  • No, changing the owner of a test or control does not reset its status.

Does Secureframe provide examples of Enterprise Risk Management controls and tests that can serve as a starting point for organizations?

  • Yes, Secureframe offers practical resources that can serve as starting points for organizations, even if your focus is compliance rather than full-scale ERM.

    Here’s how:

    1. Risk Library: Pre-built Risk Scenarios

    Secureframe's Risk Library is a curated catalog of pre-built risk scenarios based on NIST frameworks, organized by category (e.g., Finance, Legal, IT).

    Each entry includes a description, and you can add entries directly into your risk register to assess likelihood, impact, enabled controls, and further actions.

    This is a great starting point, especially for creating a structured risk register and mapping risks to related mitigation strategies or controls.

    2. Enhanced Risk Management Module: Custom Scoring + Quantitative Assessments

    For more refined and data-driven capabilities, Secureframe offers an Enhanced Risk Management Module. Features include:

    Dashboards with heat maps, trend charts, and summaries, helping you visualize the health and evolution of your risk profile

    Custom scoring scales (e.g., 1–10) and tags, allowing you to define your own risk categories (e.g., “High‑value client risk,” “Compliance-only”)

    Quantitative risk assessment using the Annualized Loss Expectancy (ALE) methodology. You can calculate Single Loss Expectancy (SLE) and ALE to express risks in financial terms, giving you objective, monetary-focused insight into your risk landscape

    This is especially useful if you want your risk evaluations to go beyond qualitative descriptions and include quantitative, financial-informed analysis.

    3. ERM vs. Compliance Risk Management: What’s Included

    Secureframe acknowledges the distinction between Enterprise Risk Management (ERM) and Compliance Risk Management:

    Compliance risk management: This is a subset of ERM, tailored to meet specific standards and regulatory frameworks (e.g., SOC 2, ISO 27001, HIPAA, GDPR)

    ERM: A broader approach to managing all risks that could affect your organization’s ability to achieve strategic objectives—this includes but isn’t limited to compliance risks (also covering strategic, operational, financial, reputational, etc.)

    So even if your current scope is compliance-focused, the tools available (Risk Library, custom scoring, dashboards, quantitative models) are well-suited to gradually expand toward a broader ERM stance as needed.

Does the absence of a Secureframe-authored test mean the control can’t be met?

  • No. Secureframe’s test library covers common implementations, but it is not exhaustive. When a customer uses a different or more specific control mechanism, they should document it through a custom test.

How are compliance requirements, controls, and tests connected?

  • Requirements define what must be done, controls implement those requirements, and tests prove they are working.

How can I change the integration selection in a control test if it is not picking the correct one?

  • The integration used for a control test cannot be switched directly. If you want to use a different test, you can disable the current one and then enable the test that matches the integration you prefer. Test availability can vary by integration, and all tests can be found in the main Tests page and in the Tests Library.

How often should penetration testing be performed on segmentation controls if segmentation is used?

  • At least once every six months and after any changes to segmentation controls/methods.

How often should the effectiveness of logical separation controls be confirmed via penetration testing?

  • The effectiveness of logical separation controls used to separate customer environments is confirmed at least once every six months via penetration testing.

Is organizational independence required for testers of segmentation controls?

  • Yes, organizational independence of the tester is required, but the tester is not required to be a QSA or ASV.

Regarding PHYS control tests (for ISO 27001:2022 or SOC) that are disabled by default: do these only need to be enabled for fully on-premise infrastructure or sensitive offices, or is it necessary to enable them for hybrid companies with any physical footprint at all?

  • Physical security (PHYS) control tests do not need to be enabled by default unless your company has on-premise infrastructure or sensitive office spaces.

    However, if you have any physical footprint (even hybrid), some PHYS controls likely should be enabled — particularly if sensitive data or systems are accessible from those locations.

    For ISO:

    If you're fully cloud-based, you may justify excluding many PHYS controls.

    But if you're hybrid or have offices with access to systems, data, or personnel, some controls (like secure areas, visitor logging, physical access control) should be implemented.

    For SOC 2:

    The AICPA allows for flexibility based on your environment, so if you're cloud-only, PHYS controls may not apply.

    But any office or datacenter with access to production systems, devices, or sensitive data will require PHYS controls.

As a service provider, how often should penetration tests be performed on segmentation controls used to isolate the CDE?

  • Service providers should perform penetration tests on segmentation controls at least once every six months and after any changes to segmentation controls/methods.

What aspects of segmentation controls should penetration tests cover?

  • Penetration tests should cover all segmentation controls/methods in use.

What is the difference between a requirement, a control, and a test?

  • A requirement is the law or rule that must be followed. A control is the process or system put in place to meet that requirement. A test is an auditor's method for evaluating whether a control meets the requirement. For example, an auditor will test whether background checks were performed for new hires to ensure compliance with the background check requirement.

What is the frequency with which PCI DSS normally requires segmentation controls to be verified by penetration testing?

  • Every twelve months.

What should penetration testing cover when validating segmentation controls?

  • All segmentation controls/methods in use.

What should penetration testing verify about segmentation controls?

  • That segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.

What should penetration tests confirm regarding segmentation controls?

  • Penetration tests should confirm that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.

What’s the difference between a test and a control?

  • A control is a rule for your organization (e.g., background screening for new hires). A test is what the auditor looks for (e.g., evidence of a background screening for a recently hired employee).

When segmentation is used to isolate the CDE from other networks, how often should penetration tests be performed on segmentation controls?

  • Penetration tests should be performed on segmentation controls at least once every 12 months and after any changes to segmentation controls/methods.

Who should perform penetration tests on segmentation controls?

  • Penetration tests on segmentation controls should be performed by a qualified internal resource or qualified external third party.

Evidence and uploads

Can evidence submitted for upload-type tests be provided in a language other than English?

  • There is no universal requirement that evidence must be in English. What matters most is that the auditor can reasonably review and understand the evidence in order to perform testing. Customers should work with their auditor prior to the audit to align on acceptable languages and ensure all parties are comfortable with evidence submitted in a language other than English.

Does Secureframe have tests for clock synchronization or Network Time Protocol (NTP) evidence?

  • Today, Secureframe includes related tests such as Audit log timestamps (for various vendors) and a Time synchronization test that requires evidence of system configuration for acquiring and distributing accurate time.

    Currently, these tests are not mapped directly to SOC 2 or ISO 27001 because those frameworks do not call out NTP or clock synchronization as hard requirements. However, some auditors may still look for supporting evidence (e.g., proof that systems use a reliable time source like NTP) as part of broader logging and monitoring controls.

    If your auditor requests this, you can use the existing Time synchronization test to upload configuration evidence, or map timestamp-related tests to your in-scope frameworks as supporting artifacts.

For the performance review and the confidentiality agreement tests, is it enough if I upload only one contract (with the confidentiality clause) and one performance review document as evidence for each test?

  • For readiness prep, uploading a single example (e.g., one performance review and one confidentiality agreement containing the clause) is acceptable as illustrative evidence. This helps confirm that the process and documentation exist.

    However, during the formal audit process, a single document will not be sufficient. Auditors are required to perform sample testing across the relevant population.

    Performance Reviews:
    The auditor will typically request a selection of employee reviews from across the audit period. The sample size depends on how many employees are in-scope but is usually more than one.

    Confidentiality Agreements:
    Similarly, auditors will review confidentiality agreements signed by newly hired employees during the audit period. They will sample multiple records to ensure the process is consistently followed.

    Summary:
    Readiness: One example document is fine as a placeholder.
    Audit: Auditors will select a representative sample from the full population, so you should be prepared to provide multiple documents.

For the “Incident tracking and resolution,” since we haven’t had any incidents, what evidence can we provide to pass this test?

  • If there have been no incidents, performing an incident response tabletop exercise is sufficient. You may also want to show where incidents would be tracked, such as a template or a screenshot of your tracking tool.

How can an auditor push back or flag a control test, and what should be done if they are unable to add comments to the test evidence?

  • Instead of adding comments directly to the test or evidence, we recommend that auditors create a Task for the test in question and assign it to the test owner.

How can I find out who uploaded test evidence?

  • If you know the time and date of the upload, you can find this information in the Audit Log. Look for the relevant entry under the Evidence object to see which user uploaded the evidence.

How can I identify which controls drive evidence collection for integrations like Cloudflare or AWS? What’s automated vs. manual?

  • Yes. To see which tests and controls draw on a given integration:

    Click on the integration (e.g., AWS, Cloudflare) in your Secureframe dashboard.

    This will show you a list of all associated tests and Controls that use data from that integration.

    From there, click “View in Test Library” to see each test in detail — including:

    What the test checks

    Whether it’s fully automated

    Any configuration steps needed

    If manual evidence or setup is required

How do I use the Create a Test Evidence endpoint (POST /tests/{test_id}/evidences) in the Secureframe API?

  • Endpoint: POST /tests/{test_id}/evidences
    Summary: Create a Test Evidence
    Description: Uploads evidence to a Test.
    Category: Test Evidence

    Parameters:
    - test_id (path, string, required): The ID of the Test to attach the evidence to
    - activity_completion (query, string, optional): The date the activity was completed

    Request body (multipart/form-data):
    - file (string): The file you want to attach as evidence

    Responses:
    - default:
    - 400: Bad Request
    - 401: Unauthorized
    - 403: Forbidden
    - 404: Resource not found

    Authentication: header_authorization
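The following is an added example of a minimal upload client for this endpoint, written for this FAQ and not Secureframe's own SDK or sample code. It uses only the Python standard library so you can see the multipart body being built. Three things are assumptions rather than facts from the endpoint description: the API base URL (a placeholder you must replace), that the `header_authorization` scheme means sending your API key in the `Authorization` header, and that `activity_completion` takes an ISO 8601 date (YYYY-MM-DD).

```python
"""Upload a file as Test Evidence via POST /tests/{test_id}/evidences.

Added example for this FAQ; not Secureframe's code. Assumptions: BASE_URL is a
placeholder, the Authorization header carries the API key directly, and
activity_completion is an ISO 8601 date string. Verify all three against the
current API reference before use.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
import uuid

BASE_URL = "https://api.example.invalid"  # placeholder: substitute the real API base URL

# Documented error responses for this endpoint, mapped to readable text.
ERROR_REASONS = {400: "Bad Request", 401: "Unauthorized",
                 403: "Forbidden", 404: "Resource not found"}


def build_multipart(field_name, filename, content, boundary=None):
    """Encode one file as a multipart/form-data body.

    Returns (body_bytes, content_type_header_value). The field name must be
    'file', matching the request body schema in the endpoint description.
    """
    boundary = boundary or uuid.uuid4().hex
    header_lines = [
        f"--{boundary}",
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"',
        "Content-Type: application/octet-stream",
        "",  # blank line separates part headers from the part body
    ]
    head = "\r\n".join(header_lines).encode("utf-8") + b"\r\n"
    tail = f"\r\n--{boundary}--\r\n".encode("utf-8")
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def build_evidence_request(test_id, api_key, filename, content,
                           activity_completion=None, base_url=BASE_URL):
    """Construct, but do not send, the POST request for the endpoint."""
    path = f"/tests/{urllib.parse.quote(test_id, safe='')}/evidences"
    url = base_url.rstrip("/") + path
    if activity_completion:
        # activity_completion is a query parameter per the endpoint description
        url += "?" + urllib.parse.urlencode({"activity_completion": activity_completion})
    body, content_type = build_multipart("file", filename, content)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", content_type)
    req.add_header("Content-Length", str(len(body)))
    req.add_header("Authorization", api_key)  # assumption: key sent as-is in this header
    return req


def upload_evidence(test_id, api_key, file_path, activity_completion=None,
                    base_url=BASE_URL, timeout=60):
    """Send the request; raise a RuntimeError naming the documented status on failure."""
    with open(file_path, "rb") as fh:
        content = fh.read()
    req = build_evidence_request(test_id, api_key, os.path.basename(file_path),
                                 content, activity_completion, base_url)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        reason = ERROR_REASONS.get(err.code, err.reason)
        raise RuntimeError(f"evidence upload failed: {err.code} {reason}") from err
```

Usage is `upload_evidence("<test_id>", os.environ["SECUREFRAME_API_KEY"], "policy.pdf", "2024-05-01")`; keep the key in an environment variable or secret store rather than in the script, since the same key can read and write evidence across your tests.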

How does automatic evidence mapping work when I add a new framework?

  • When you add a new framework in Secureframe, any upload tests that overlap with your existing frameworks will automatically recognize and apply the evidence you’ve already uploaded. This means the evidence will show as in scope for the new framework without requiring you to re-upload it.

    This feature reduces duplicate work, ensures consistency across frameworks, and speeds up audit readiness.

Is it permissible to upload non-English evidence for tests?

  • Evidence requirements may depend on your framework and auditor. We recommend reaching out to your Customer Success Manager for more information and guidance.

Is there a certain list of tests that should require new evidence for a Type 2 in the second year?

  • It depends on the audit window. If it’s 3 months, much of the evidence can be reused. For 12 months, new evidence is likely required. Auditors will generally want evidence from the review period they are testing, and all upload tests will need new evidence.

The auditor requested evidence for “System Change Tracking and Resolution.” Is it appropriate for this request to include code changes, and how should we interpret this control?

  • Yes, in this case it is appropriate. While “System Change Tracking and Resolution” can sometimes be interpreted as covering non-code changes (such as configuration or infrastructure updates), the auditor’s request explicitly scopes this control to code changes. The evidence requested (dates completed, approver name, and segregation of duties) clearly indicates that the auditor expects code change tracking and approval evidence. Because the auditor has explicitly framed the request around code changes, it is reasonable and within scope for them to request this information.

What access role is required to add evidence to a test in the system?

  • Admin access should be sufficient to allow users to contribute to test evidence.

    If you need a stricter role, you can review our custom roles [here](https://support.secureframe.com/hc/en-us/articles/4416981247507-Access-Roles-Role-Based-User-Access-RBAC).

What evidence can the customer provide to pass the physical security tests?

  • If the server room is in scope, acceptable evidence includes:

    A written Physical Security Policy describing access controls

    A visitor log (even a simple spreadsheet or paper log)

    Evidence of a physical access review (annual PDF or meeting notes)

    Pictures of the locked server room door

    Documentation explaining who controls environmental systems (if disabled)

    These meet the minimum SOC 2 expectations without requiring badges, turnstiles, or automated tracking systems.

What is the maximum file size I can upload as evidence for individual tests?

  • The maximum file size for evidence uploads in Secureframe is 500MB per file.
    You can upload multiple files as long as each one is under the 500MB limit.

What kind of evidence is needed for the baseline configurations test?

  • For AWS, use AMIs or golden images, EC2 instances, or any vendor documentation or screenshots showing how your systems are configured. The auditor wants to see that you have baseline security configurations before spinning up instances.

What Test Evidence endpoints are available in the Secureframe API?

  • The Secureframe API provides the following Test Evidence endpoint, which is used to create Evidence for a Test:

    - POST /tests/{test_id}/evidences - Create a Test Evidence

What type of evidence satisfies the Role-based access control (RBAC) control?

  • The organization should know what privileged access teams, departments, and individuals have. Ensure privileged permissions are separated from non-privileged personnel and accounts. Vendors that carry customer data or have user access should also be included.

What types of tests does Secureframe use for evidence collection?

  • Secureframe conducts three types of tests: 1) Integration-Based Tests (automated evidence collection via integrations), 2) Platform Tests (compliance tasks like policy acknowledgments and training), and 3) Upload Tests (manual uploads to cover any gaps).

Why are some of my ISO 42001 tests showing as passing even though the evidence uploaded (e.g., Data Flow Diagram, Statement of Applicability) doesn’t specifically reference AI?

  • This can happen because many ISO 42001 tests overlap with ISO 27001. If you already had evidence mapped to ISO 27001 before enabling ISO 42001, the platform automatically mapped it across. While this makes 81% of your ISO 42001 tests appear as passing, the evidence may not be AI-specific.

    To ensure accuracy, you should scope your evidence to your AI system:

    When uploading evidence, use the prompt to select the framework(s) it applies to.

    If ISO 42001 was added after you uploaded the original files, go to Frameworks → ISO 42001 → Testing tab and upload AI-relevant evidence for each test as needed.

    This way, your evidence reflects AI-specific practices rather than just inherited ISO 27001 documentation.

Failing tests and remediation

A GitHub pull request was labeled as an emergency exception, but the "Code Pull Request Approvals (GitHub)" test is still failing. Why?

  • The emergency label must be applied to the PR before it is merged for Secureframe to recognize it. If the label was added after the PR was already closed/merged, the test will continue to fail because it does not retroactively evaluate historical PRs. To resolve this going forward, ensure emergency labels are applied prior to merging. For PRs where the label was added post-merge, use the exception or risk acceptance workflow in Secureframe to document the deviation.

Can Secureframe automatically send detailed failing test results or Slack/Jira notifications when tests fail?

  • Secureframe currently allows tasks to be manually or bulk created and sent to Jira, but automatic task creation and detailed failing resource results in notifications are not supported yet. Slack test notifications are planned as part of future notification improvements.

Can we get a list of all tests and the date they started failing or passing?

  • Yes, but you need to file a ticket with engineering to pull that information. It is not available as an export in Secureframe.

Can you help me understand why I'm failing some CloudFront WAF tests? I put a WAF rule on the distribution but it's still showing as failing for two of my CF distros.

  • The most likely reason is that the test results are stale.

    If you have recently made changes to the rules, make sure the test is recently synced, which would pull in new changes from the integration.

How can I integrate Slack to receive notifications for failing tests and vulnerabilities in Secureframe?

  • Secureframe does not currently support Slack notifications for failing tests or vulnerabilities. You can, however, enable admin email alerts for these events in My Settings.

How should vulnerabilities found during penetration testing be remediated?

  • Vulnerabilities should be remediated in accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.3.1.

I completed the “Anti-malware enforcement for user endpoints (Microsoft Intune)” test, but it still shows as failing. How do I fix this?

  • For Intune-based tests, ensure that:

    Anti-malware configuration is in place – Verify anti-malware is enabled and scanning on all in-scope devices, with up-to-date virus definitions.

    Devices are in compliance – All in-scope devices must be monitored and meet this configuration.

    Integration is synced – From the Integrations page in Secureframe, sync the Intune connection to pull updated compliance data.

    If the test remains failing, check Intune’s compliance report to see which devices are out of compliance and remediate them before syncing again.

I want a member on our team to have access to failing tests so he can help remediate them. I put him on the Information Security Team but he can't access most of the Secureframe platform, why?

  • To access the administrative portion of the Secureframe platform, such as the Tests page, Frameworks, Controls, and more, the user first needs to be set as an Admin.

    In this case, you can either make them an Admin, which grants access to most of the platform, or create a custom admin role that limits the user to only the specific portions of the platform they need.

I want to use a script to read test failures, is that possible?

  • Yes. Our new MCP Server exposes 11 read-only endpoints, including tests, controls, users, and more.

    Learn more about MCP [here](https://support.secureframe.com/hc/en-us/articles/42425225937299-Secureframe-MCP-Server-AI-Driven-Compliance-Insights).

Is it normal for a cloud infrastructure load balancer test to fail if there are no load balancers present?

  • If no resources are being pulled in, this could indicate an issue with your integration or its configuration. We recommend reviewing your integration settings to ensure it is connected and configured correctly so resources can be pulled in properly. If you continue to experience issues, please reach out to our support team and we will be happy to help!

Our Elastic Load Balancer HTTPS test is failing, but our AWS console shows HTTPS is configured. Why?

  • The test checks whether all listeners on a load balancer use HTTPS. If your load balancer has an HTTP listener on port 80 — even if it only exists to redirect traffic to HTTPS on port 443 — the test will flag the entire load balancer as failing. This is expected behavior from our scanning engine. To resolve this, you can mark that specific load balancer resource as out of scope in Secureframe, which will exclude it from the test results.
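To make the rule concrete, here is an added example (written for this FAQ, not Secureframe's scanning engine) that applies the same all-listeners-must-be-HTTPS rule to listener records shaped like the `Listeners` list returned by the ELBv2 `DescribeListeners` API, and then adds a second, local triage step that tells a redirect-only port 80 listener apart from a listener actually serving plaintext traffic. The triage logic and the sample load balancers are this example's own constructions.

```python
"""Why an HTTP->HTTPS redirect listener still fails a strict 'all HTTPS' check.

Added example; not Secureframe's code. Listener dicts follow the shape of the
ELBv2 DescribeListeners response (Protocol, Port, DefaultActions). The triage
classification is local review logic to help decide between remediation and
marking a resource out of scope; it is not how Secureframe evaluates the test.
"""


def all_listeners_https(listeners):
    """The strict rule the FAQ describes: every listener must use HTTPS."""
    return all(l["Protocol"] == "HTTPS" for l in listeners)


def is_pure_https_redirect(listener):
    """True for an HTTP listener whose only default action is a redirect to HTTPS."""
    if listener["Protocol"] != "HTTP":
        return False
    actions = listener.get("DefaultActions", [])
    if len(actions) != 1 or actions[0].get("Type") != "redirect":
        return False
    return actions[0].get("RedirectConfig", {}).get("Protocol") == "HTTPS"


def triage(listeners):
    """Classify one load balancer: pass, redirect-only failure, or plaintext failure."""
    if all_listeners_https(listeners):
        return "pass"
    non_https = [l for l in listeners if l["Protocol"] != "HTTPS"]
    if all(is_pure_https_redirect(l) for l in non_https):
        # Fails the strict test, but only because of the HTTP->HTTPS redirect.
        return "fail: redirect-only HTTP listener"
    # At least one non-HTTPS listener forwards traffic: fix this, do not scope it out.
    return "fail: plaintext listener serving traffic"


def summarize(load_balancers):
    """Map load balancer name -> triage result."""
    return {name: triage(listeners) for name, listeners in load_balancers.items()}


# Constructed sample data (not real infrastructure).
SAMPLE_LBS = {
    "web-prod": [
        {"Protocol": "HTTP", "Port": 80, "DefaultActions": [
            {"Type": "redirect",
             "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
        {"Protocol": "HTTPS", "Port": 443, "DefaultActions": [
            {"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:PLACEHOLDER"}]},
    ],
    "api-prod": [
        {"Protocol": "HTTPS", "Port": 443, "DefaultActions": [{"Type": "forward"}]},
    ],
    "legacy-admin": [
        {"Protocol": "HTTP", "Port": 8080, "DefaultActions": [{"Type": "forward"}]},
    ],
}

if __name__ == "__main__":
    for name, result in summarize(SAMPLE_LBS).items():
        print(f"{name}: {result}")
```

With boto3, `elbv2.describe_listeners(LoadBalancerArn=arn)["Listeners"]` yields the same listener shape, so `triage()` can be run against real load balancers before you decide whether to mark one out of scope (with a justification that it only redirects) or to remediate it.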

The Salesforce "Multi-factor authentication" test is showing failing users even though MFA is enforced at the org level. Why might this still fail?

  • The Salesforce MFA test checks for the "Manage Multi-Factor Authentication in API" permission, which is a separate setting from org-level MFA enforcement. Even if MFA is enforced at the Salesforce org level and users cannot log in without it, the test may still flag users — particularly Chatter Free users, integration users, and some standard users — if this specific permission has not been granted. Enabling the "Manage Multi-Factor Authentication in API" permission resolves the failing test results.

We have a few small repos with production-like code (e.g., simple scripts for versioning) that don’t need PR approvals. They keep failing the “Require Branch Approval” test. Do we need to manually ignore every PR, or is there a better approach?

  • For utility repos that don’t impact production, the recommended approach is to mark the entire repo Out of Scope with a short justification. This prevents recurring test failures. If you’d rather keep them tracked, you can instead create a documented Exception/Waiver for those repos.

What should be done if there are Github integration failures that are believed to be transient errors, but the related PRs no longer exist for re-testing?

  • This can be handled in different ways depending on when the integration and tests were configured and whether the failures are related to a misconfiguration. Because this can vary by setup and compliance context, we recommend reaching out to Support or your Customer Success Manager so they can review your configuration and advise on the best next steps.

When Secureframe bulk-creates tasks for multiple failing tests, how are Jira tickets and task details handled?

  • Secureframe creates one task and one Jira ticket per test when tasks are bulk created. Each ticket is generated separately and automatically includes test-specific details such as the test name, remediation guidance, and links to the test. This allows each test to be tracked and resolved independently, and tasks can automatically close when the associated test passes.

Why are my Code Change tracking (GitHub) tests failing?

  • Check if the product code (master) branches are configured in asset/version control for all in-scope repositories. If you’re not using integration tests or static code analysis, you can disable those tests.

Why are my GCP VPC Network & Route Logging and Alerting tests failing even though logging and alerts are configured?

  • These tests require that logs-based metrics and alert policies match Secureframe’s exact expected filter patterns and exist in every GCP project connected to Secureframe. Even small differences in filters, or missing metrics in one connected project, will cause the test to fail.

    To pass these tests, Secureframe checks that:

    A logs-based metric exists with the exact expected filter

    An alert policy is created from that metric

    The alert is enabled and has at least one notification channel

    The alert does not need to be actively firing

    The metric and alert exist in all connected GCP projects, not just one

Why are my Google Workspace users failing the MFA test even though they have passkeys enrolled?

  • Passkeys are not automatically configured as a second factor for MFA when first enrolled, so additional setup is required for Secureframe to recognize them as having MFA. To resolve this:

    Have your Workspace admin check Security Settings and confirm that Passwordless logins are disabled. You can find more information in Google's Workspace Support Documentation.
    Once Passwordless logins are disabled, each affected user will need to go into their individual settings, turn on MFA, and set their passkey as the second step. This may require assistance from a Workspace admin. Instructions can be found in Google's User Support Documentation.

Why does Secureframe fail the “Limited IAM Root Account Use (AWS)” test when we occasionally log into the root account?

  • AWS root account use is highly restricted and should be exceptional only (e.g., billing or account recovery).
    Secureframe flags usage because:

    Any root login is considered a significant event

    Root access has full administrative power with no guardrails

    Platforms often implement a cool-down period to surface potential risky behavior and encourage least-privilege access.

Why is my "Security policies are reviewed and updated" test failing even though I recently updated my policies?

  • This test requires all published policies to have been reviewed and updated within the past 12 months. If the test is failing, it means at least one policy hasn't been updated recently enough.
    To resolve this:

    Go to your Policies page in Secureframe
    Check the "Last Updated" date on each published policy
    Look for any policies that haven't been updated in the last 12 months
    Review and re-publish those policies

    Once all policies show a recent update date, the test will pass on the next evaluation.
    Common issue: If you recently did a policy review, double-check that you didn't miss any policies (like the Security Incident Response Plan, which is sometimes overlooked).

Why is my Azure DevOps code integration test failing for old pull requests after I configured the repository?

  • Code integration tests evaluate whether checks were performed on pull requests at the time they were merged. If you configure repository checks in Secureframe after pull requests have already been merged, those historical PRs will fail the test because the required checks were not configured at the time of merging. Secureframe cannot retroactively evaluate historical pull requests. To resolve this, you have two options: move your Azure DevOps testing start date to after the repository was properly configured in Secureframe, or mark the failing historical results as ignored and provide a justification explaining that the repository checks were not configured at the time those PRs were merged.

Why is the AKS cluster patching (Kubernetes – Azure) test failing even though we use a supported AKS version (for example, the “Stable” channel)?

  • This test does not evaluate whether your AKS cluster is on a supported or “N-1” minor version. Instead, it checks whether Azure reports any pending Kubernetes upgrades for the cluster.

    If Azure indicates that an upgrade is available (for the control plane or node pools), the test will be marked as failing until that upgrade is applied or completed.

Why is the CloudWatch monitoring metrics (AWS) test failing for the Sign in without MFA alert when the metric for the alert appears to be updated on the AWS side?

  • One common scenario is that you may have an unmatched filter pattern for Sign In Without MFA.

    We expect one of the patterns below:

    { ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }

    or

    { ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) && ($.userIdentity.sessionContext.mfaAuthenticated != true) && ($.userIdentity.sessionContext.sessionIssuer.arn != %/sso.amazonaws.com/%) }

    or

    { ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) && ($.userIdentity.type = IAMUser) && ($.responseElements.ConsoleLogin = Success) }

    You can still use your own custom patterns, but the patterns we look for must also be present alongside them.
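To see what each of the three patterns actually counts, here is an added example (written for this FAQ, not Secureframe's code and not the CloudWatch Logs filter engine) that evaluates constructed CloudTrail ConsoleLogin events against the three patterns. It shows why the longer patterns exist: the second one excludes IAM Identity Center (SSO) sign-ins, and the third counts only successful IAM user sign-ins. Field semantics are simplified, in particular a missing field is treated as not equal to the compared value; that is an assumption, so check the CloudWatch Logs filter pattern documentation for exact behaviour before relying on it.

```python
"""Evaluate ConsoleLogin events against the three Sign In Without MFA patterns.

Added example; not Secureframe's code. The events below are constructed, with a
placeholder AWS account ID. Missing-field handling is a simplification (assumption).
"""


def get_path(event, dotted_path):
    """Resolve a '$.a.b.c'-style path (without the '$.') against a nested dict."""
    current = event
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def pattern_basic(ev):
    # { ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }
    return (get_path(ev, "eventName") == "ConsoleLogin"
            and get_path(ev, "additionalEventData.MFAUsed") != "Yes")


def pattern_excluding_sso(ev):
    # basic && ($.userIdentity.sessionContext.mfaAuthenticated != true)
    #       && ($.userIdentity.sessionContext.sessionIssuer.arn != %/sso.amazonaws.com/%)
    mfa_auth = str(get_path(ev, "userIdentity.sessionContext.mfaAuthenticated")).lower()
    issuer_arn = get_path(ev, "userIdentity.sessionContext.sessionIssuer.arn") or ""
    return (pattern_basic(ev)
            and mfa_auth != "true"
            and "/sso.amazonaws.com/" not in issuer_arn)  # %...% is a substring match


def pattern_iam_user_success(ev):
    # basic && ($.userIdentity.type = IAMUser) && ($.responseElements.ConsoleLogin = Success)
    return (pattern_basic(ev)
            and get_path(ev, "userIdentity.type") == "IAMUser"
            and get_path(ev, "responseElements.ConsoleLogin") == "Success")


PATTERNS = {
    "basic": pattern_basic,
    "excluding_sso": pattern_excluding_sso,
    "iam_user_success": pattern_iam_user_success,
}


def matches(event):
    """Return {pattern_name: bool} for one CloudTrail event."""
    return {name: fn(event) for name, fn in PATTERNS.items()}


# Constructed sample events (account ID is a placeholder).
SSO_ROLE_ARN = ("arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
                "AWSReservedSSO_Admin_PLACEHOLDER")
SAMPLE_EVENTS = {
    "iam_user_no_mfa": {
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "sessionContext": {"mfaAuthenticated": "false"}},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    "iam_user_with_mfa": {
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "sessionContext": {"mfaAuthenticated": "true"}},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    "sso_federated": {
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "AssumedRole",
                         "sessionContext": {"mfaAuthenticated": "false",
                                            "sessionIssuer": {"arn": SSO_ROLE_ARN}}},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    "iam_user_no_mfa_failed": {
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "carol",
                         "sessionContext": {"mfaAuthenticated": "false"}},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Failure"},
    },
}

if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        print(label, matches(event))
```

To compare what is actually deployed with the expected patterns, list the filters on your CloudTrail log group with `aws logs describe-metric-filters --log-group-name <your log group>` and check that one of the three pattern strings above appears verbatim.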

Why is the “Athena workgroup configuration override (AWS)” test failing in some regions but passing in others, even though settings appear identical?

  • This test checks whether the Athena workgroup disables client-side overrides for configuration options, which is done by enabling the setting:
    “Override client-side settings” → Turned ON

    However, there’s an additional nuance. If a workgroup has a Query result location (OutputLocation) configured, that value is always used unless the override is explicitly turned on. This can cause the test to fail even if the UI appears identical across regions.

    In your case:

    The ca-central-1 region is passing because no OutputLocation is set, meaning there’s no implicit override risk.

    The us-east-1 and us-west-2 regions are failing because an OutputLocation is configured and “Override client-side settings” is not enabled, which introduces the potential for unintended query result storage.

    [See AWS documentation](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html)
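The following is an added example (written for this FAQ, not Secureframe's test logic) that classifies Athena workgroups per region using the same reasoning as the answer above. The input follows the shape of the `WorkGroup.Configuration` object returned by the Athena `GetWorkGroup` API, where `EnforceWorkGroupConfiguration` is the field behind the “Override client-side settings” toggle and `ResultConfiguration.OutputLocation` is the query result location. The sample configurations for the three regions are constructed to mirror the scenario described; the bucket name is a placeholder.

```python
"""Classify Athena workgroups by override enforcement and OutputLocation, per region.

Added example; not Secureframe's code. Configuration dicts follow the shape of
Athena GetWorkGroup -> WorkGroup.Configuration. Sample data is constructed.
"""


def classify_workgroup(configuration):
    """Return (status, reason) for one workgroup configuration."""
    enforce = bool(configuration.get("EnforceWorkGroupConfiguration", False))
    output = configuration.get("ResultConfiguration", {}).get("OutputLocation")
    if enforce:
        # Workgroup settings override client-side settings: no implicit override risk.
        return "pass", "Override client-side settings is enabled"
    if output:
        # OutputLocation is set but clients may still override it.
        return "fail", f"OutputLocation {output} is set but override is not enforced"
    return "pass", "no OutputLocation configured, so no implicit override risk"


def report(configs_by_region):
    """Map region -> pass/fail for a set of per-region workgroup configurations."""
    return {region: classify_workgroup(cfg)[0] for region, cfg in configs_by_region.items()}


def fetch_configs(workgroup_name, regions):
    """Pull live configurations with boto3 (optional; requires AWS credentials)."""
    import boto3  # imported here so the rest of the example runs offline
    configs = {}
    for region in regions:
        athena = boto3.client("athena", region_name=region)
        wg = athena.get_work_group(WorkGroup=workgroup_name)["WorkGroup"]
        configs[region] = wg.get("Configuration", {})
    return configs


# Constructed sample mirroring the scenario in the answer (placeholder bucket).
SAMPLE_CONFIGS = {
    "ca-central-1": {"EnforceWorkGroupConfiguration": False,
                     "ResultConfiguration": {}},
    "us-east-1": {"EnforceWorkGroupConfiguration": False,
                  "ResultConfiguration": {"OutputLocation": "s3://PLACEHOLDER-bucket/athena-results/"}},
    "us-west-2": {"EnforceWorkGroupConfiguration": False,
                  "ResultConfiguration": {"OutputLocation": "s3://PLACEHOLDER-bucket/athena-results/"}},
}

if __name__ == "__main__":
    for region, cfg in SAMPLE_CONFIGS.items():
        status, reason = classify_workgroup(cfg)
        print(f"{region}: {status} ({reason})")
```

Running `report(fetch_configs("primary", ["ca-central-1", "us-east-1", "us-west-2"]))` against your account shows which regions need the override enabled; the fix in the failing regions is to turn on “Override client-side settings” for the workgroup rather than to remove the OutputLocation.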

Frameworks and mappings

Can controls and tests apply to multiple frameworks?

  • Yes, common controls can be mapped across different frameworks to improve efficiency and reduce redundancy.

Do we have mapping guidance available for ISO 27018:2019 controls?

  • At this time, Secureframe does not provide an out-of-the-box control mapping for ISO 27018:2019.

    The newest version of the standard (ISO/IEC 27018:2025) has recently been released, but since it is a licensed standard, customers will need to purchase it directly from ISO to review the official requirements (link [here](https://www.iso.org/standard/27018)).

    On our compliance side, building support for ISO 27018 is already on our roadmap, though we don’t have a confirmed ETA for release yet.

From a controls perspective, are ISO 42001 framework and NIST AI RMF equivalent?

  • No, ISO 42001 and the NIST AI RMF are not equivalent, though they are complementary in many areas.

    ISO/IEC 42001 is a certifiable management system standard specifically designed for Artificial Intelligence Management Systems (AIMS). It follows a structure similar to other ISO standards (like ISO 27001) and includes specific control requirements for governing the responsible development and use of AI within an organization. It provides a framework for establishing policies, assigning responsibilities, managing risks, and continually improving AI governance.

    NIST AI RMF, on the other hand, is a voluntary guidance framework developed by the U.S. National Institute of Standards and Technology. It focuses on helping organizations evaluate, manage, and mitigate AI risks across the lifecycle of AI systems. It’s structured around core functions—Govern, Map, Measure, and Manage—but it does not prescribe certifiable controls.

    In short:

    ISO 42001 = Prescriptive, certifiable, control-based standard

    NIST AI RMF = Flexible, guidance-oriented risk management framework

    Organizations may choose to implement both: NIST AI RMF can help inform risk identification and mitigation strategies, while ISO 42001 provides the formal structure and requirements for building an auditable AI management system.

How can I verify if a specific control exists within the NIST 800-53 standards or any framework?

  • To check if a specific control exists in the NIST 800-53 framework (or any framework) within Secureframe, follow these steps:

    Go to the Frameworks page in the Secureframe platform.

    Click “View Details” next to the NIST 800-53 framework.

    You’ll see a full list of control categories, with each control listed by control ID, name, and description.

    Each control will also show any associated tests that Secureframe uses to validate compliance.

    Alternative method:
    You can also use the Controls section in Secureframe to search for a specific control ID or keyword. From there, you can filter the results by framework (e.g., NIST 800-53) to narrow down the list.

Is it possible to filter by the mapped frameworks on the policies page?

  • Yes, you can do this by filtering by ‘groups’, since frameworks are pre-assigned to groups.

Our auditor requested a test stating that “The Company’s security team subscribes to and receives emerging security threat information from various sources to assist in the identification of risks and emerging threats.” What control should this be mapped to?

  • The correct mapping depends on the compliance framework in scope:

    For SOC 2 (CC2.1 – Communication and Information): This test is typically mapped to ORG-05 (risk identification and monitoring). If desired, you can also create a custom control mapped to CC2.1 to capture the requirement more explicitly.

    For other frameworks: The most appropriate control may vary. Some users map this type of test to NET-04 (Network monitoring and threat intelligence) or a similar control, depending on how the framework defines emerging threat monitoring.

    If your auditor requires this test specifically, we recommend confirming their expectation and then either:

    Mapping it to an existing control such as ORG-05, or

    Creating a new custom control to ensure it’s documented and tracked.

What is an example of framework mapping?

  • A company implementing password policies can use the same controls and tests to meet multiple framework requirements, such as SOC 2 and ISO 27001.

Tests and monitoring

Can a single document upload be used to satisfy multiple tests, or does each test require a separate document upload?

  • Secureframe does not currently have a dedicated “map this evidence to multiple tests” feature. Each test has its own evidence record, so a document is uploaded and associated to one test at a time.

    That said, Secureframe automatically cross-maps controls across frameworks (for example SOC 2, ISO 27001, GDPR). When a control passes in one framework, the corresponding mapped controls in other frameworks will also pass — so in many cases you do not need to upload the same document multiple times.

    If a document truly needs to be reused for another test, you can duplicate the file and upload it again to the additional test.

    In practice, most customers rely on control cross-mapping and rarely need to re-upload the same evidence across multiple tests.

For the "System processing documentation" test, what is needed to pass this test?

  • This test relates to the SOC 2 processing integrity criteria. It asks you to show how data is taken in, processed, and output by your system. A data flow diagram is the most common evidence, but it does not have to be one: anything that describes what your system's data processing does and looks like, such as a system description or a system manual, is acceptable.

For the “Password Manager for Shared Accounts” test, can customers use built-in browser password managers like Google Password Manager or Microsoft Edge Password Manager?

  • Yes — as long as they are using the password manager properly and it meets the intent of the control:

    Passwords are securely stored and encrypted
    Access is restricted — only authorized users can view shared credentials
    MFA protects the account tied to the password manager
    There is clear ownership and accountability for shared access

    Examples that are acceptable when configured securely:

    Google Password Manager → passwords.google.com

    Microsoft Edge Password Manager

    In cases where passwords are highly sensitive or shared widely, a dedicated enterprise password manager (e.g., 1Password, LastPass, Bitwarden) is often recommended — but not strictly required to pass the Secureframe test.

Is it mandatory to enable Multi-AZ for RDS instances to pass the "RDS instance availability zones" test?

  • No, this test is not a mandatory requirement. Enabling Multi-AZ is recommended as a best practice for high availability, but it's not required for compliance.
    If you choose not to enable Multi-AZ due to cost considerations, you should:

    Document a risk acceptance explaining your decision
    Implement compensating controls such as:

    Regular automated backups
    Tested restoration procedures
    Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
    Incident response procedures for database failures

    This approach allows you to remain compliant while managing costs according to your business needs.

Our static code analysis (SAST) is running, but it's not part of our CI/CD pipeline. Will the "Code Static Application Security Testing (GitHub)" test pass?

  • No. For the SAST test to pass in Secureframe, the static analysis tool must be configured and running inside the CI/CD pipeline itself. Secureframe pulls this configuration from pipeline settings, not from the repository configuration. Simply running SAST outside the pipeline is not sufficient. The tool does not need to be a blocking step, but it does need to be integrated into the pipeline and correctly named/configured so Secureframe can detect it.

What does Code Integration Testing on GitHub encompass? Does it include security, component, functional, or UI testing?

  • This test is intended to confirm that integration testing is part of the CI/CD pipeline and runs automatically on code changes before they are merged into the production branch.

    Integration testing, in this context, refers to testing how different components of the application work together. The scope of these tests may include functional, component-level, or even UI tests depending on how the test suite is designed.

    While additional tests such as security scans or static analysis may also run in the pipeline, the requirement for this control is specifically that integration tests are triggered and passed before code is merged to production.

What does the “Security features for insecure services” test mean, and how do I pass it?

  • This test ensures that security features are implemented for all insecure services, daemons, and protocols in your environment — a key principle of least functionality.

    How to pass this test:
    You must upload evidence that demonstrates these services are secured or disabled. Examples include:

    Port or protocol hardening documentation (e.g. disabling Telnet or FTP)

    Firewall or security group configurations

    System configuration screenshots showing unnecessary services disabled

    Network scanning reports confirming unused/insecure services are closed or blocked

    Additional Guidance:
    This test is about limiting exposure to insecure functionality. You can think of it as proving your environment only runs what is absolutely necessary.

    It aligns with the broader compliance goal of least functionality—ensuring only required services are enabled.

    If you're already passing 2 out of 3 tests for the associated control, this test can sometimes be disabled upon request, depending on your framework requirements.

    If you’re unsure what counts as an insecure service, think about outdated protocols (e.g. SMBv1, Telnet, HTTP), unused daemons, or open ports not in use.

What should I do if I can't select any options from the "select resource category" drop-down menu when creating a custom automated test in Secureframe?

  • If the "Select Resource Category" drop-down is blank, it's likely because no integrations have been connected that pull in resources. Custom Automated Tests rely on integrated applications (like GitHub, AWS, etc.) to provide resource data.

    To resolve this:

    First, integrate with a supported application that pulls in relevant resources (e.g., GitHub, AWS, Azure).

    Once resources are ingested, the drop-down menu will populate and allow you to select a category.

    For full setup instructions, refer to our Custom Automated Tests article.

What steps should be taken to pass the "Unique accounts for customer instances" test in PCI compliance?

  • To pass the "Unique accounts for customer instances" test for PCI:

    You’ll need to upload evidence that demonstrates each customer instance is accessed using unique, individual credentials—not shared logins.

    Acceptable examples of evidence:
    A screenshot or exported list from your access control system (e.g., AWS IAM, Azure AD, Okta) showing named user accounts per customer environment.

    A policy or SOP that states shared credentials are not permitted and that all access must be uniquely assigned.

    Audit logs showing individual user access events tied to customer environments.

    Access provisioning documentation demonstrating how accounts are created uniquely per user and per customer.

    Why PCI requires this:
    PCI DSS Requirement 8.1.1 (v3.2.1; numbered 8.2.1 in PCI DSS v4.0) mandates that all users must be assigned a unique ID before being allowed to access system components. This ensures accountability and traceability for every access event.

Which upload tests should I enable if we don’t integrate with a developer tool?

  • Recommended upload tests:

    Code change tracking
    Code dependency testing
    Code integration testing
    Code pull request approvals
    Code static application security testing
    Multi-factor authentication for developer tools
    Password requirements for version control
    Version control branch approval configurations
    Version control repository inventory
    Version control repository ownership
    Version control tool system

    Each test in Secureframe will provide guidance on what to upload to help satisfy the evidence requirements.

Who is required to complete AI training to pass the AI Training test?

  • Typically, only personnel who directly work with, develop, manage, or interact with AI systems are required to complete AI training. Employees who do not work with AI or AI-related processes are generally not required to complete this training to meet the test requirements.

Why did our upload test continue showing as passing after the test interval expired, and only updated after a manual refresh?

  • Upload tests are evaluated by a daily automated run. There is a brief window after midnight where the test table may show an evidence upload as overdue, but the pass/fail status won't update until the daily run processes it. If the automated run fails to execute, the test status will not update until either the next scheduled run or a manual refresh is triggered. If you notice a test is not reflecting the expected status, manually refreshing the test will force an immediate evaluation and update the result correctly.

Additional customer questions

Do test intervals populate automatically?

  • Test intervals in Secureframe don't populate automatically. They are a configurable feature that you need to set up manually. Test intervals let you define how often a test comes due again and its evidence must be refreshed, such as monthly, quarterly, or yearly.

    When you set up a test interval, a new instance of the test is automatically created in the future based on the interval and due date you choose. This helps ensure that your evidence is regularly updated and that you remain compliant.

    To set up a test interval, you'll need to click on the "Test Interval" option and fill out the necessary fields in the pop-up modal. This way, you can customize how often each test needs to be reviewed and updated.

How does Secureframe define a service account, and how does that relate to the test “User identity is confirmed prior to granting login access to a service account”?

  • A service account is a non-human account used by applications, systems, or services to perform automated tasks such as running background jobs, connecting applications to databases or APIs, or executing automation scripts. These accounts are not tied to a single employee and are often identified by generic email addresses or naming patterns like “svc”, “bot”, or “automation”.

    Because service accounts typically have elevated privileges and are not linked to an individual by default, Secureframe requires evidence that any login or use of a service account can be traced back to a verified user identity. This means organizations must implement controls such as SSO, MFA, or role assumption so that when a person accesses or uses a service account, their identity is first confirmed and logged. The test is designed to ensure that service account activity is always attributable to an individual, preventing anonymous or untraceable access.

How does Secureframe streamline control management?

  • Secureframe provides pre-mapped controls across frameworks, allows custom controls, assigns owners, and enables efficient compliance tracking.

Why would Secureframe add a new test to my account?

  • Sometimes we break a single test into separate tests for more granularity, or we receive feedback from auditors requesting more detailed tests.

Do I need to mark each control as N/A if it's not applicable to our environment?

  • Yes, if a control does not apply to your organization (e.g., due to being fully cloud-based or remote), you should mark it as Not Applicable (N/A). Secureframe allows you to mark controls as N/A individually or in bulk. This ensures clarity during audits and helps reflect your true compliance scope.

    To learn more about the controls page click [here](https://support.secureframe.com/hc/en-us/articles/17140545754131-Frameworks-and-Controls).

Can users modify the justification for a disabled test in Secureframe?

  • No, justifications for disabled tests cannot be directly edited. If you need to update the justification, you must re-enable the test. However, please note that re-enabling a disabled test clears out the previous justification, meaning you’ll need to enter a new one from scratch.

How are controls managed without Secureframe?

  • Without Secureframe, organizations typically track controls manually in spreadsheets, which makes them hard to maintain and to cross-map across multiple frameworks.
