This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
Choosing and managing frameworks
Is it possible to add requirements to a custom framework after its creation?
Yes, you can add requirements to a custom framework after it's created.
To do this, hover your mouse over an existing control within the custom framework. The "Add Requirement" button will appear when you hover in the correct area.
What document provides additional information on acceptable frameworks for digital identity and authentication factors?
NIST Special Publication 800-63, Digital Identity Guidelines, provides additional information on acceptable frameworks for digital identity and authentication factors.
Controls, tests, and framework views
Are audits required for best practice frameworks like CIS and NIST 800-53?
No, these frameworks are best practices, so audits are not required or necessarily recommended, though some companies choose to get audited for contracts or self-assessment.
Are there any character limits for data input within a custom framework?
As currently tested, the character limit is well over 1,500,000.
Can custom imports allow whitespaces in framework keys column?
No. Whitespace and duplicates are not allowed in framework keys. We recommend using a filler character such as a dash in place of spaces.
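As an added example (not Secureframe's code), a pre-flight check you can run on the framework-keys column before a custom import. It assumes the keys are supplied as a list of strings, flags whitespace and duplicates, and also catches keys that would collide once spaces are replaced with dashes:

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a framework-key column as pasted from a spreadsheet.
# It deliberately contains embedded/trailing spaces and one exact duplicate.
SAMPLE_KEYS = ["AC-1", "AC 2", "AC-2", "ac-3 ", "AC-3", "SC-7", "AC-1"]


@dataclass
class KeyReport:
    bad_whitespace: list = field(default_factory=list)  # keys containing any whitespace
    duplicates: list = field(default_factory=list)      # keys that appear more than once
    collisions: list = field(default_factory=list)      # distinct inputs that normalize to one key
    suggested: list = field(default_factory=list)       # unique normalized keys, input order kept


def normalize_key(key: str) -> str:
    """Trim the key, then replace each run of whitespace with a dash (the recommended filler)."""
    return re.sub(r"\s+", "-", key.strip())


def check_framework_keys(keys):
    """Report every problem that would make the keys column unimportable."""
    report = KeyReport()
    seen = set()
    for k in keys:
        if re.search(r"\s", k):
            report.bad_whitespace.append(k)
        if k in seen and k not in report.duplicates:
            report.duplicates.append(k)
        seen.add(k)
    # Replacing spaces with dashes can merge keys that differed only by whitespace;
    # surface those instead of silently producing a duplicate in the fixed column.
    by_norm = {}
    for k in keys:
        by_norm.setdefault(normalize_key(k), []).append(k)
    for norm, originals in by_norm.items():
        if len(set(originals)) > 1:
            report.collisions.append((norm, sorted(set(originals))))
    report.suggested = list(by_norm)
    return report


def is_importable(keys) -> bool:
    """True only when the column needs no changes at all (keys are compared case-sensitively)."""
    r = check_framework_keys(keys)
    return not (r.bad_whitespace or r.duplicates or r.collisions)
```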
Do all frameworks require third-party audits?
No, some like CMMC Level 1 and PCI allow self-attestation. Others, like GDPR and HIPAA, don’t require audits but recommend them.
Do we have a separate Type I and Type II framework within Secureframe?
No. There is no difference between Type I and Type II tests except for sample testing. For Type I, the auditor would not pull samples from Secureframe.
Does CJIS have any unique policies different than other frameworks?
Yes, it includes a unique CJIS policy.
How do audit requirements differ between frameworks?
SOC 2 and ISO require audits, but requirements vary. HIPAA audits are not required but recommended. NIST CSF 2.0 audits are neither required nor strongly recommended but can be done voluntarily.
How do clients know which policies are designated for which framework if they have multiple frameworks in scope?
SOC 2 policies form the base for other frameworks. Addendums are created for PCI, HIPAA, etc. Additionally, there are two HIPAA-specific policies that should be published for HIPAA, as they contain necessary overlapping requirements.
How do framework requirements work?
They define what must be done, what is required, and what expectations organizations must meet to be compliant.
How do I scope the services that are excluded from the framework?
During framework scoping, specify any services not included in the audit. This helps determine if Multi-Business Unit (MBU) scoping is needed and out-of-scope items should be excluded from evidence/testing.
How do organizations meet compliance framework requirements?
By implementing security controls, processes, policies, and proving their effectiveness through testing.
How does Secureframe simplify framework management?
Secureframe provides pre-mapped requirements, controls, and tests for 40+ frameworks, eliminating manual tracking and increasing efficiency.
How should we approach the AI Training test under the ISO 42001 framework?
Organizations are expected to provide AI-related training that is tailored to how AI is used within their business. Because usage varies across companies, the training should first be scoped to reflect your organization’s role in AI (e.g., user, provider, developer, or other).
We recommend the following approach:
1) Identify your role(s) in AI – Determine whether your team primarily uses AI tools, develops AI systems, or provides AI services.
2) Refer to the AI Policy template – This outlines the different roles and expectations and can guide what the training should cover.
3) Develop or source training – You may create your own role-based training or purchase AI training content from an LMS provider.
At this time, Secureframe does not provide an out-of-the-box AI training module. However, we are exploring ways to offer AI training within our platform in the future.
Is the COSO ERM framework a custom framework or is it available out of the box?
COSO ERM is not currently an offered framework, but it is possible this framework could be uploaded using our [Custom Framework feature](https://support.secureframe.com/hc/en-us/articles/19317479228947-Creating-Custom-Frameworks).
ISO 42001 – Since we don’t have training in Secureframe, how can customers fulfill the training requirements set out in the framework? Are there templates available, or do they need to use an external vendor?
ISO 42001 requires that personnel receive training appropriate to their role in AI (e.g., user, provider, developer). To meet this requirement, customers should:
1) Reference the AI Policy Template in Secureframe, which outlines roles and responsibilities and can serve as a foundation for training content.
2) Develop their own internal training (e.g., slides, LMS modules, or attestation logs) aligned to the organization’s AI governance policy and ISO 42001 Annex A controls.
3) Leverage external vendors if they prefer pre-built content. Many LMS providers are starting to offer AI governance or responsible AI training modules.
Secureframe does not currently provide an ISO 42001 training template. However, customers can upload internally created training materials or external vendor content as evidence in the platform.
What are common compliance frameworks?
Examples include SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, and NIST.
What are compliance frameworks?
Frameworks are sets of requirements created by governing bodies to protect data and ensure organizations meet specific standards.
What are examples of secure software lifecycle management methodologies and frameworks?
Secure software lifecycle management methodologies and frameworks include PCI Software Security Framework, BSIMM, OPENSAMM, and works from NIST, ISO, and SAFECode.
What happens if a framework is removed from a Secureframe instance?
We have a flow internally that will remove any exclusive controls, policies, or platform tests associated with the removed framework.
What is framework scoping and why is it important?
Framework scoping defines what parts of your organization, systems, data, and services are included in a compliance assessment. It ensures Secureframe enables the right tests and configures the framework correctly.
What is the challenge of managing frameworks without Secureframe?
Organizations manually compare framework requirements in spreadsheets, which is tedious, overwhelming, and difficult to track.
What is the difference between framework scope and production scope in Bitbucket?
Framework Scope and Production Scope refer to how repositories are evaluated based on their relevance to compliance evidence.
Framework Scope includes repositories relevant to a specific compliance framework (e.g., SOC 2, ISO). These are the repos Secureframe reviews for control evidence. Example: internal-tools-api, used for internal operations but relevant to SOC 2 because it handles sensitive data.
Production Scope is a subset of Framework Scope and includes only repos that support your live, customer-facing application. These are subject to stricter security requirements (e.g., MFA, deploy protections). Example: auth-service, which manages user authentication and sessions.
What questions should I ask when scoping for any compliance framework?
Ask: What frameworks are you pursuing and why? What services are included in or excluded from compliance? Are you preparing for an audit? Where is data stored and processed (e.g., cloud platforms, on-premise)? Are there any physical locations in scope? These questions help align your instance with real operational risk.
What should be done if a test is included in the framework but the corresponding policies are missing?
If a test appears in the framework but the related policies are missing, this is likely a bug. Secureframe provides all required policies for each supported framework by default.
Please email our support team at support@secureframe.com so we can investigate and resolve the issue promptly.
What should I do if I'm unable to access the frameworks within a project?
If you cannot access the Frameworks page, it may be due to custom access settings not being enabled for your account. If that does not resolve the issue, please reach out to support@secureframe.com for assistance.
What should I include when scoping for any compliance framework?
Include your business overview, services requiring compliance, need for the framework, report timeline, physical locations, data flow, and any services out of scope.
Where do I define physical locations in scope for a framework?
In the scoping phase, specify offices or data centers. This determines whether physical security controls/tests are enabled.
Which frameworks are supported by the Gap Assessment?
CIS IG1, CIS IG2, CIS IG3, SOC 2, ISO, UK Cyber Essentials, Essential 8, PCI, HIPAA, CMMC, & EU DORA.
Which frameworks are the hardest, most complex, most comprehensive?
FedRAMP, NIST 800-53, PCI, and HITRUST are the most complex frameworks, with the most controls and stringent requirements. SOC 2 and ISO are relatively more flexible with fewer controls.
Mappings between frameworks
How does Secureframe handle test mapping?
Secureframe pre-maps requirements, controls, and tests to eliminate manual work and improve efficiency.
Additional customer questions
Why isn't HITRUST supported?
HITRUST CSF is not an open framework like SOC 2 or ISO 27001. It's a proprietary framework maintained by the HITRUST Alliance, and access to it often requires a paid license or partnership.
It’s a meta-framework, meaning it combines multiple compliance standards (e.g., HIPAA, ISO, NIST) and maps them together — which makes automation more difficult.
Most GRC platforms skip HITRUST because it's proprietary, complex, and healthcare-specific, and the certification process relies heavily on manual workflows and a closed ecosystem.
If you're in a healthcare-adjacent market but HITRUST is too much, focusing on HIPAA + SOC 2 + ISO 27001 often covers 80–90% of what customers need — without the licensing and process headaches of HITRUST.
With that said, our team can assist with HITRUST if customers meet the following:
1) You already have your controls from myCSF
2) The HITRUST assessment type is E1 or i1
3) You are flexible and can allow time for us to help build out the framework in our platform using the Custom Frameworks feature
Does Secureframe support HITRUST E1?
Yes, Secureframe now supports HITRUST E1 for current customers.
If you're interested in using HITRUST E1 for your compliance needs, please reach out to your Customer Success Manager to discuss your specific requirements and next steps.
How quickly can we achieve HITRUST E1 compliance using Secureframe?
The timeline for HITRUST E1 varies depending on your starting point. If you're starting from scratch, it's important to know that HITRUST requires both an external audit and a formal review process, so it typically takes more than a few weeks. We recommend aligning on your goals and urgency, and we’re happy to help you scope a realistic timeline.
HITRUST assessments, costs, and timelines
How much does a HITRUST audit cost?
Typically ranges from $30K to $80K (very expensive).
Is it possible to fast-track HITRUST E1 compliance?
HITRUST compliance involves several required steps, including third-party assessment and HITRUST review, so timelines can’t usually be fast-tracked. However, we’ll do everything we can to support your process and recommend helpful resources if you’re on a tight deadline.
What do we need to get started with HITRUST E1?
To begin pursuing HITRUST E1, it helps to have:
A clear understanding of your timeline and drivers
Access to HITRUST’s MyCSF platform
A HITRUST Authorized External Assessor (if you're planning on certification)
If you don’t yet have these in place, we can guide you or connect you with resources to get started.
What does HITRUST consist of?
HITRUST has two types of assessments: R2 and I1. R2 is more robust and is a 2-year certification, while I1 is a 1-year certification. R2 uses a scoring matrix and rubric with different tiers. HITRUST is updated every 9 years, which can make staying up to date challenging.
AI, ISO 42001, and Comply AI
Are NIST AI and ISO 42001 aimed specifically at generative AI?
Yes, NIST AI and ISO 42001 frameworks can apply to machine learning, which is a subset of AI.
Does ISO 42001 require an internal audit?
Yes.
How does Secureframe ensure that PII does not leak from Comply AI?
Secureframe publicly discloses that OpenAI is a subprocessor and provides privacy and security practices beyond OpenAI's offerings to ensure data protection.
Should we pursue ISO 42001 if we’re only using AI tools like ChatGPT or Copilot internally and not building our own AI systems?
In most cases, no—ISO 42001 is not necessary if your organization is simply using AI tools internally and not developing or embedding AI into customer-facing products or services.
However, it may be worth considering if:
You're embedding AI into your own offerings
You start receiving ISO 42001-specific requests from clients
Your brand strongly aligns with AI (e.g., your company name or domain ends in “.ai”)
In your current scenario, unless your clients begin asking for this certification specifically, it’s more practical to implement internal AI-related policies and procedures without going through the full ISO 42001 certification process.
What AI technology does ComplyAI utilize for its backend operations?
Secureframe's AI features are powered by a combination of advanced technologies, including:
• Generative AI: Used in Comply AI for Policies to summarize content, improve writing, and simplify language.
• Advanced Machine Learning: Employed in Comply AI for Control Mapping to suggest intelligent control mappings to frameworks and risk assessments.
• Natural Language Processing: Utilized to analyze and understand security compliance documentation in vendor profiles.
These AI technologies are powered by OpenAI's technology and work together to automate various compliance tasks, such as policy writing, remediation guidance, control mapping, risk assessment, and vendor profile analysis.
This automation helps save time and resources while improving accuracy in compliance processes.
What is ISO 42005, and how does it relate to ISO 42001 or the “2025 version”?
ISO 42005 is a guidance document focused on how to perform AI impact assessments. It is not a certifiable or audited standard—it functions more like a best-practice guide. It is not an updated version of ISO 42001. ISO 42001 remains the certifiable and auditable standard currently available and supported on our platform.
What should be considered during ISO 42001 scoping?
Confirm whether an AI management system (AIMS) is defined and whether you're performing AI risk assessments. Include how internal audits will be handled.