Establishing evidence best practices is crucial for maintaining a strong compliance posture. Collecting, organizing, and managing evidence effectively not only ensures that you meet regulatory requirements but also simplifies audits and reduces risk. Best practices include maintaining clear documentation, centralizing storage for easy access, and verifying the accuracy and timeliness of evidence. By following these guidelines, organizations can demonstrate due diligence, streamline compliance processes, and instill confidence in auditors and stakeholders.
Screenshot Evidence
When uploading a screenshot, be sure to include the following:
- URL (if applicable)
- Date stamp (the computer-generated time and date stamp)
The URL and date stamp help auditors confirm where and when the screenshot originated.
When uploading a screenshot, be aware of the following:
- A screenshot cannot be taken from a training document or from text pasted into a document.
- When documenting a password policy, do not upload a screenshot of the password policy section of the Acceptable Use Policy. Instead, upload a screenshot of the password settings that actually govern the tool or application being tested (when that evidence is not available via integration).
- A screenshot also cannot be taken from a vendor guideline document, unless the vendor does not allow the element being tested to be configured. For example, Bitbucket password settings cannot be configured by the Bitbucket admin, so vendor documentation is acceptable there.
Guidelines for File Uploads
Secureframe supports uploads in formats like PDF, PNG, JPG, DOCX, XLSX, and CSV. Note that legacy DOC files are not supported. When uploading evidence, use widely accessible formats to ensure compatibility and readability.
Keep evidence up to date
Regularly review your evidence to ensure it reflects current practices. Use the “Last Updated” column and filters on the Tests page to easily identify stale or outdated items that need refreshing.
Using ‘Pass with Upload’
If a test can’t be auto-validated via integration, use the “Pass with upload” feature to manually upload documentation that demonstrates control effectiveness. This helps maintain test coverage when integrations aren’t available.
Additional Evidence
This is used to upload supplementary materials related to a test — for example, to provide extra context or information for your auditor. Uploading only to Additional Evidence will not pass the test. You must use Pass with Upload if the intent is to complete the test manually.
Note: If your Platform or Integration test is still failing after uploading evidence, double-check that the file was added via Pass with Upload, not Additional Evidence.
Handling Evidence Findings
If a file is uploaded with findings, the test will remain unpassed until addressed. You can comment on the finding, re-upload corrected evidence, or resolve the finding directly in the platform to clear the flag.
Choosing the Right Evidence Type
When uploading a file to Secureframe, you may be prompted to assign an Evidence Type. This field determines how the file is mapped to tests, controls, or even personnel (e.g., background checks) across your frameworks.
Choosing the correct type ensures your evidence is properly recognized and helps avoid test failures caused by misclassification.
When to Use “Other” vs. a Specific Type
- Use Other if:
  - You're uploading a template or reference document (e.g., Security Incident Log template, Corrective Action Plan template) for future use.
  - You're storing documentation in the Data Room that is not meant to satisfy a specific test or control yet.
  - You're unsure which type applies and want to avoid automatic mapping to an active test.
- Use a specific type (e.g., SOC 2 Report, ISO 27001 Certificate) if:
  - The document is intended to satisfy a test, such as proving a vendor review or confirming annual security training.
  - You're uploading an attestation, report, audit result, or other file that directly maps to a framework requirement.
  - The test description or platform prompt suggests a specific expected file type.
✅ Example: If you’re uploading a vendor’s SOC 2 or ISO 27001 report to satisfy the Vendor Management Review test, be sure to select the appropriate evidence type (e.g., SOC 2 Report).
🚫 Choosing Other in this case may cause the test to fail, as Secureframe will not recognize the file as valid proof of due diligence.
Frequently Asked Questions (FAQ)
What should I select when prompted to assign a document to an Evidence Type?
- It depends on the purpose of the upload and where in the platform you're uploading it.
- As noted above, some tests, such as Vendor Reviews, require a specific evidence type (SOC 2, ISO, PCI, etc.). If you choose "Other" for this kind of test, it will fail, because "Other" does not satisfy the requirement.
When using the “Mark comment as a finding” option in a comment for a Platform or Integration test, the test still shows as Passed, unlike upload-based tests where it remains Failed until the finding is resolved. Why does this happen?
- This behavior occurs when the “Pass with upload” option was previously used to pass the test. For Platform and Integration tests, selecting “Pass with upload” explicitly sets the test to a Passing state, even if the evidence includes a comment marked as a finding. In these cases, “Pass with upload” overrides the test’s health status and does not evaluate any findings that may still be present.
- Upload-based tests work differently. They do not offer the “Pass with upload” option because their status depends entirely on the uploaded evidence. If a finding is marked in an upload-based test, the test will remain Failed until that finding is resolved.