
Control Testing Guide

Complete guide for CCOs and CPOs

Quick Start

  1. Navigate to your dashboard
     Professional, Enterprise, or Enterprise Plus dashboard
  2. Click the "Control Testing" card
     Green shield icon (🛡️) with live metrics
  3. View your controls
     Filter by SOC 2, ISO 27001, or HIPAA framework
  4. Export evidence
     Individual CSV or complete compliance package

What is Control Testing?

Control Testing is how you demonstrate that your compliance controls are operating effectively. This is required for SOC 2 Type II, ISO 27001, and HIPAA audits.

Why it matters: Auditors don't just want to see that you have controls—they need evidence that those controls are working. Control testing provides that evidence.

Supported Frameworks

SOC 2 Type II

Trust Services Criteria (CC1-CC9)

Test frequency: Quarterly for critical controls

ISO 27001

Annex A Controls (A.5 - A.18)

Test frequency: Annual for certification

HIPAA

Administrative Safeguards (§164.308)

Test frequency: As required by regulation

Exporting Evidence

Two export options available:

1. Individual CSV Exports

Export specific files as needed:

  • controls.csv - All control definitions
  • control-tests.csv - Test execution results
  • control-findings.csv - Issues found during testing

2. Complete Compliance Package

Download a ZIP file containing 24 files, including:

  • All control testing files (controls, tests, findings)
  • GDPR compliance records (DPIAs, DSARs, consents)
  • SOC 2 evidence (policies, attestations, audits)
  • ISO 27001 documentation
  • HIPAA records (BAAs, PHI logs)
  • EU AI Act compliance data

CCO/CPO Use Cases

🔍 SOC 2 Type II Audit

Scenario: Your SOC 2 auditor asks for evidence that access controls are operating effectively.

Solution: Export controls.csv and control-tests.csv filtered for the SOC 2 framework.

✅ Requirement: Quarterly testing for critical controls (CC6.x)

✅ ISO 27001 Certification

Scenario: Annual surveillance audit requires evidence of Annex A control effectiveness.

Solution: Export complete compliance package with all ISO 27001 control evidence.

✅ Requirement: Annual testing + remediation evidence

🏥 HIPAA Compliance

Scenario: HHS audit requires evidence of administrative safeguards (§164.308).

Solution: Export control-tests.csv showing access control testing and workforce training validation.

✅ Requirement: Regular testing of technical and administrative safeguards

Frequently Asked Questions

How often should I test controls?

Critical controls: Quarterly (every 3 months)

Important controls: Semi-annually (every 6 months)

Standard controls: Annually (once per year)

⚠️ Note: Your auditor may require more frequent testing for high-risk controls

What's the difference between controls.csv and control-tests.csv?

controls.csv: Defines what controls you have (control ID, title, description, framework)

control-tests.csv: Shows results of testing those controls (test date, pass/fail, score)

control-findings.csv: Documents any issues found during testing (severity, remediation plan)

Can I customize the compliance package export?

The compliance package includes all 24 files automatically for complete audit readiness. For custom exports of specific modules, use the individual CSV export buttons on each module's page.

What if I have overdue tests showing on my dashboard?

Overdue tests indicate controls that need to be tested based on their test frequency.

Action: Navigate to Control Testing, filter by overdue status, and schedule testing for those controls.

How do I interpret the passing rate metric?

The passing rate shows the percentage of control tests that passed from your last 100 tests. A rate above 95% is considered excellent. Below 90% may indicate systemic issues requiring investigation.
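The two FAQ answers above describe the dashboard's overdue logic (a control is overdue when its latest test is older than its test frequency) and the passing-rate metric (share of the last 100 tests that passed, with the 95% and 90% thresholds). The following script is an added example, not code from the product, that applies both rules to exported controls.csv and control-tests.csv data. The column names (control_id, criticality, test_date, result, score), the day counts used for the quarterly/semi-annual/annual tiers, and the sample rows are all assumptions constructed for the example; check them against your real export headers before use.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports. The column names are assumptions for this example;
# the real controls.csv / control-tests.csv headers may differ.
CONTROLS_CSV = """control_id,title,framework,criticality
CC6.1,Logical access controls,SOC 2,critical
CC7.2,System monitoring,SOC 2,critical
A.9.2,User access management,ISO 27001,important
164.308(a)(5),Security awareness training,HIPAA,standard
"""

CONTROL_TESTS_CSV = """control_id,test_date,result,score
CC6.1,2024-01-15,pass,100
CC6.1,2024-04-10,pass,95
A.9.2,2023-11-01,fail,60
164.308(a)(5),2023-05-20,pass,90
"""

# Test frequencies from the FAQ (quarterly / semi-annual / annual), expressed as
# a maximum age in days; the exact day counts are an assumption.
FREQUENCY_DAYS = {"critical": 91, "important": 182, "standard": 365}


def load_rows(csv_text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def passing_rate(tests, window=100):
    """Percentage of the most recent `window` tests that passed (dashboard definition)."""
    # ISO dates sort correctly as strings, so the slice keeps the newest tests.
    recent = sorted(tests, key=lambda t: t["test_date"])[-window:]
    if not recent:
        return 0.0
    passed = sum(1 for t in recent if t["result"].strip().lower() == "pass")
    return 100.0 * passed / len(recent)


def assess_rate(rate):
    """Map a rate onto the guide's thresholds: above 95 excellent, below 90 investigate."""
    if rate > 95:
        return "excellent"
    if rate < 90:
        return "investigate"
    return "acceptable"


def overdue_controls(controls, tests, today):
    """Return control IDs whose latest test is older than their frequency, or never tested."""
    latest = {}
    for t in tests:
        tested_on = date.fromisoformat(t["test_date"])
        cid = t["control_id"]
        if cid not in latest or tested_on > latest[cid]:
            latest[cid] = tested_on
    overdue = []
    for c in controls:
        cid = c["control_id"]
        max_age = timedelta(days=FREQUENCY_DAYS[c["criticality"]])
        last = latest.get(cid)
        # A control with no test on record is overdue by definition.
        if last is None or today - last > max_age:
            overdue.append(cid)
    return overdue


def report(today=date(2024, 6, 1)):
    """Build the same three figures the dashboard card shows, from the sample exports."""
    controls = load_rows(CONTROLS_CSV)
    tests = load_rows(CONTROL_TESTS_CSV)
    rate = passing_rate(tests)
    return {
        "passing_rate": rate,
        "assessment": assess_rate(rate),
        "overdue": overdue_controls(controls, tests, today),
    }


if __name__ == "__main__":
    print(report())
```

Run against a real export by replacing the two constructed strings with the file contents and passing `date.today()` to `report()`. A control that appears in controls.csv with no row in control-tests.csv is reported as overdue rather than silently skipped, which is the case most often missed when this check is done by hand.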

Ready to Get Started?

Everything you need for SOC 2, ISO 27001, and HIPAA compliance—automated and audit-ready.