Getting Started With Framework Fundamentals

Adarsh

February 3, 2026

Compliance frameworks involve multiple layers of expectations, implementation steps, and validation processes. The Uproot platform simplifies this by structuring every framework into three interconnected components: requirements, controls, and tests.

This structure gives teams clarity on what needs to be achieved, how it is implemented, and how it is continuously validated—all within a single workflow.

Framework Requirements: What Needs to Be Met

Framework requirements define what a compliance framework expects an organization to achieve. They focus on outcome-level objectives such as security, availability, system reliability, and risk management.

Requirements are high-level goals—they explain what needs to be achieved rather than how to do it. During an audit, these requirements show the conditions your organization must meet.


In the Uproot platform:

  • Requirements define what must be satisfied under a compliance framework, such as those issued by the AICPA for SOC 2.
  • Each requirement belongs to a framework and has one or more controls linked to it.
  • Requirement health is automatically calculated based on the status of its controls.

For instance, SOC 2 requirements are organized under five Trust Services Criteria (TSC)—security, availability, processing integrity, confidentiality, and privacy. Under SOC 2, system availability is one such requirement, ensuring that systems can handle capacity demands and remain operational.

Framework Controls: How Requirements Are Implemented

Controls define how a requirement is fulfilled in practice. They translate high-level compliance expectations into concrete technical, operational, or procedural safeguards, making them the actionable layer of compliance.

In Uproot, each control includes:

  • A clear control name
  • A description of how the control operates
  • A control group or domain
  • An assigned owner
  • One or more associated tests

Controls can support one or multiple requirements, helping organizations avoid duplication and maintain consistency.

For example, an availability requirement under SOC 2 may be supported by controls describing multi-zone infrastructure deployment, traffic distribution, or automatic capacity scaling. Each control assigns ownership and defines how the requirement is concretely addressed.

Framework Tests: How Controls Are Validated

Tests verify that controls are operating as intended, providing objective validation and generating reliable evidence for audit review.

Tests answer a critical question:
Is this control actually working?

In Uproot, tests:

  • Are always tied to a specific control
  • Can be executed in four ways: automated integrations, manual uploads, platform tests, or AI agents
  • Run continuously, not just at a single point in time
  • Directly determine control and requirement health

For instance, a control supporting SOC 2 availability requirements may include a test that continuously checks autoscaling configurations. Passing tests keep the control and requirement healthy, while failures immediately signal risks that need remediation.

How to Access Requirements, Controls, and Tests

Uproot lets users navigate easily from high-level compliance visibility to detailed operational validation.

Accessing Requirements

  1. Go to the Frameworks section in Uproot.
  2. Select the framework you want to review.
  3. View the list of requirements for that framework.
  4. Check requirement health and coverage to identify any gaps.

Accessing Controls

  1. Click on a requirement to view its controls, or open the Controls tab to see all controls across frameworks in one place.
  2. Review each control’s objective, description, and owner.
  3. Monitor control health to detect gaps or failures.

Accessing Tests

  1. Within a control, view the associated tests, or go to the Tests tab to see all tests across frameworks.
  2. Check test status and execution details.
  3. Investigate any failures and remediate underlying issues.
  4. Use historical test results as evidence for audits.
  5. Each test includes additional information such as “How to get compliant,” “How this works,” and reference materials.

How It All Works Together

In Uproot, compliance follows a clear and auditable flow:

  • Requirements define what must be achieved
  • Controls define how it is achieved
  • Tests validate that it is working

This ensures every requirement is backed by clearly owned controls and continuously validated through tests, keeping organizations audit-ready and confident that their compliance posture is accurate and up to date.

