The finest-grain obligation inside a control — the level at which mapping happens so one test can serve many frameworks.
Controls are often broad ('restrict logical access'). Requirements break that down into specific, testable obligations. Because many frameworks describe overlapping obligations in different words, mapping at the requirement level is what lets a single automated test satisfy requirements in SOC 2, ISO 27001, and other frameworks at once.
Looking for another term or the full list?