CPL-01.1: Non-Compliance Oversight
Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.
Control Question: Does the organization document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions?
General (15)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC1.1-POF4 CC1.5 CC4.2 CC4.2-POF1 CC4.2-POF2 CC4.2-POF3 |
| CSA CCM 4 | A&A-05 A&A-06 GRC-04 |
| CSA IoT SCF 2 | GVN-04 |
| ISO 27001 2022 (source) | 9.1 9.1(a) 9.1(b) 9.1(c) 9.1(d) 9.1(e) 9.1(f) 10.2 10.2(a) 10.2(a)(1) 10.2(a)(2) 10.2(b) 10.2(b)(1) 10.2(b)(2) 10.2(b)(3) 10.2(c) 10.2(d) 10.2(e) 10.2(f) 10.2(g) |
| ISO 27701 2025 | 10.2 10.2(a) 10.2(b) 10.2(c) 10.2(d) 10.2(e) |
| ISO 29100 2024 | 6.12 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.E(2)(b) |
| NIST 800-171 R3 (source) | 03.12.02.a.01 |
| PCI DSS 4.0.1 (source) | 12.4.2 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 12.4.2 |
| TISAX ISA 6 | 1.5.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | CPL-01.1 |
| SCF CORE ESP Level 2 Critical Infrastructure | CPL-01.1 |
| SCF CORE ESP Level 3 Advanced Threats | CPL-01.1 |
| SCF CORE AI Model Deployment | CPL-01.1 |
US (6)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ASSET-5.E.MIL3 ASSET-5.F.MIL3 THREAT-3.F.MIL3 RISK-5.F.MIL3 ACCESS-4.F.MIL3 SITUATION-4.F.MIL3 RESPONSE-5.F.MIL3 THIRD-PARTIES-3.F.MIL3 WORKFORCE-4.F.MIL3 ARCHITECTURE-5.F.MIL3 PROGRAM-3.F.MIL3 |
| US DFARS Cybersecurity 252.204-70xx | 252.204-7019(b) |
| US DHS CISA TIC 3.0 | 3.UNI.PEPAR |
| US FCA CRM | 609.930(c)(1)(ii) |
| US - CA CCPA 2025 | 7123(b)(3) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.4(b)(6) |
EMEA (4)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 10.2(h) 16(j) 20.1 41.5 |
| EMEA EU NIS2 | 21.4 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-7-3 |
| EMEA Saudi Arabia OTCC-1 2022 | 1-6 1-6-1 |
APAC (7)
| Framework | Mapping Values |
|---|---|
| APAC Australia Prudential Standard CPS230 | 30 31 |
| APAC Australia Prudential Standard CPS234 | 29 35 35(a) 35(b) 36 |
| APAC China Privacy Law | 54 |
| APAC Japan APPI | 40(1) 40(2) 40(3) |
| APAC Japan ISMAP | 4.7.1 4.7.1.1 4.7.1.2 4.7.1.3 4.7.1.4 4.7.1.5 4.7.1.6 4.7.1.7 |
| APAC New Zealand NZISM 3.6 | 1.1.68.C.01 1.1.69.C.01 1.1.69.C.02 |
| APAC Singapore MAS TRM 2021 | 3.2.3 4.5.2 4.5.3 |
Americas (4)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 5.7 |
| Americas Canada CSAG | 6.10 6.14 |
| Americas Canada OSFI B-13 | 1.3.1 |
| Americas Canada ITSP-10-171 | 03.12.02.A.01 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to document and review instances of non-compliance with statutory, regulatory and/ or contractual obligations to develop appropriate risk mitigation actions.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to document and review instances of non-compliance with statutory, regulatory and/ or contractual obligations to develop appropriate risk mitigation actions.
Level 2 — Planned & Tracked
Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Compliance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for compliance activities.
- Cybersecurity personnel use a defined set of controls to conduct cybersecurity and data privacy control assessments, as defined by the applicable statutory, regulatory and contractual requirements.
- Legal representation is consulted on an as-needed basis.
Level 3 — Well Defined
Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures data/process owners understand their requirements to manage applicable cybersecurity and data protection controls through oversight and written guidance. o Provides applicable stakeholders with status reports on control execution to enable security controls oversight. o Works with data/process owners and asset custodians to document and validate the scope of cybersecurity and data protection controls to ensure statutory, regulatory and/ or contractual compliance obligations are met. o Conducts cybersecurity and data privacy control assessments, on a regular cadence that is defined by the applicable statutory, regulatory and contractual requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to ensure compliance requirements are identified and documented.
- The GRC function, or similar function:
- Cybersecurity and data privacy controls are centrally managed through a technology solution (e.g., GRC solution) to assign controls, track control activities and report on compliance efforts.
- Legal representation is consulted on an as-needed basis.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to document and review instances of non-compliance with statutory, regulatory and/ or contractual obligations to develop appropriate risk mitigation actions.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to document and review instances of non-compliance with statutory, regulatory and/ or contractual obligations to develop appropriate risk mitigation actions.
Assessment Objectives
- CPL-01.1_A01 instances of non-compliance with statutory, regulatory and/or contractual obligations are documented, including the reason(s) for non-compliance.
- CPL-01.1_A02 instances of non-compliance with statutory, regulatory and/or contractual obligations are formally-reviewed.
- CPL-01.1_A03 instances of non-compliance with statutory, regulatory and/or contractual obligations are centrally-governed to maintain appropriate situational awareness.
- CPL-01.1_A04 instances of non-compliance with statutory, regulatory and/or contractual obligations are assigned to individuals or teams for remediation.
- CPL-01.1_A05 remediation plans for instances of non-compliance with statutory, regulatory and/or contractual obligations are documented.
Evidence Requirements
- E-CPL-05 Internal Audit (IA) Findings
-
Documented evidence of a centrally-managed and prioritized repository Internal Audit (IA) findings.
Compliance
Technology Recommendations
Micro/Small
- Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
Small
- Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
Medium
- Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
Large
- Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
Enterprise
- Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)