CPL-01.2: Compliance Scope
Mechanisms exist to document and validate the scope of cybersecurity and data protection controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
Control Question: Does the organization document and validate the scope of cybersecurity and data protection controls that are determined to meet statutory, regulatory and/or contractual compliance obligations?
General (20)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2-POF11 CC5.2-POF2 |
| BSI Standard 200-1 | 7.1 |
| IEC TR 60601-4-5 2021 | 4.1 |
| ISO 27001 2022 (source) | 4.3 4.3(a) 4.3(b) 4.3(c) 9.1 |
| ISO 27701 2025 | 4.3 |
| ISO 29100 2024 | 6.12 |
| ISO 42001 2023 | 4.3 |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 1.1 GOVERN 1.3 MAP 3.3 |
| NIST 800-171 R3 (source) | 03.04.11.a 03.15.02.a.04 |
| NIST 800-172 | 3.11.5e 3.14.3e |
| NIST 800-218 | PO.1 |
| NIST CSF 2.0 (source) | GV.SC-05 |
| PCI DSS 4.0.1 (source) | 12.5 12.5.1 12.5.2 A3.2 A3.2.1 A3.2.3 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 12.5.1 12.5.2 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 12.5.1 12.5.2 |
| TISAX ISA 6 | 1.2.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | CPL-01.2 |
| SCF CORE ESP Level 1 Foundational | CPL-01.2 |
| SCF CORE ESP Level 2 Critical Infrastructure | CPL-01.2 |
| SCF CORE ESP Level 3 Advanced Threats | CPL-01.2 |
US (3)
| Framework | Mapping Values |
|---|---|
| US CMMC 2.0 Level 3 (source) | RA.L3-3.11.5E SI.L3-3.14.3E |
| US - CA CCPA 2025 | 7123(b)(2) 7123(b)(3) |
| US - TX SB 2610 | 542.002 542.002(1) 542.002(2) |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA EU DORA | 23 |
| EMEA EU GDPR (source) | 3.1 3.2 3.2(a) 3.2(b) 3.3 |
| EMEA Saudi Arabia PDPL | 2.2 |
| EMEA Spain BOE-A-2022-7191 | 38.2 |
| EMEA Spain 311/2022 | 38.2 |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC Japan ISMAP | 4.4.4 4.4.4.1 4.6.2.4 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 1.3.1 |
| Americas Canada ITSP-10-171 | 03.04.11.A 03.15.02.A.04 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to document and validate the scope of cybersecurity and data protection controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to document and validate the scope of cybersecurity and data protection controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
Level 2 — Planned & Tracked
Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for compliance activities.
- Cybersecurity personnel use a defined set of controls to conduct cybersecurity and data protection control assessments, as defined by the applicable statutory, regulatory and contractual requirements.
- Data process owners and asset custodians are responsible for performing compliance scoping of control applicability for statutory, regulatory and/or contractual compliance obligations.
Level 3 — Well Defined
Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to ensure compliance requirements are identified and documented.
- The GRC function, or similar function:
  - Ensures data/process owners understand their requirements to manage applicable cybersecurity and data protection controls through oversight and written guidance.
  - Provides applicable stakeholders with status reports on control execution to enable security controls oversight.
  - Works with data/process owners and asset custodians to document and validate the scope of cybersecurity and data protection controls to ensure statutory, regulatory and/or contractual compliance obligations are met.
  - Conducts cybersecurity and data protection control assessments on a regular cadence that is defined by the applicable statutory, regulatory and contractual requirements.
- Cybersecurity and data privacy controls are centrally managed through a technology solution (e.g., GRC solution) to assign controls, track control activities and report on compliance efforts.
- GRC personnel assist data process owners and asset custodians with performing compliance scoping of control applicability for statutory, regulatory and/or contractual compliance obligations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to document and validate the scope of cybersecurity and data protection controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to document and validate the scope of cybersecurity and data protection controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
Assessment Objectives
- CPL-01.2_A01 the organization's applicable cybersecurity / data privacy controls are determined through the analysis of business practices to determine required statutory, regulatory and/or contractual compliance obligations.
- CPL-01.2_A02 a recurring process exists to validate the scope of cybersecurity / data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
Evidence Requirements
| Evidence ID | Name | Domain | Description |
|---|---|---|---|
| E-AST-02 | Asset Scoping Guidance | Asset Management | Documented evidence of asset scoping guidance. This is program-level documentation, in the form of a runbook, playbook or similar format, that provides guidance on defining in-scope systems, applications, services, processes and third parties. |
| E-CPL-02 | Defined Compliance Scope (DCS) | Compliance | Documented evidence of a formal scoping document that identifies applicable statutory, regulatory and/or contractual obligations for the organization. Defines the affected Lines of Business (LOB), internal/external stakeholders and facilities for the specific scope of compliance obligations. |
| E-GOV-10 | Cybersecurity & Data Protection Controls | Cybersecurity & Data Protection Management | Documented evidence of appropriately scoped cybersecurity & data protection controls. Controls are technical, administrative or physical safeguards. Controls are the nexus used to manage risks by preventing, detecting or lessening the ability of a particular threat to negatively impact business processes. Controls map directly to standards, since control testing is designed to measure specific aspects of how standards are actually implemented. |
Technology Recommendations
Micro/Small
- Unified Scoping Guide (https://unified-scoping-guide.com)
Small
- Unified Scoping Guide (https://unified-scoping-guide.com)
Medium
- Unified Scoping Guide (https://unified-scoping-guide.com)
Large
- Unified Scoping Guide (https://unified-scoping-guide.com)
Enterprise
- Unified Scoping Guide (https://unified-scoping-guide.com)