CPL-02: Cybersecurity & Data Protection Controls Oversight

CPL 10 — Critical Detect

Mechanisms exist to provide a cybersecurity and data protection controls oversight function that reports to the organization's executive leadership.

Control Question: Does the organization provide a cybersecurity and data protection controls oversight function that reports to its executive leadership?

General (55)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.1 CC1.1-POF3 CC2.2 CC2.3 CC4.2-POF1 CC4.2-POF2 CC4.2-POF3
BSI Standard 200-1 9
COBIT 2019 MEA02.01 MEA02.02 MEA04.01 MEA04.02 MEA04.03 MEA04.04 MEA04.05 MEA04.06 MEA04.07 MEA04.08 MEA04.09
COSO 2017 Principle 1 Principle 14 Principle 15 Principle 19 Principle 20
CSA CCM 4 A&A-02 A&A-05 CEK-09 LOG-10 STA-11
CSA IoT SCF 2 CCM-07 GVN-04 LGL-03 SAP-10
ENISA 2.0 SO25
Generally Accepted Privacy Principles (GAPP) 8.2.7
GovRAMP Low CA-07
GovRAMP Low+ CA-07 CA-07(01)
GovRAMP Moderate CA-07 CA-07(01)
GovRAMP High CA-07 CA-07(01)
IMO Maritime Cyber Risk Management 3.5.3.9
ISO/SAE 21434 2021 RQ-05-17
ISO 22301 2019 9.3 9.3.1 9.3.2 9.3.3 9.3.3.1 9.3.3.2
ISO 27001 2022 (source) 8.1 10.1
ISO 27002 2022 5.31 5.36 6.8 8.8 8.34
ISO 27017 2015 12.7.1 18.2.2 18.2.3
ISO 27701 2025 9.2.2 9.2.2(a) 9.2.2(b) 9.2.2(c)
ISO 29100 2024 6.12
MITRE ATT&CK 10 T1001, T1001.001, T1001.002, T1001.003, T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008, T1008, T1021.002, T1021.005, T1029, T1030, T1036, T1036.003, T1036.005, T1036.007, T1037, T1037.002, T1037.003, T1037.004, T1037.005, T1041, T1046, T1048, T1048.001, T1048.002, T1048.003, T1052, T1052.001, T1053.006, T1055.009, T1056.002, T1059, T1059.005, T1059.007, T1068, T1070, T1070.001, T1070.002, T1070.003, T1071, T1071.001, T1071.002, T1071.003, T1071.004, T1072, T1078, T1078.001, T1078.003, T1078.004, T1080, T1090, T1090.001, T1090.002, T1090.003, T1095, T1102, T1102.001, T1102.002, T1102.003, T1104, T1105, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1111, T1132, T1132.001, T1132.002, T1176, T1185, T1187, T1189, T1190, T1195, T1195.001, T1195.002, T1197, T1201, T1203, T1204, T1204.001, T1204.002, T1204.003, T1205, T1205.001, T1210, T1211, T1212, T1213, T1213.001, T1213.002, T1213.003, T1218, T1218.002, T1218.010, T1218.011, T1218.012, T1219, T1221, T1222, T1222.001, T1222.002, T1489, T1498, T1498.001, T1498.002, T1499, T1499.001, T1499.002, T1499.003, T1499.004, T1528, T1530, T1537, T1539, T1542.004, T1542.005, T1543, T1543.002, T1546.003, T1546.004, T1546.013, T1547.003, T1547.011, T1547.013, T1548, T1548.003, T1550.003, T1552, T1552.001, T1552.002, T1552.004, T1552.005, T1553.003, T1555, T1555.001, T1555.002, T1556, T1556.001, T1557, T1557.001, T1557.002, T1558, T1558.002, T1558.003, T1558.004, T1562, T1562.001, T1562.002, T1562.004, T1562.006, T1563.001, T1564.004, T1565, T1565.001, T1565.003, T1566, T1566.001, T1566.002, T1566.003, T1567, T1568, T1568.002, T1569, T1569.002, T1570, T1571, T1572, T1573, T1573.001, T1573.002, T1574, T1574.004, T1574.007, T1574.008, T1574.009, T1598, T1598.001, T1598.002, T1598.003, T1599, T1599.001, T1602, T1602.001, T1602.002
NAIC Insurance Data Security Model Law (MDL-668) 4.C(4)
NIST AI 100-1 (AI RMF) 1.0 GOVERN 1.5
NIST Privacy Framework 1.0 GV.MT-P4 PR.PO-P5
NIST 800-37 R2 S-5
NIST 800-53 R4 CA-7 CA-7(1) PM-14
NIST 800-53 R4 (low) CA-7
NIST 800-53 R4 (moderate) CA-7 CA-7(1)
NIST 800-53 R4 (high) CA-7 CA-7(1)
NIST 800-53 R5 (source) CA-7 CA-7(1) PM-14
NIST 800-53B R5 (privacy) (source) CA-7
NIST 800-53B R5 (low) (source) CA-7
NIST 800-53B R5 (moderate) (source) CA-7 CA-7(1)
NIST 800-53B R5 (high) (source) CA-7 CA-7(1)
NIST 800-53 R5 (NOC) (source) PM-14
NIST 800-82 R3 LOW OT Overlay CA-7
NIST 800-82 R3 MODERATE OT Overlay CA-7 CA-7(1)
NIST 800-82 R3 HIGH OT Overlay CA-7 CA-7(1)
NIST 800-160 3.3.8
NIST 800-161 R1 PM-14
NIST 800-161 R1 Level 1 PM-14
NIST 800-161 R1 Level 2 PM-14
NIST 800-171 R2 (source) 3.12.1 3.12.3
NIST 800-171A (source) 3.12.1[a] 3.12.1[b] 3.12.3
NIST 800-171 R3 (source) 03.12.01 03.12.03
NIST 800-171A R3 (source) A.03.12.03[01] A.03.12.03[03] A.03.12.03[04]
NIST CSF 2.0 (source) GV.OC-03
PCI DSS 4.0.1 (source) 10.7 10.7.1 10.7.2 10.7.3
PCI DSS 4.0.1 SAQ D Merchant (source) 10.7.2 10.7.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 10.7.1 10.7.2 10.7.3
TISAX ISA 6 1.5.1 5.2.6
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) CPL-02
SCF CORE ESP Level 1 Foundational CPL-02
SCF CORE ESP Level 2 Critical Infrastructure CPL-02
SCF CORE ESP Level 3 Advanced Threats CPL-02
US (34)
Framework Mapping Values
US C2M2 2.1 ASSET-5.E.MIL3 ASSET-5.F.MIL3 THREAT-3.F.MIL3 RISK-5.F.MIL3 ACCESS-4.F.MIL3 SITUATION-4.F.MIL3 RESPONSE-5.F.MIL3 THIRD-PARTIES-3.F.MIL3 WORKFORCE-4.F.MIL3 ARCHITECTURE-5.F.MIL3 PROGRAM-3.F.MIL3
US CERT RMM 1.2 COMP:SG4.SP1 CTRL:SG3.SP1 GG2.GP9 GG2.GP10 MON:SG1.SP1 MON:SG1.SP3 OPD:SG1.SP1 OTA:SG4.SP1 RISK:SG6.SP2
US CMMC 2.0 Level 2 (source) CA.L2-3.12.1 CA.L2-3.12.3
US CMMC 2.0 Level 3 (source) CA.L2-3.12.1 CA.L2-3.12.3
US CMS MARS-E 2.0 CA-7 CA-7(1) PM-14
US DHS CISA TIC 3.0 3.UNI.PEPAR
US FCA CRM 609.930(c)(6) 609.930(c)(6)(i)
US FDA 21 CFR Part 11 11.10 11.10(a) 11.10(b) 11.10(c) 11.10(d) 11.10(e) 11.10(f) 11.10(g) 11.10(h) 11.10(i) 11.10(j) 11.10(k) 11.10(k)(1) 11.10(k)(2)
US FedRAMP R4 CA-7 CA-7(1)
US FedRAMP R4 (low) CA-7
US FedRAMP R4 (moderate) CA-7 CA-7(1)
US FedRAMP R4 (high) CA-7 CA-7(1)
US FedRAMP R4 (LI-SaaS) CA-7
US FedRAMP R5 (source) CA-7 CA-7(1)
US FedRAMP R5 (low) (source) CA-7
US FedRAMP R5 (moderate) (source) CA-7 CA-7(1)
US FedRAMP R5 (high) (source) CA-7 CA-7(1)
US FedRAMP R5 (LI-SaaS) (source) CA-7
US FFIEC D5.IR.Pl.Int.3 D1.RM.RMP.E.2 D1.G.Ov.A.2
US GLBA CFR 314 2023 (source) 314.4(d)(1)
US HHS 45 CFR 155.260 155.260(a)(3)(viii)
US HIPAA Administrative Simplification 2013 (source) 164.306(d)(3)(i) 164.316(b)(2)(iii)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.306(d)(3)(i) 164.316(b)(2)(iii)
US IRS 1075 1.6 CA-7 CA-7(1) PM-14
US NISPOM 2020 8-202 8-302 8-610 8-614
US SSA EIESR 8.0 5.7 5.11
US - AK PIPA 45.48.520
US - CA CCPA 2025 7122(a)(3) 7122(f)
US - NY SHIELD Act S5575B 4(2)(b)(ii)(B)(4)
US - OR 646A 622(2)(B)(iii)
US - TX DIR Control Standards 2.0 CA-7 PM-14
US - TX TX-RAMP Level 1 CA-7
US - TX TX-RAMP Level 2 CA-7 CA-7(1)
US - VT Act 171 of 2018 2447(b)(2)(C) 2447(b)(8) 2447(b)(8)(A)
EMEA (30)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.4.6(41) 3.4.6(42) 3.4.6(43) 3.4.6(43)(a) 3.4.6(43)(b) 3.4.6(44) 3.4.6(45) 3.4.6(46) 3.4.6(47) 3.4.6(48)
EMEA EU GDPR (source) 32.1(d)
EMEA EU PSD2 3
EMEA Germany Sec 9 Sec 9a Annex
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 5.6
EMEA Germany C5 2020 SP-03
EMEA Greece 10
EMEA Hungary 7
EMEA Ireland 2
EMEA Israel CDMO 1.0 1.3 3.1
EMEA Israel 16 17
EMEA Italy 31 33 34 35
EMEA Netherlands 12 13 14
EMEA Nigeria DPR 2019 4.1(5)(a) 4.1(5)(b) 4.1(5)(c) 4.1(5)(d) 4.1(5)(e) 4.1(5)(f) 4.1(5)(g) 4.1(5)(h) 4.1(5)(i) 4.1(5)(j) 4.1(6) 4.1(7)
EMEA Norway 13 14
EMEA Poland 1 36
EMEA Russia 7 19
EMEA Saudi Arabia CSCC-1 2019 1-4
EMEA Saudi Arabia IoT CGIoT-1 2024 1-7-3
EMEA Saudi Arabia ECC-1 2018 1-3-2
EMEA Saudi Arabia OTCC-1 2022 1-6 1-6-1
EMEA Saudi Arabia SAMA CSF 1.0 3.2.4
EMEA South Africa 8 19 21
EMEA Spain BOE-A-2022-7191 10.1 10.2 10.3
EMEA Spain 311/2022 10.1 10.2 10.3
EMEA Spain CCN-STIC 825 9
EMEA Sweden 31
EMEA Switzerland 7
EMEA Turkey 12
EMEA UK DEFSTAN 05-138 1206
APAC (18)
Framework Mapping Values
APAC Australia Privacy Act APP Part 11
APAC Australia Prudential Standard CPS230 29 30 58(b) 58(c)
APAC Australia Prudential Standard CPS234 27 27(a) 27(b) 27(c) 27(d) 27(e) 29
APAC China DNSIP 4
APAC China Privacy Law 54
APAC Hong Kong Principle 4
APAC India ITR 8
APAC India SEBI CSCRF EV.ST.S4
APAC Japan APPI 21
APAC Japan ISMAP 4.6 4.6.1 4.6.2 4.6.2.2 4.6.2.6 4.6.3 4.6.3.1 4.6.3.2 4.6.2.3 4.6.2.4 12.7.1 18.2.2 18.2.3
APAC Malaysia 9
APAC New Zealand HISF 2022 HHSP67 HML66 HSUP58
APAC New Zealand HISF Suppliers 2023 HSUP58
APAC New Zealand NZISM 3.6 6.1.7.C.01 23.2.18.C.01
APAC Philippines 25 29
APAC Singapore 24
APAC Singapore MAS TRM 2021 3.2.3
APAC Taiwan 27
Americas (6)

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to provide a cybersecurity and data protection controls oversight function that reports to its executive leadership.

Level 1 — Performed Informally

Compliance (CPL) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • IT personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.
  • IT personnel self-identify a set of controls that are used to conduct cybersecurity and data privacy control assessments.
  • IT personnel perform internal assessments of cybersecurity and data protection controls to determine compliance status.

Level 2 — Planned & Tracked

Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for compliance activities.
  • Cybersecurity personnel use a defined set of controls to conduct cybersecurity and data privacy control assessments, as defined by the applicable statutory, regulatory and contractual requirements.
  • Cybersecurity personnel generate a formal report for each security assessment to document the assessment of cybersecurity and data protection controls.
  • Compliance reporting is performed, as required.

Level 3 — Well Defined

Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to ensure compliance requirements are identified and documented.
  • The GRC function, or similar function:
      o Ensures data/process owners understand their requirements to manage applicable cybersecurity and data protection controls through oversight and written guidance.
      o Provides applicable stakeholders with status reports on control execution to enable security controls oversight.
      o Works with data/process owners and asset custodians to document and validate the scope of cybersecurity and data protection controls to ensure statutory, regulatory and/or contractual compliance obligations are met.
      o Conducts cybersecurity and data privacy control assessments on a regular cadence that is defined by the applicable statutory, regulatory and contractual requirements.
      o Reviews the findings from security assessments and oversees long-term remediation efforts, when applicable.
  • Cybersecurity and data privacy controls are centrally managed through a technology solution (e.g., GRC solution) to assign controls, track control activities and report on compliance efforts.
  • An Audit Committee, or similar function:
      o Provides senior leaders with insights into the appropriateness of the organization's technology and information governance processes through recurring audits on pertinent cybersecurity and data privacy-related topics.
      o Governs changes to compliance operations to ensure its stability, reliability and ongoing improvement.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to provide a cybersecurity and data protection controls oversight function that reports to its executive leadership.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provide a cybersecurity and data protection controls oversight function that reports to its executive leadership.

Assessment Objectives

  1. CPL-02_A01 a compliance catalog of applicable laws, regulations and contractual obligations is documented.
  2. CPL-02_A02 a continuous monitoring strategy is developed for cybersecurity / data privacy controls.
  3. CPL-02_A03 continuous control monitoring is implemented in accordance with the organization's continuous monitoring strategy.
  4. CPL-02_A04 the frequency of cybersecurity / data privacy control assessments is defined.
  5. CPL-02_A05 cybersecurity / data privacy controls are assessed with the defined frequency to determine if the controls are effective in their application.
  6. CPL-02_A06 cybersecurity / data privacy controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
  7. CPL-02_A07 personnel or roles to whom the cybersecurity / data privacy status of the system is reported are defined.
  8. CPL-02_A08 the frequency at which the cybersecurity / data privacy status of the system is reported is defined.
  9. CPL-02_A09 system-level continuous monitoring includes reporting the cybersecurity / data privacy status of the system to pertinent personnel or roles according to an organization-defined frequency.
  10. CPL-02_A10 control monitoring metrics are defined.
  11. CPL-02_A11 system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy.
  12. CPL-02_A12 system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring.
  13. CPL-02_A13 system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information.
  14. CPL-02_A14 the personnel or roles to whom the security status of organizational systems is reported are defined.
  15. CPL-02_A15 the personnel or roles to whom the privacy status of organizational systems is reported are defined.
  16. CPL-02_A16 the frequency at which to report the security status of organizational systems is defined.
  17. CPL-02_A17 the frequency at which to report the privacy status of organizational systems is defined.
  18. CPL-02_A18 an organization-wide continuous monitoring strategy is developed.
  19. CPL-02_A19 continuous monitoring programs are implemented that include establishing metrics to be monitored.
  20. CPL-02_A20 continuous monitoring programs are implemented that establish frequency for monitoring.
  21. CPL-02_A21 continuous monitoring programs are implemented that establish frequency for assessment of control effectiveness.
  22. CPL-02_A22 continuous monitoring programs are implemented that include monitoring metrics on an ongoing basis in accordance with the continuous monitoring strategy.
  23. CPL-02_A23 continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring.
  24. CPL-02_A24 continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring.
  25. CPL-02_A25 continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information.
  26. CPL-02_A26 continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information.
  27. CPL-02_A27 continuous monitoring programs are implemented that include reporting the security status of organizational systems to the defined personnel or roles at the defined frequency.
  28. CPL-02_A28 continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to the defined personnel or roles at the defined frequency.
  29. CPL-02_A29 a system-level continuous monitoring strategy is developed.
  30. CPL-02_A30 ongoing monitoring is included in the continuous monitoring strategy.
  31. CPL-02_A31 security assessments are included in the continuous monitoring strategy.

Evidence Requirements

E-CPL-07 Control Assessments

Documented evidence of internal or third-party control assessments to provide governance oversight of cybersecurity & data privacy controls.

Compliance
E-CPL-09 Non-Compliance Oversight Reporting

Documented evidence of governance oversight reporting of non-compliance to the organization's executive leadership.

Compliance
E-GOV-04 Charter - Data Privacy Steering Committee

Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of privacy management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.

Cybersecurity & Data Protection Management
E-GOV-05 Charter - Audit Committee

Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of internal and external audit management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.

Cybersecurity & Data Protection Management
E-GOV-06 Charter - Risk Committee

Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of risk management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.

Cybersecurity & Data Protection Management
E-GOV-13 Measures of Performance (Metrics)

Documented evidence of formal measures of performance that are used to track the health of the cybersecurity & data protection program (e.g., metrics, KPIs, KRIs).

Cybersecurity & Data Protection Management
E-RSK-03 Plan of Actions & Milestones (POA&M) / Risk Register

Documented evidence of a POA&M, or risk register, that tracks control deficiencies from identification through remediation.

Risk Management

Technology Recommendations

Micro/Small

  • SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
  • Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)

Small

  • SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
  • Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)

Medium

  • SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
  • Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
  • Steering committee

Large

  • SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
  • Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
  • Steering committee

Enterprise

  • SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
  • Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
  • Steering committee

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.