Skip to main content

CPL-03: Cybersecurity & Data Protection Assessments

CPL 10 — Critical Detect

Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's cybersecurity and data protection policies, standards and other applicable requirements.

Control Question: Does the organization regularly review processes and documented procedures to ensure conformity with the organization's cybersecurity and data protection policies, standards and other applicable requirements?

General (51)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.1-POF3 CC4.1
BSI Standard 200-1 9
COBIT 2019 MEA02.01 MEA02.02 MEA02.03 MEA02.04
COSO 2017 Principle 16
CSA CCM 4 A&A-02 A&A-05 CEK-09 LOG-10 STA-11
CSA IoT SCF 2 GVN-04 SAP-10
Generally Accepted Privacy Principles (GAPP) 10.2.4
GovRAMP Low CA-02
GovRAMP Low+ CA-02
GovRAMP Moderate CA-02
GovRAMP High CA-02
IMO Maritime Cyber Risk Management 3.5.3.9
ISO/SAE 21434 2021 RQ-05-17
ISO 27001 2022 (source) 8.1 9.1 9.1(a) 9.1(b) 9.1(c) 9.1(d) 9.1(e) 9.1(f)
ISO 27002 2022 5.35 5.36 8.34
ISO 27017 2015 18.2.2
MITRE ATT&CK 10 T1190, T1195, T1195.001, T1195.002, T1210
NAIC Insurance Data Security Model Law (MDL-668) 4.C(4) 4.C(5)
NIST AI 100-1 (AI RMF) 1.0 GOVERN 1.5
NIST Privacy Framework 1.0 ID.DE-P5
NIST 800-37 R2 A-3 A-4
NIST 800-53 R4 CA-2
NIST 800-53 R4 (low) CA-2
NIST 800-53 R4 (moderate) CA-2
NIST 800-53 R4 (high) CA-2
NIST 800-53 R5 (source) CA-2
NIST 800-53B R5 (privacy) (source) CA-2
NIST 800-53B R5 (low) (source) CA-2
NIST 800-53B R5 (moderate) (source) CA-2
NIST 800-53B R5 (high) (source) CA-2
NIST 800-82 R3 LOW OT Overlay CA-2
NIST 800-82 R3 MODERATE OT Overlay CA-2
NIST 800-82 R3 HIGH OT Overlay CA-2
NIST 800-160 3.4.9
NIST 800-161 R1 CA-2
NIST 800-161 R1 C-SCRM Baseline CA-2
NIST 800-161 R1 Level 2 CA-2
NIST 800-161 R1 Level 3 CA-2
NIST 800-171 R2 (source) 3.12.1
NIST 800-171 R3 (source) 03.12.01 03.12.03
NIST 800-171A R3 (source) A.03.12.01
NIST 800-172 3.11.5e
NIST CSF 2.0 (source) ID.IM-01 ID.IM-02
PCI DSS 4.0.1 (source) 10.7 10.7.1 10.7.2 10.7.3 11.1 12.4.2
PCI DSS 4.0.1 SAQ D Merchant (source) 10.7.2 10.7.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 10.7.1 10.7.2 10.7.3 12.4.2
TISAX ISA 6 1.5.2 5.2.6
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) CPL-03
SCF CORE ESP Level 1 Foundational CPL-03
SCF CORE ESP Level 2 Critical Infrastructure CPL-03
SCF CORE ESP Level 3 Advanced Threats CPL-03
US (21)
Framework Mapping Values
US C2M2 2.1 ASSET-5.E.MIL3 ASSET-5.F.MIL3 THREAT-3.F.MIL3 RISK-5.F.MIL3 ACCESS-4.F.MIL3 SITUATION-4.F.MIL3 RESPONSE-5.F.MIL3 THIRD-PARTIES-3.F.MIL3 WORKFORCE-4.F.MIL3 ARCHITECTURE-5.F.MIL3 PROGRAM-3.F.MIL3
US CERT RMM 1.2 CTRL:SG4.SP1 RISK:SG3.SP1
US CMMC 2.0 Level 2 (source) CA.L2-3.12.1
US CMMC 2.0 Level 3 (source) CA.L2-3.12.1 RA.L3-3.11.5E
US CMS MARS-E 2.0 CA-2
US DoD Zero Trust Execution Roadmap 6.6.1
US FDA 21 CFR Part 11 11.10 11.10(a) 11.10(b) 11.10(c) 11.10(d) 11.10(e) 11.10(f) 11.10(g) 11.10(h) 11.10(i) 11.10(j) 11.10(k) 11.10(k)(1) 11.10(k)(2)
US GLBA CFR 314 2023 (source) 314.4(d)(1)
US HIPAA Administrative Simplification 2013 (source) 164.306(d)(3)(i) 164.316(b)(1)(ii)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.306(d)(3)(i) 164.316(b)(1)(ii)
US IRS 1075 1.6 1.6.1 1.6.2 1.6.3 2.D.3 CA-2
US NISPOM 2020 8-610
US NNPI (unclass) 4.1 4.4
US SSA EIESR 8.0 5.11
US - CA CCPA 2025 7120(a) 7122(b)
US - MA 201 CMR 17.00 17.03(2)(h)
US - NV NOGE Reg 5 5.260.5(c)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.2(c)
US - NY SHIELD Act S5575B 4(2)(b)(ii)(B)(4)
US - OR 646A 622(2)(B)(i) 622(2)(B)(ii) 622(2)(B)(iii) 622(2)(B)(iv)
US - TX DIR Control Standards 2.0 CA-2
EMEA (23)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.3.6(26) 3.3.6(27) 3.4.6(41) 3.4.6(42) 3.4.6(43) 3.4.6(43)(a) 3.4.6(43)(b) 3.4.6(44) 3.4.6(45) 3.4.6(46) 3.4.6(47) 3.4.6(48)
EMEA EU NIS2 21.1
EMEA EU PSD2 3 29
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 5.6
EMEA Germany C5 2020 COM-03
EMEA Hungary 7
EMEA Ireland 2
EMEA Israel CDMO 1.0 3.1
EMEA Israel 16 17
EMEA Italy 31
EMEA Netherlands 12 13 14
EMEA Norway 13 14
EMEA Poland 1 36
EMEA Qatar PDPPL 11.7 11.8
EMEA Russia 7
EMEA Saudi Arabia CSCC-1 2019 1-4-1 2-13-4
EMEA Saudi Arabia ECC-1 2018 1-3-2 1-8-1
EMEA Saudi Arabia OTCC-1 2022 1-6 1-6-1 1-6-2
EMEA Saudi Arabia SAMA CSF 1.0 3.2.4 3.2.5
EMEA South Africa 8 19 21
EMEA Spain BOE-A-2022-7191 31.1 31.2 31.3 31.4 31.5 31.6 31.7
EMEA Spain 311/2022 31.1 31.2 31.3 31.4 31.5 31.6 31.7
EMEA Sweden 31
APAC (10)
Framework Mapping Values
APAC Australia Prudential Standard CPS234 30
APAC China Privacy Law 38(1) 38(2) 40
APAC India SEBI CSCRF EV.ST.S5
APAC Japan APPI 40(1) 40(2) 40(3)
APAC Japan ISMAP 4.6.1 4.6.2 4.6.2.2 4.6.2.5 4.2.6.6 4.6.2.7 18.2.2
APAC Malaysia 9
APAC New Zealand NZISM 3.6 4.3.16.C.01 6.1.7.C.01 6.1.9.C.01 23.2.18.C.01
APAC Philippines 25
APAC Singapore 24
APAC Singapore MAS TRM 2021 4.5.1
Americas (4)
Framework Mapping Values
Americas Argentina PPL 9
Americas Canada CSAG 6.10
Americas Canada ITSP-10-171 03.12.01 03.12.03
Americas Chile 7

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to regularly review processes and documented procedures to ensure conformity with the organization's cybersecurity and data protection policies, standards and other applicable requirements.

Level 1 — Performed Informally

Compliance (CPL) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.
  • IT personnel self-identify a set of controls that are used to conduct cybersecurity and data privacy control assessments.
  • IT personnel perform internal assessments of cybersecurity and data privacy controls to determine compliance status.
Level 2 — Planned & Tracked

Compliance (CPL) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Compliance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for compliance activities.
  • Cybersecurity personnel use a defined set of controls to conduct cybersecurity and data privacy control assessments, as defined by the applicable statutory, regulatory and contractual requirements.
  • Cybersecurity personnel either use an impartial member of its team or a third-party assessor to perform an independent assessment of cybersecurity and data privacy controls.
Level 3 — Well Defined

Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures data/process owners understand their requirements to manage applicable cybersecurity and data privacy controls through oversight and written guidance. o Provides applicable stakeholders with status reports on control execution to enable security controls oversight. o Works with data/process owners and asset custodians to document and validate the scope of cybersecurity and data privacy controls to ensure statutory, regulatory and/ or contractual compliance obligations are met. o Conducts cybersecurity and data privacy control assessments, on a regular cadence that is defined by the applicable statutory, regulatory and contractual requirements.

  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data privacy controls to ensure compliance requirements are identified and documented.
  • The GRC function, or similar function:
  • Cybersecurity and data privacy controls are centrally managed through a technology solution (e.g., GRC solution) to assign controls, track control activities and report on compliance efforts.
  • Cybersecurity personnel either use an impartial member of its team or a third-party assessor to perform an independent assessment of cybersecurity and data privacy controls.
Level 4 — Quantitatively Controlled

Compliance (CPL) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data privacy controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to regularly review processes and documented procedures to ensure conformity with the organization's cybersecurity and data protection policies, standards and other applicable requirements.

Assessment Objectives

  1. CPL-03_A01 the frequency at which to assess controls in the system and its environment of operation is defined.
  2. CPL-03_A02 an appropriate assessor or assessment team is selected for the type of assessment to be conducted.
  3. CPL-03_A03 the security requirements for the system and its environment of operation are assessed per an organization-defined frequency to determine if the requirements have been satisfied.
  4. CPL-03_A04 individuals or roles to whom control assessment results are to be provided are defined.
  5. CPL-03_A05 a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment.
  6. CPL-03_A06 a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness.
  7. CPL-03_A07 a control assessment plan is developed that describes the scope of the assessment, including the assessment environment.
  8. CPL-03_A08 a control assessment plan is developed that describes the scope of the assessment, including the assessment team.
  9. CPL-03_A09 a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities.
  10. CPL-03_A10 the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment.
  11. CPL-03_A11 the security requirements for the system and its environment of operation are assessed <A.03.12.01.ODP[01]: frequency> to determine if the requirements have been satisfied.

Evidence Requirements

E-CPL-05 Internal Audit (IA) Findings

Documented evidence of a centrally-managed and prioritized repository Internal Audit (IA) findings.

Compliance
E-CPL-07 Control Assessments

Documented evidence of internal or third-party control assessments to provide governance oversight of cybersecurity & data privacy controls.

Compliance

Technology Recommendations

Micro/Small

  • Information Assurance Program (IAP)
  • Control Validation Testing (CVT) / Security Test & Evaluation (STE)
  • Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)

Small

  • Information Assurance Program (IAP)
  • Control Validation Testing (CVT) / Security Test & Evaluation (STE)
  • Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)

Medium

  • Information Assurance Program (IAP)
  • Control Validation Testing (CVT) / Security Test & Evaluation (STE)
  • Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)

Large

  • Information Assurance Program (IAP)
  • Control Validation Testing (CVT) / Security Test & Evaluation (STE)
  • Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)

Enterprise

  • Information Assurance Program (IAP)
  • Control Validation Testing (CVT) / Security Test & Evaluation (STE)
  • Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free