GOV-02: Publishing Cybersecurity & Data Protection Documentation

GOV 10 — Critical Govern

Mechanisms exist to establish, maintain and disseminate cybersecurity and data protection policies, standards and procedures.

Control Question: Does the organization establish, maintain and disseminate cybersecurity and data protection policies, standards and procedures?

General (50)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) CC1.2-POF1 CC1.4-POF1 CC2.2-POF1 CC2.2-POF7 CC5.3 CC5.3-POF1 CC7.2-POF1 P1.1-POF5
BSI Standard 200-1 4.2 7.3
COBIT 2019 APO01.09
COSO 2017 Principle 12
CSA CCM 4 A&A-01 AIS-01 BCR-01 CCC-01 CEK-01 DCS-01 DCS-02 DCS-03 DCS-04 DSP-01 GRC-01 GRC-02 HRS-01 HRS-02 HRS-03 HRS-04 IAM-01 IAM-02 IPY-01 IVS-01 LOG-01 SEF-01 SEF-02 STA-01 STA-12 TVM-01 TVM-02 UEM-01
CSA IoT SCF 2 GVN-01 GVN-02 POL-03
ENISA 2.0 SO1
Generally Accepted Privacy Principles (GAPP) 8.2.1
GovRAMP Low AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 RA-01 SA-01 SC-01 SI-01
GovRAMP Low+ AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 RA-01 SA-01 SC-01 SI-01
GovRAMP Moderate AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 RA-01 SA-01 SC-01 SI-01
GovRAMP High AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 RA-01 SA-01 SC-01 SI-01
IMO Maritime Cyber Risk Management 3.5.1 3.5.3.8 3.5.3.9
ISO/SAE 21434 2021 RQ-05-01.a RQ-05-01.b
ISO 22301 2019 5.2.1 5.2.2
ISO 27001 2022 5.1(a) 5.2 5.2(a) 5.2(b) 5.2(c) 5.2(d) 5.2(e) 5.2(f) 5.2(g) 7.5 7.5.1 7.5.1(a) 7.5.1(b) 7.5.2 7.5.2(a) 7.5.2(b) 7.5.2(c) 7.5.3 7.5.3(a) 7.5.3(b) 7.5.3(c) 7.5.3(d) 7.5.3(e) 7.5.3(f)
ISO 27002 2022 5.1 5.37
ISO 27017 2015 5.1.1 6.2.1 9.1.1
ISO 27701 2025 5.1 5.2 5.2(a) 5.2(b) 5.2(c) 5.2(d) 6.1.3(c) 7.5.1(b) 7.5.2 7.5.3
ISO 42001 2023 5.1 5.2 5.2(a) 5.2(b) 5.2(c) 5.2(d) 7.5.1 7.5.1(a) 7.5.1(b) 7.5.2 7.5.3 7.5.3(a) 7.5.3(b) A.2 A.2.2 A.2.3
MPA Content Security Program 5.1 OR-1.0 OR-3.0 OP-2.0 PS-2.0 TS-2.4 TS-2.6 TS-2.8 TS-2.11 TS-3.0
NIST AI 100-1 (AI RMF) 1.0 GOVERN 1.0 GOVERN 1.2 GOVERN 1.3 GOVERN 1.4 GOVERN 3.2 GOVERN 4.1 GOVERN 5.1 GOVERN 6.0 GOVERN 6.1 MAP 3.5
NIST AI 600-1 GV-1.5-002
NIST Privacy Framework 1.0 GV.PO-P1 GV.PO-P6 GV.MT-P3 GV.MT-P4 GV.MT-P5 GV.MT-P6 GV.MT-P7 CT.PO-P1 CT.PO-P2 CT.PO-P3 CM.PO-P1 PR.PO-P4
NIST 800-37 R2 P-5
NIST 800-53 R4 PM-1
NIST 800-53 R5 AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PM-1 PS-1 PT-1 RA-1 SA-1 SC-1 SI-1 SR-1
NIST 800-53 R5 (NOC) PM-1
NIST 800-161 R1 AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PS-1 RA-1 SC-1 SI-1 SR-1
NIST 800-171A 3.4.9[a] 3.9.2[a]
NIST 800-171 R3 03.15.01.a
NIST 800-171A R3 A.03.15.01.a[01] A.03.15.01.a[02] A.03.15.01.a[03] A.03.15.01.a[04]
NIST CSF 2.0 GV.PO GV.PO-01 GV.SC-01 GV.SC-03 ID.RA
PCI DSS 4.0.1 1.1.1 2.1.1 3.1.1 3.7.1 3.7.2 3.7.3 3.7.5 3.7.6 3.7.7 3.7.8 4.1.1 5.1.1 6.1.1 7.1.1 8.1.1 8.3.8 9.1.1 10.1.1 11.1.1 12.1 12.1.1 12.1.2 12.1.3
PCI DSS 4.0.1 SAQ A 3.1.1
PCI DSS 4.0.1 SAQ A-EP 1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 8.1.1 8.3.8 12.1.1 12.1.2 12.1.3
PCI DSS 4.0.1 SAQ B 3.1.1 12.1.1 12.1.2 12.1.3
PCI DSS 4.0.1 SAQ B-IP 3.1.1 8.1.1 9.1.1 12.1.1 12.1.2 12.1.3
PCI DSS 4.0.1 SAQ C 2.1.1 3.1.1 5.1.1 8.1.1 8.3.8 9.1.1 10.1.1 12.1.1 12.1.2 12.1.3
PCI DSS 4.0.1 SAQ C-VT 2.1.1 3.1.1 8.1.1 9.1.1 12.1.1 12.1.2
PCI DSS 4.0.1 SAQ D Merchant 1.1.1 2.1.1 3.1.1 3.7.1 3.7.2 3.7.3 3.7.5 3.7.6 3.7.7 3.7.8 4.1.1 5.1.1 6.1.1 7.1.1 8.1.1 8.3.8 9.1.1 10.1.1 11.1.1 12.1.1 12.1.2 12.1.3
PCI DSS 4.0.1 SAQ D Service Provider 1.1.1 2.1.1 3.1.1 3.7.1 3.7.2 3.7.3 3.7.5 3.7.6 3.7.7 3.7.8 4.1.1 5.1.1 6.1.1 7.1.1 8.1.1 8.3.8 9.1.1 10.1.1 11.1.1 12.1.1 12.1.2 12.1.3
PCI DSS 4.0.1 SAQ P2PE 3.1.1 9.1.1 12.1.1 12.1.2 12.1.3
SPARTA CM0088
TISAX ISA 6 1.1.1 1.5.1 7.1.1 9.1.1
SCF CORE Fundamentals GOV-02
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) GOV-02
SCF CORE ESP Level 1 Foundational GOV-02
SCF CORE ESP Level 2 Critical Infrastructure GOV-02
SCF CORE ESP Level 3 Advanced Threats GOV-02
US (31)
Framework Mapping Values
US C2M2 2.1 ASSET-5.C.MIL3 THREAT-3.C.MIL3 RISK-5.C.MIL3 ACCESS-4.C.MIL3 SITUATION-4.C.MIL3 RESPONSE-5.C.MIL3 THIRD-PARTIES-3.C.MIL3 WORKFORCE-4.C.MIL3 ARCHITECTURE-5.C.MIL3 PROGRAM-3.C.MIL3
US CERT RMM 1.2 EF:SG2.SP1 EF:SG2.SP2
US CJIS Security Policy 5.9.3 5.2 5.3 5.4 5.5 5.6 5.8 5.9 MA-1
US CMS MARS-E 2.0 PM-1
US DoD Zero Trust Execution Roadmap 6.1.1
US DFARS Cybersecurity 252.204-70xx 252.204-7008 252.204-7012
US DHS CISA TIC 3.0 3.UNI.PEPAR 3.UNI.IDMRP 3.UNL.GPAUD 3.PEP.WE.ACONT
US DHS ZTCF DEV-01
US FCA CRM 609.930(c)(5)
US FDA 21 CFR Part 11 11.10 11.10(j)
US FERPA 1232h
US FFIEC D1.G.SP.B.4
US FINRA S-P (17 CFR §248.30)
US GLBA CFR 314 2023 314.4(c) 314.4(c)(8) 314.4(e)
US HHS 45 CFR 155.260 155.260(d) 155.260(d)(1) 155.260(d)(2)
US HIPAA Administrative Simplification 2013 164.308(a)(1)(i) 164.308(a)(3)(i) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(6)(i) 164.308(a)(7)(i) 164.310(a)(1) 164.310(a)(2)(ii) 164.310(a)(2)(iv) 164.310(b) 164.310(d)(1) 164.310(d)(2)(i) 164.312(a)(1) 164.312(c)(1) 164.316(a) 164.316(b)(1)(i)
US HIPAA Security Rule / NIST SP 800-66 R2 164.308(a)(1)(i) 164.308(a)(3)(i) 164.308(a)(4)(i) 164.308(a)(4)(ii)(A) 164.308(a)(6)(i) 164.308(a)(7)(i) 164.310(a)(1) 164.310(a)(2)(ii) 164.310(a)(2)(iv) 164.310(b) 164.310(d)(1) 164.310(d)(2)(i) 164.312(a)(1) 164.312(c)(1) 164.316(a) 164.316(b)(1)(i)
US HIPAA HICP Small Practice 4.S.A 10.S.A
US HIPAA HICP Medium Practice 4.M.B
US HIPAA HICP Large Practice 4.M.B 10.M.A
US IRS 1075 1.8.2 2.C.2 PM-1
US SSA EIESR 8.0 5.1 5.2
US TSA / DHS 1580/82-2022-01 III.B III.B.1.d III.C III.C.1 III.C.1.a III.C.1.b III.C.3 III.D
US - AK PIPA 45.48.530
US - CA CCPA 2025 7123(b)(1)
US - MA 201 CMR 17.00 17.03(1) 17.04 17.03(2)(b)(2)
US - NV NOGE Reg 5 5.260.6
US - NY DFS 23 NYCRR500 2023 Amd 2 500.11(a) 500.13(a) 500.14(a)(1) 500.15(a) 500.2(b)(2) 500.3 500.3(a) 500.3(b) 500.3(c) 500.3(d) 500.3(e) 500.3(f) 500.3(g) 500.3(h) 500.3(i) 500.3(j) 500.3(k) 500.3(l) 500.3(m) 500.3(n) 500.3(o) 500.5 500.7(b) 500.8(a)
US - TX DIR Control Standards 2.0 PM-1
US - TX SB 820 11.175(b)
US - VT Act 171 of 2018 2447(b)(3)
EMEA (24)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.4.1(28) 3.4.1(29) 3.4.5(38)
EMEA EU DORA 6.2 9.4(a) 9.4(d) 9.4(e) 9.4(f)
EMEA EU GDPR 24.2
EMEA EU NIS2 21.1 21.2(a) 21.2(b) 21.2(c) 21.2(d) 21.2(e) 21.2(f) 21.2(g) 21.2(h) 21.2(i) 21.2(j)
EMEA EU NIS2 Annex 1.1.1(f) 1.1.1(i) 1.1.1(k) 11.1.1 5.1.6 7.1 9.1
EMEA EU PSD2 3
EMEA Austria Sec 14 Sec 15
EMEA Belgium 16
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 4.2 4.3 4.8
EMEA Germany C5 2020 OIS-01 OIS-02 SP-01
EMEA Israel CDMO 1.0 1.1 4.1 4.25 5.2 5.3 9.1 10.1 11.2 12.1 13.1 14.1 15.1 17.1 18.1 20.1 21.1 22.1 24.1 25.1
EMEA Nigeria DPR 2019 4.1(1)
EMEA Qatar PDPPL 8.4
EMEA Saudi Arabia IoT CGIoT-1 2024 1-2-1
EMEA Saudi Arabia ECC-1 2018 1-3-1 1-3-3
EMEA Saudi Arabia OTCC-1 2022 1-1 1-1-1
EMEA Saudi Arabia SACS-002 TPC-25
EMEA Saudi Arabia SAMA CSF 1.0 3.1.3
EMEA Spain BOE-A-2022-7191 12.1 12.1(a) 12.1(b) 12.1(c) 12.1(d) 12.1(e) 12.1(f) 12.2 12.6 12.6(a) 12.6(b) 12.6(c) 12.6(d) 12.6(e) 12.6(f) 12.6(g) 12.6(h) 12.6(i) 12.6(j) 12.6(k) 12.6(l) 12.6(m) 12.6(n) 12.6(ñ) 12.7
EMEA Spain 311/2022 12.1 12.1(a) 12.1(b) 12.1(c) 12.1(d) 12.1(e) 12.1(f) 12.2 12.6 12.6(a) 12.6(b) 12.6(c) 12.6(d) 12.6(e) 12.6(f) 12.6(g) 12.6(h) 12.6(i) 12.6(j) 12.6(k) 12.6(l) 12.6(m) 12.6(n) 12.6(ñ) 12.7
EMEA Spain CCN-STIC 825 6.1 [ORG.1] 6.2 [ORG.2]
EMEA UK CAF 4.0 A1 B1 B1.b
EMEA UK CAP 1850 A1 A5
EMEA UK DEFSTAN 05-138 1100 1101 2100 2101
APAC (9)
Framework Mapping Values
APAC Australian Privacy Principles APP 1
APAC Australia ISM June 2024 ISM-0047 ISM-0888 ISM-1478 ISM-1551 ISM-1602 ISM-1784 ISM-1785
APAC Australia Prudential Standard CPS234 18 19
APAC India SEBI CSCRF GV.PO.S1
APAC Japan ISMAP 4.4.1 4.4.4 4.4.5 4.4.5.1 4.4.5.3 4.5.1 4.5.2 4.5.3 4.5.3.1 4.6 4.6.1 4.8.1 4.8.1.1 4.8.2 4.8.2.1 4.8.2.2 5.1.1
APAC New Zealand HISF 2022 HHSP01 HML01 HMS02 HSUP01
APAC New Zealand HISF Suppliers 2023 HML01 HSUP01
APAC New Zealand NZISM 3.6 5.1.7.C.01 5.1.14.C.01 5.1.16.C.01 5.1.16.C.02 5.1.17.C.01 5.1.18.C.01 5.1.19.C.01 5.1.20.C.01 5.1.20.C.02 5.2.3.C.01 5.2.3.C.02
APAC Singapore MAS TRM 2021 3.2.1
Americas (3)
Framework Mapping Values
Americas Canada CSAG 6.1 6.3
Americas Canada OSFI B-13 1 3
Americas Canada ITSP-10-171 03.15.01.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to establish, maintain and disseminate cybersecurity and data privacy policies, standards and procedures.

Level 1 — Performed Informally

Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • No formal cybersecurity and/or data privacy principles are identified for the organization.
  • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.
  • Governance efforts are narrowly limited to certain compliance requirements.
  • Formal roles and responsibilities for cybersecurity and/or data privacy may exist.
  • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Basic cybersecurity policies and standards are documented, but are not based on any industry framework.
  • Basic procedures are established for important tasks, but are ad hoc and not formally documented.
  • Documentation is made available to internal personnel.
  • Organizational leadership maintains an informal process to review and respond to observed trends.
Level 2 — Planned & Tracked

Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity and data privacy governance activities.
  • The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives of the security function, based on business requirements.
  • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).
  • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel.
  • Compliance requirements for cybersecurity and data privacy are identified and documented.
  • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
  • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements.
  • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization.
  • Documentation is made available to internal personnel.
Level 3 — Well Defined

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
  • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
  • Controls are standardized across the organization to ensure uniformity and consistent execution.
  • Corporate governance (executive oversight) exists for cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
  • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
  • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/or service for which they are accountable.
  • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
  • Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled

Cybersecurity & Privacy Governance (GOV) efforts are metrics-driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement.
  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish, maintain and disseminate cybersecurity and data privacy policies, standards and procedures.

Assessment Objectives

  1. GOV-02_A01 cybersecurity / data privacy policies are developed and documented.
  2. GOV-02_A02 policies needed to satisfy the security requirements for the protection of sensitive / regulated data are developed and documented.
  3. GOV-02_A03 policies needed to satisfy the security requirements for the protection of sensitive / regulated data are disseminated to organizational personnel or roles.
  4. GOV-02_A04 procedures needed to satisfy the security requirements for the protection of sensitive / regulated data are developed and documented.
  5. GOV-02_A05 procedures needed to satisfy the security requirements for the protection of sensitive / regulated data are disseminated to organizational personnel or roles.
  6. GOV-02_A06 the cybersecurity / data privacy policies address purpose.
  7. GOV-02_A07 the cybersecurity / data privacy policies address scope.
  8. GOV-02_A08 the cybersecurity / data privacy policies address roles.
  9. GOV-02_A09 the cybersecurity / data privacy policies address responsibilities.
  10. GOV-02_A10 the cybersecurity / data privacy policies address management commitment.
  11. GOV-02_A11 the cybersecurity / data privacy policies address coordination among organizational entities.
  12. GOV-02_A12 the cybersecurity / data privacy policies address compliance.
  13. GOV-02_A13 the cybersecurity / data privacy policies are consistent with applicable laws, regulations and contractual obligations.
  14. GOV-02_A14 personnel or roles to whom the cybersecurity / data privacy policies are to be disseminated is/are defined.
  15. GOV-02_A15 the cybersecurity / data privacy policies are disseminated to personnel or roles.
  16. GOV-02_A16 the official is designated to manage the development, documentation and dissemination of the cybersecurity / data privacy policies and procedures.
  17. GOV-02_A17 an official to manage the governance of cybersecurity / data privacy policies and procedures is defined.
  18. GOV-02_A18 policies needed to satisfy the security requirements for the protection of CUI are developed and documented.
  19. GOV-02_A19 policies needed to satisfy the security requirements for the protection of CUI are disseminated to organizational personnel or roles.
  20. GOV-02_A20 procedures needed to satisfy the security requirements for the protection of CUI are developed and documented.
  21. GOV-02_A21 procedures needed to satisfy the security requirements for the protection of CUI are disseminated to organizational personnel or roles.

Evidence Requirements

E-GOV-08 Cybersecurity & Data Protection Policies

Documented evidence of appropriately-scoped cybersecurity & data protection policies. Policies are high-level statements of management intent from an organization's executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes. Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements.

Cybersecurity & Data Protection Management
E-GOV-09 Cybersecurity & Data Protection Standards

Documented evidence of appropriately-scoped cybersecurity & data protection standards. Standards are mandatory requirements regarding processes, actions and configurations. Standards are intended to be granular and prescriptive to ensure systems, applications and processes are designed and operated to include appropriate cybersecurity & data protection safeguards.

Cybersecurity & Data Protection Management
E-GOV-11 Cybersecurity & Data Protection Procedures

Documented evidence of appropriately-scoped cybersecurity & data protection procedures. Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. Procedures help address the question of how the organization actually operationalizes a policy, standard or control. The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as “control activities.”

Cybersecurity & Data Protection Management

Technology Recommendations

Micro/Small

  • ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)
  • SCFConnect (https://scfconnect.com)

Small

  • ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)
  • SCFConnect (https://scfconnect.com)

Medium

  • ComplianceForge - Digital Security Program (DSP) (https://complianceforge.com)
  • ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)

Large

  • ComplianceForge - Digital Security Program (DSP) (https://complianceforge.com)
  • ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)

Enterprise

  • ComplianceForge - Digital Security Program (DSP) (https://complianceforge.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.