SCF Connect Frequently Asked Questions

Find answers to common questions about the Secure Controls Framework and SCF Connect.

What is the Secure Controls Framework (SCF)?

The SCF is a comprehensive cybersecurity and data privacy control framework designed to help organizations implement and manage information security, risk management and compliance requirements. It contains over 1,300 controls organized into 33 domains and helps organizations align controls with laws, regulations, and frameworks while supporting risk management programs.

What is an SCF Domain?

The SCF contains 33 domains that create a "best in class" approach to structuring cybersecurity and data protection controls in a logical arrangement. These range from Governance and Asset Management to Vulnerability Management and Web Security, providing user-friendly taxonomy for discussing controls.

What is an SCF Control?

In the context of cybersecurity, a control is the nexus of a cybersecurity program: it is used to manage risk by preventing, detecting or lessening the ability of a particular threat to negatively impact business processes.

What is an SCF Control Question?

The SCF Control Question is just the SCF Control reworded in the format of a question. This helps with Third-Party Risk Management (TPRM) processes by having the SCF control worded in question format.

What is SCF control weighting?

SCF utilizes relative control weighting, since not all controls have equal value when comparing risks. Controls are ranked 1-10, with 10 being "extremely important" and representing controls that organizations would require.

What is an Evidence Request List (ERL)?

The ERL is designed to standardize and streamline the evidence request process for an SCF-based assessment and serves as a guideline for "reasonable" artifacts demonstrating due diligence across audits.

What is "premium content" for SCF Connect?

Premium content includes the Digital Security Program (DSP) from ComplianceForge, providing thirty-three (33) domains that define a modern, digital security program with policies, controls, standards, and metrics aligned to SCF.

What is PPTDF?

PPTDF stands for People, Processes, Technologies, Data & Facilities and focuses on control applicability across these five categories to determine whether controls logically apply to specific organizational elements.

What is the SCF Maturity Model?

The Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM) is built directly into the SCF, where each of the SCF's controls has corresponding L0-L5 criteria defined.

What is the SCF Risk Model?

The Cybersecurity & Data Privacy Risk Management Model (C|P-RMM) is designed to be an integral tool of an organization's ability to demonstrate evidence of due diligence and due care.

What is the SCF Conformity Assessment Program (SCF CAP)?

The SCF CAP is an organization-level conformity assessment designed to utilize tailored controls addressing statutory, regulatory, and contractual obligations. SCF Connect serves as the Single Source of Truth (SSOT) for the SCF CAP.

What is a GRC tool?

A GRC (Governance, Risk & Compliance) tool helps organizations manage their security governance programs, assess and mitigate risks, and maintain compliance with regulatory requirements. SCF Connect is a GRC platform built natively on the Secure Controls Framework, providing a unified approach to managing controls across 200+ compliance frameworks from a single common control set.

What is a common control set?

A common control set is a unified catalog of security and privacy controls that maps to multiple compliance frameworks simultaneously. Instead of managing separate control lists for NIST 800-53, ISO 27001, SOC 2, HIPAA, and other frameworks individually, a common control set like the SCF lets you implement one control and automatically satisfy requirements across all mapped frameworks. This eliminates duplicated effort and ensures consistent coverage.
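The mechanics behind "implement one control, satisfy many frameworks" are easiest to see on a small crosswalk. The following is an added illustration, not code from SCF Connect or the Secure Controls Framework: it uses a constructed, hypothetical crosswalk (control IDs CC-01 to CC-04, frameworks FW-A/FW-B/FW-C and their requirement IDs, and 1-10 weights are all made up) to compute per-framework coverage, the remaining gaps, a weight-based score in the spirit of the SCF's relative weighting, and which unimplemented common controls would close the most gaps across all frameworks at once.

```python
"""Added example of how a common control set maps to several frameworks.

Not SCF Connect's or the SCF's own code. The crosswalk, requirement IDs and
weights below are constructed for illustration only.
"""
from collections import defaultdict

# Hypothetical crosswalk: common control -> {framework: [requirement IDs it satisfies]}
CROSSWALK = {
    "CC-01": {"FW-A": ["A.1"], "FW-B": ["B.10", "B.11"]},
    "CC-02": {"FW-A": ["A.2"], "FW-C": ["C.5"]},
    "CC-03": {"FW-B": ["B.12"], "FW-C": ["C.6"]},
    "CC-04": {"FW-A": ["A.3"]},
}

# Hypothetical relative weights on a 1-10 scale (10 = extremely important)
WEIGHTS = {"CC-01": 10, "CC-02": 7, "CC-03": 4, "CC-04": 2}


def framework_requirements(crosswalk=CROSSWALK):
    """Invert the crosswalk: framework -> {requirement ID: set of controls that satisfy it}."""
    reqs = defaultdict(lambda: defaultdict(set))
    for control, frameworks in crosswalk.items():
        for fw, ids in frameworks.items():
            for req_id in ids:
                reqs[fw][req_id].add(control)
    return reqs


def coverage(implemented, crosswalk=CROSSWALK, weights=WEIGHTS):
    """Per-framework view for a set of implemented common controls.

    Returns {framework: {"satisfied", "total", "gaps", "weighted"}} where
    "weighted" is the share of total control weight (among controls that map
    to that framework) which has been implemented.
    """
    implemented = set(implemented)
    report = {}
    for fw, reqs in framework_requirements(crosswalk).items():
        satisfied = {r for r, ctrls in reqs.items() if ctrls & implemented}
        mapped = {c for ctrls in reqs.values() for c in ctrls}
        total_w = sum(weights[c] for c in mapped)
        done_w = sum(weights[c] for c in mapped & implemented)
        report[fw] = {
            "satisfied": len(satisfied),
            "total": len(reqs),
            "gaps": sorted(set(reqs) - satisfied),
            "weighted": round(done_w / total_w, 2) if total_w else 0.0,
        }
    return report


def gap_closers(implemented, crosswalk=CROSSWALK, weights=WEIGHTS):
    """Rank unimplemented controls by how many still-open requirements (across
    every framework) each one would satisfy; ties broken by control weight."""
    implemented = set(implemented)
    open_reqs = {
        (fw, r)
        for fw, reqs in framework_requirements(crosswalk).items()
        for r, ctrls in reqs.items()
        if not ctrls & implemented
    }
    ranked = []
    for control, frameworks in crosswalk.items():
        if control in implemented:
            continue
        closes = sum(1 for fw, ids in frameworks.items() for r in ids if (fw, r) in open_reqs)
        ranked.append((control, closes))
    ranked.sort(key=lambda item: (-item[1], -weights[item[0]], item[0]))
    return ranked


if __name__ == "__main__":
    done = {"CC-01", "CC-03"}
    for fw, row in sorted(coverage(done).items()):
        print(fw, row)
    print("next controls to implement:", gap_closers(done))
```

With CC-01 and CC-03 implemented, FW-B is fully satisfied while FW-A and FW-C still have open requirements, and the ranking shows that implementing CC-02 next closes two gaps (one in FW-A, one in FW-C) in a single step, which is the deduplication benefit the paragraph describes.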

How does SCF Connect compare to other GRC platforms?

Unlike traditional GRC platforms that treat frameworks as isolated checklists, SCF Connect is built natively on the Secure Controls Framework — the most comprehensive common control set available. This means every control you implement automatically maps to 200+ frameworks. Combined with the SCRMS methodology, SCF Connect goes beyond compliance to help you build a security program that addresses both regulatory obligations and actual risk.

Can SCF Connect help with HIPAA, SOC 2, or ISO 27001 compliance?

Yes. SCF Connect supports all major compliance frameworks including HIPAA, SOC 2, ISO 27001, NIST 800-53, CMMC, PCI DSS, GDPR, FedRAMP, and 200+ others. When you select your applicable frameworks, SCF Connect automatically identifies the required controls and generates evidence request lists specific to each framework, streamlining your path to audit readiness.

What is audit readiness?

Audit readiness means your organization has implemented the necessary controls, collected supporting evidence, and documented your security program to the point where you can confidently undergo a formal audit or assessment. SCF Connect helps you achieve audit readiness through structured control scoping, maturity assessments, evidence management, and comprehensive reporting — ensuring nothing falls through the cracks before your assessor arrives.

Still Have Questions?

Our team is here to help. Reach out and we'll get back to you promptly.