The SCF’s Evidence Request List (ERL) is designed to standardize and streamline the evidence request process for SCF-based assessments. The ERL identifies reasonably-expected artifacts and evidence mapped directly to SCF controls, leveling the playing field by establishing evidence expectations upfront so there are no surprises. The ERL can also be used as a guidebook for “reasonable” artifacts to demonstrate evidence of due diligence and due care for other cybersecurity and/or privacy audits or assessments.
The ERL is utilized as part of the SCF’s Conformity Assessment Program (CAP) to identify reasonably-expected artifacts and evidence to meet applicable SCF controls, since the identified evidence artifacts are mapped directly to SCF controls.
Since “time is money” when it comes to an audit or assessment, the ERL is specifically designed to make assessments more efficient and therefore less expensive. By establishing a finite, standardized list of supporting evidence upfront, both the assessor and the organization being assessed know exactly what is expected.
Included as a Tab in the SCF Download
The ERL is one of the tabs included as part of the SCF spreadsheet download. No separate download is required. When you download the SCF, the ERL is already integrated and mapped to every applicable control.
The ERL solves two of the most common complaints in cybersecurity assessments: unpredictable evidence demands and assessors making up documentation requirements on the fly.
The ERL establishes evidence expectations upfront so there are no surprises. Both the organization being assessed and the assessor know exactly what artifacts are expected before the assessment begins, eliminating the common problem of mid-assessment evidence requests that derail timelines and budgets.
The ERL prevents an assessor from literally making up documentation requirements on the fly. By defining a standardized, finite list of evidence artifacts mapped to SCF controls, the ERL creates consistency across assessors, organizations, and assessment cycles.
Since “time is money” when it comes to an audit or assessment, the ERL is specifically designed to make assessments more efficient and therefore less expensive. The organization can pre-stage evidence before the assessment begins, and the assessor can work through a structured evidence review process.
Every evidence artifact in the ERL is mapped directly to the applicable SCF controls. This ensures complete coverage. No control is assessed without defined evidence expectations, and no evidence is collected without a clear connection to a specific control requirement.
The ERL identifies “reasonable” artifacts that demonstrate evidence of due diligence and due care. This concept is critical for regulatory examinations and legal defensibility. The ERL defines what a reasonable organization should be able to produce as proof of control implementation.
The ERL is utilized as part of the SCF Conformity Assessment Program (CAP) to identify the evidence artifacts needed to meet applicable SCF controls during a formal third-party assessment. Organizations pursuing SCF-CAP certification use the ERL as their evidence preparation guide.
The ERL provides a finite list of supporting evidence that an organization is expected to produce for each applicable SCF control. Prior to the start of an assessment, the ERL is provided to the organization to allow sufficient time to accumulate reasonable evidence.
The ERL’s standardized evidence expectations allow organizations to have sufficient time to accumulate reasonable evidence to determine the adequacy of control design and operation. This structured approach transforms what is typically an ad-hoc, stressful evidence collection process into a planned, predictable activity.
Before the Assessment: The assessor or 3PAO provides the ERL to the organization being assessed. The ERL identifies exactly what evidence artifacts are expected for each in-scope SCF control.
Evidence Preparation: The organization reviews the ERL and accumulates the requested artifacts. This pre-staging period ensures evidence is organized and ready before assessor time begins.
During the Assessment: The assessor reviews submitted evidence against the ERL requirements. Findings are documented for any evidence gaps or exceptions.
Assessment Output: The ERL provides the evidentiary foundation for control-level findings, CMM scores, and the overall Report on Conformity (ROC).
The ERL tab within the SCF spreadsheet provides structured evidence expectations organized by SCF domain and control:
SCF control identifier that relates to the evidence artifact
Unique evidence artifact identification number (e.g., E-GOV-03)
Mapping to applicable SCF domains across all 33 domain areas
Area of focus (e.g., asset management, business continuity, etc.)
Evidence types (policies, standards, procedures, configurations, screenshots, logs, reports, etc.)
Evidence of Due Diligence & Due Care
The artifacts identified in the ERL represent what a reasonable organization should be able to produce as proof that controls are implemented correctly, operating as intended, and producing the desired outcome.
The ERL is designed for both sides of the assessment relationship: the organizations being assessed and the assessors conducting the evaluation.
Use the ERL to understand exactly what evidence artifacts will be expected during assessments. Pre-stage documentation, configurations, and reports so the team is prepared before the assessor arrives, reducing assessment duration and cost.
Use the ERL as the definitive guide for what “reasonable” evidence looks like for each SCF control. Build internal evidence management processes that align with ERL expectations so evidence collection becomes a continuous practice rather than a last-minute scramble.
Use the ERL as the standardized evidence request for SCF-based and CDPAS-governed assessments. The ERL eliminates the need to create custom evidence request lists for each engagement, ensuring consistency across assessments and clients.
Use the ERL as a benchmark for internal audit evidence expectations. Even for non-SCF assessments, the ERL provides a practical reference for what “reasonable” documentation standards look like across cybersecurity and privacy control domains.
Use the ERL to define evidence expectations for vendor assessments. Rather than creating ad-hoc vendor questionnaires, use the ERL’s standardized evidence list to evaluate third-party control implementation consistently across the vendor portfolio.
Use the ERL to identify the evidence artifacts needed to demonstrate compliance with privacy-related SCF controls (PRI domain). The same structured evidence approach that applies to cybersecurity controls applies equally to data protection requirements.
The ERL is the evidence layer that connects the entire SCF assessment ecosystem. It defines what proof is needed at every stage of the assessment process.
The CDPAS references the ERL in Standards 4.4 (Defined Evidence Request List) and uses it in the evidence planning and collection phases. The ERL is the operational evidence guide that assessors follow during a CDPAS-governed assessment.
The ERL evidence artifacts provide the basis for SCR-CMM maturity scoring. An assessor cannot assign a CMM score without reviewing the evidence defined in the ERL. The maturity level is determined by the quality and completeness of the evidence provided.
The USG defines what is in scope for the assessment. The ERL then defines what evidence must be collected for each in-scope control. The USG scopes the assessment boundary, and the ERL operationalizes the evidence collection within that boundary.
The SCR-RMM’s conformity assessment step (Step 10) relies on the ERL to define the evidence examined during the controls gap assessment. ERL evidence quality directly informs the risk exposure calculations in the RMM.
The ERL is a tab within the SCF spreadsheet, directly mapped to the 1,400+ controls in the SCF catalog. Every evidence artifact references the specific SCF control it supports. There is no evidence without a control, and no control without expected evidence.
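The ERL tab structure described above (control identifier, artifact ID such as E-GOV-03, area of focus, evidence types) and the coverage principle that every in-scope control has defined evidence and every artifact maps to a control can be checked mechanically once the tab is exported. The script below is an added example, not SCF material or part of the SCF download: the row layout, the control identifiers, the area-of-focus labels and the in-scope control set are all constructed for illustration and do not reproduce the real ERL tab’s columns or content. It flags in-scope controls that have no ERL artifact, artifacts that map to no control, and produces the pre-staging checklist an organization would work through before assessor time begins.

```python
"""Coverage check of an Evidence Request List (ERL) against an assessment scope.

Added example, not SCF material. Row layout and every identifier below are
constructed for illustration; the real ERL tab's columns are not reproduced.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ErlRow:
    artifact_id: str        # artifact ID in the E-XXX-NN format the page shows
    control_ids: tuple      # SCF control identifiers the artifact supports
    area_of_focus: str      # e.g. asset management, business continuity
    evidence_types: tuple   # policy, standard, procedure, configuration, ...


# Constructed sample rows (hypothetical, not the real ERL content)
SAMPLE_ERL = [
    ErlRow("E-GOV-01", ("GOV-01",), "Governance", ("policy", "standard")),
    ErlRow("E-GOV-03", ("GOV-03", "GOV-03.1"), "Governance", ("procedure", "report")),
    ErlRow("E-AST-01", ("AST-01",), "Asset management", ("configuration", "screenshot")),
    ErlRow("E-BCD-01", ("BCD-01",), "Business continuity", ("policy", "report")),
    # Deliberately broken row: an artifact with no control mapping
    ErlRow("E-ORPHAN-01", (), "Unmapped", ("log",)),
]

# Constructed in-scope control set (what the USG would define for an assessment)
SAMPLE_SCOPE = {"GOV-01", "GOV-03", "GOV-03.1", "AST-01", "AST-02", "BCD-01"}


def coverage_report(erl, scope):
    """Return (uncovered_controls, orphan_artifacts, expectations).

    uncovered_controls: in-scope controls with no ERL artifact defined.
    orphan_artifacts:   artifacts that map to no control at all.
    expectations:       in-scope control -> artifact IDs to pre-stage for it.
    """
    expectations = defaultdict(list)
    orphans = []
    for row in erl:
        if not row.control_ids:
            orphans.append(row.artifact_id)
            continue
        for cid in row.control_ids:
            if cid in scope:
                expectations[cid].append(row.artifact_id)
    uncovered = sorted(c for c in scope if c not in expectations)
    return uncovered, sorted(orphans), dict(expectations)


def staging_checklist(erl, scope):
    """Flatten the in-scope ERL rows into a checklist grouped by area of focus."""
    checklist = defaultdict(list)
    for row in erl:
        if any(c in scope for c in row.control_ids):
            checklist[row.area_of_focus].append(
                (row.artifact_id, ", ".join(row.evidence_types)))
    return {area: sorted(items) for area, items in checklist.items()}


if __name__ == "__main__":
    uncovered, orphans, expectations = coverage_report(SAMPLE_ERL, SAMPLE_SCOPE)
    print("In-scope controls with no defined evidence:", uncovered)
    print("Artifacts mapped to no control:", orphans)
    for area, items in staging_checklist(SAMPLE_ERL, SAMPLE_SCOPE).items():
        print(area)
        for artifact_id, types in items:
            print(f"  {artifact_id}: {types}")
```

Running it against the constructed rows reports AST-02 as an in-scope control with no evidence expectation and E-ORPHAN-01 as an artifact with no control, which are exactly the two gaps the ERL’s one-to-one mapping is meant to rule out; the remaining rows become the staging checklist handed to the organization before the assessment.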
The ERL is utilized as part of the SCF Conformity Assessment Program (CAP) to identify reasonably-expected artifacts and evidence. Organizations pursuing SCF-CAP certification use the ERL as their primary evidence preparation and collection guide.
The ERL plays a role at every stage of the assessment lifecycle, from pre-assessment planning through post-assessment remediation tracking.
The assessor provides the ERL to the organization before the assessment begins. The organization reviews the evidence expectations for each in-scope control and begins accumulating artifacts.
The organization stages evidence according to the ERL requirements. The assessor reviews submitted evidence against the ERL, conducts interviews for inquiry-based items, and documents any evidence gaps.
The assessor validates that submitted evidence adequately supports each control. ERL evidence quality informs CMM scoring and feeds into the overall assessment findings and Report on Conformity (ROC).
Evidence gaps identified during the ERL review are documented as findings. The organization develops remediation plans to close gaps and uses the ERL to track what evidence must be produced for re-assessment.