Controls are your cybersecurity & data privacy program

A control is the power to influence or direct behaviors and the course of events.

SCF Organizations Seeking Certification (OSC)

The Secure Controls Framework Conformity Assessment Program (SCF CAP) is an organization-level conformity assessment. The SCF CAP is designed to utilize tailored cybersecurity and privacy controls that specifically address the applicable statutory, regulatory and contractual obligations an Organization Seeking Certification (OSC) is required to comply with. By using the metaframework nature of the SCF, an OSC is able to perform a single conformity assessment that spans multiple cybersecurity and privacy-specific laws, regulations and frameworks.

Earning a SCF Certified™ designation is meant to signify an accomplishment, rather than be viewed as a “participation ribbon” that has little practical value for the OSC, or for stakeholders in the OSC’s supply chain trying to understand the OSC’s security posture. The SCF CAP is focused on using the SCF as the control set to provide a company-level certification. While the SCF CAP shares some similarities with other existing, single-focus certifications (e.g., ISO 27001, CMMC, FedRAMP, etc.), the SCF CAP is unique in its metaframework approach to covering cybersecurity and data protection requirements that span multiple laws, regulations and frameworks.

SCF Conformity Assessment Program (SCF CAP)

The SCF CAP is designed for cybersecurity & privacy practitioners by cybersecurity & privacy practitioners. This concept is based on the need within the industry for a tailored conformity assessment solution that is capable of addressing several key considerations:

  • View compliance as a natural by-product of secure practices;
  • Scale to address multifaceted operational requirements (e.g., laws, regulations and frameworks);
  • Acknowledge the stated risk tolerance of the OSC since not all organizations have the same risk tolerance;
  • Minimize the risk of “gaming” the certification process that provides no useful insights into the security posture of the OSC;
  • Utilize technology to make the assessment process more efficient to drive down labor-related assessment costs; and
  • Leverage existing industry recognized practices, where possible.

Who Is The SCF-AB?

The Secure Controls Framework Accreditation Body (SCF-AB) is a US-based, for-profit company that the Secure Controls Framework Council authorizes to operate an organization-level cybersecurity and privacy-specific conformity assessment process. The SCF-AB is governed by a board of advisors, consisting of recognized Subject Matter Experts (SMEs) within the cybersecurity and privacy industries.

Why Is There Another Certification?

Regardless of the industry, there is a definitive need for a third-party verified certification that assesses tailored cybersecurity and privacy controls that could impact the OSC and its supply chain stakeholders. The SCF CAP was designed to deliver an organization-level certification that is industry-recognized, earned through a qualified third-party assessor’s review of supporting evidence of a control’s effectiveness.

As cybersecurity and data protection operations are multi-faceted, the SCF CAP is designed to ensure that assessed controls reflect the real-world requirements faced by the OSC from a statutory, regulatory and contractual perspective. An assessment that only covers a part of an OSC’s cybersecurity and privacy program results in an inaccurate and incomplete report on the OSC’s overall security posture, providing a false sense of security to the OSC.

How Long Is An OSC’s SCF Certification Valid?

SCF Certification is valid for two (2) years from the date the OSC earns the SCF Certified™ designation, with the requirement for annual passing self-attestation through a First Party Declaration (1PD) to maintain the SCF Certified™ designation.

To become SCF Certified™, an OSC must successfully demonstrate appropriate evidence to a SCF Assessor who works for a Third-Party Assessment Organization (3PAO). Only a 3PAO can issue the SCF Certified™ designation to an OSC. You can find listings for 3PAOs, SCF Assessors and SCF-knowledgeable consultants on the SCF Marketplace.

Where Do I Go To Get Started?

To get started, read this document to understand the SCF CAP and its supporting processes.

You can locate SCF-AB accredited 3PAOs on the SCF Marketplace website. Prior to working with a 3PAO, the OSC is required to perform its own First-Party Declaration (1PD), attesting that it has performed its own internal assessment. Assuming the OSC has appropriate evidence to support its 1PD, it is eligible to engage a 3PAO for a third-party assessment. This is designed to manage expectations, so that an OSC goes into a SCF assessment with a solid understanding of its control strength and of the evidence available to support its 1PD claims.

SCF CAP Process Flow Diagram

The graphic below shows a high-level process flow of the SCF CAP.