Secure Controls Framework
Download The SCF

Compliance (CPL)

Domain Principle

Govern security, compliance and data protection obligations to maintain defensible evidence of conformity with applicable internal and external requirements.

Domain Intent

Organizations identify, interpret, implement and maintain evidence of conformity with applicable statutory, regulatory, contractual and internal obligations to demonstrate due diligence and due care.

Domain Guide

The CPL domain is narrower than it sounds. It is not about security generally; it is specifically about identifying, interpreting and maintaining evidence of conformity with statutory, regulatory, contractual and internal obligations. The distinction matters because compliance requirements are often prescriptive in ways that general security controls are not and because compliance failures carry legal consequences that security failures may not.

 

The SCF's intent for CPL is to frame due diligence and due care. Those legal standards require not just implementing controls but documenting that you implemented them intentionally, for defensible reasons and with ongoing attention to whether requirements have changed. A security control that exists but lacks evidence of operation fails a compliance audit even if it is technically functioning.

 

Organizations often underestimate the interpretive work CPL requires. Regulatory language is frequently ambiguous, overlapping and subject to guidance documents that post-date the regulations themselves. CPL is a distinct domain because interpreting and tracking applicable obligations is a professional discipline, not a task that security engineers do automatically by implementing technical controls.