The Secure Controls Framework® (SCF) makes compliance a natural byproduct of secure and resilient practices.
It is the world's most comprehensive cybersecurity and data privacy metaframework. With 1,400+ controls across 33 domains and mappings to 200+ laws, regulations, and frameworks, the SCF is the single source of truth for building a secure, compliant, and resilient organization.
If you are unfamiliar with the SCF, please download the START HERE GUIDE to gain a solid understanding of what the SCF is and how to use it. The SCF focuses on internal controls, which are security, compliance and resilience-related policies, standards, procedures, technologies, and processes designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected, and corrected.
In simple terms, the SCF is a metaframework (i.e., a “framework of frameworks”) that distills 200+ cybersecurity and data privacy laws, regulations, and frameworks into a single unified control catalog. Instead of maintaining separate control sets for HIPAA, SOC 2, ISO 27001, NIST CSF, and PCI DSS, organizations use an SCF-based Living Control Set (LCS) that satisfies all of them simultaneously and that can change and scale as business processes and requirements evolve.
Common Controls Framework™ (CCF)
The SCF currently holds the rights to the Common Controls Framework™ trademark. The domains commoncontrolsframework.com and common-controls-framework.com both redirect to the SCF. This distinction is unique among cybersecurity frameworks and supports the claim that the SCF is THE common controls framework.
The SCF is best viewed as a long-term tool. It not only helps with compliance-related efforts, but also ensures that security, compliance and resilience principles are properly designed, implemented, and maintained.
The SCF helps implement a holistic approach to protecting the Confidentiality, Integrity, Availability, and Safety (CIAS) of your data, systems, applications, and processes. The approach looks at the following spheres of influence to identify applicable controls:
It is best to visualize the SCF as a buffet of 1,400+ cybersecurity and privacy controls. Once you know your applicable requirements, you select the controls that are right-sized for your organization. Every organization has unique needs, so the expectation is each organization using the SCF tailors its controls for its specific requirements.

Understanding what the SCF does and does not do is essential to using it effectively. There is no sales pitch: the SCF is free. But it is not a magic bullet either. To understand where it fits, we strongly encourage everyone to read the SCF Overview and Instructions.
Metaframework
For organizations with three or more compliance requirements (e.g., NIST CSF + ISO 27001 + HIPAA + SOC 2 + PCI DSS), the SCF is an extraordinarily efficient solution: one well-worded control addresses multiple requirements simultaneously, because, for example, the same password requirement appears in dozens of laws and frameworks.
Cybersecurity is a protracted war on an asymmetric battlefield. As defenders, we have to work together, since we all suffer when massive data breaches occur or when cyber attacks have physical impacts.
The SCF was created to help organizations do better with their cybersecurity practices. Hackers share attack methods freely. Why shouldn't defenders share defense methods? The SCF was built by volunteers who believe that better security practices benefit everyone.
The SCF went live in 2018 and has grown to worldwide adoption where it is used by some of the largest corporations and governments globally. Its volunteers include auditors, engineers, architects, incident responders, consultants, and GRC specialists who donate their expertise because the security community wins when every organization has access to world-class controls guidance.

Free To Use
There is no financial incentive to push the SCF on anyone, since it is completely free. The SCF Council exists purely because improving the security posture of organizations everywhere benefits society as a whole.
Where the SCF sets itself apart from every other metaframework is the depth of supporting content included, all for free.
Each control includes maturity criteria via the SCR-CMM, defining what “right” looks like at each maturity level. This spans from basic documentation through optimized, automated controls.
Not all controls carry equal risk weight. The SCF includes proposed control weightings to help prioritize remediation and resource allocation, which are critical in risk management decisions.
Risks are mapped directly to SCF controls. The SCR-RMM describes how policies, standards, procedures, metrics, threats, and risks all connect through controls as the central nexus.
Threats are mapped to controls for threat-informed defense. Understanding which threats each control addresses helps right-size security investment based on your actual threat landscape.
The SCF is updated on a quarterly cadence as laws change, frameworks publish new versions, and emerging threats demand new controls. It evolves so your program stays current without heroic effort.
Import the entire SCF into your GRC platform via CSV or NIST OSCAL JSON. It is natively supported by dozens of enterprise GRC tools globally, with no proprietary lock-in.
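Because the same catalog can be ingested from either a CSV export or an OSCAL catalog, a practitioner importing it into a GRC tool will want to confirm the two sources agree before trusting either. The following is an added example, not SCF or NIST code: it loads a small constructed catalog from both formats into one normalized shape and reconciles them. The CSV column names, the control IDs and the descriptions are hypothetical sample data; the JSON follows the general shape of the OSCAL catalog model (catalog, groups, controls, parts with a "statement" prose part, and nested controls for enhancements), not the layout of the actual SCF export.

```python
"""Load a controls catalog from CSV and from an OSCAL-shaped JSON catalog, then reconcile them.

Added illustrative example. Column names, control IDs and text are constructed sample data.
"""
import csv
import io
import json
from typing import Dict, Iterable, List

# Constructed CSV export (hypothetical column names).
SAMPLE_CSV = """\
SCF Domain,SCF #,Control Title,Control Description
Cryptographic Protections,CRY-01,Use of Cryptographic Controls,Mechanisms exist to facilitate the implementation of cryptographic protections.
Identification & Authentication,IAC-10,Authenticator Management,Mechanisms exist to securely manage authenticators.
"""

# Constructed catalog in the shape of the OSCAL catalog model. IAC-10.1 is nested under IAC-10,
# the way OSCAL represents control enhancements, so a flat walk would miss it.
SAMPLE_OSCAL = json.loads("""
{"catalog": {
  "uuid": "00000000-0000-4000-8000-000000000000",
  "metadata": {"title": "Sample catalog", "version": "sample"},
  "groups": [
    {"id": "cry", "title": "Cryptographic Protections",
     "controls": [
       {"id": "CRY-01", "title": "Use of Cryptographic Controls",
        "parts": [{"name": "statement",
                   "prose": "Mechanisms exist to facilitate the implementation of cryptographic protections."}]}]},
    {"id": "iac", "title": "Identification & Authentication",
     "controls": [
       {"id": "IAC-10", "title": "Authenticator Management",
        "parts": [{"name": "statement", "prose": "Mechanisms exist to securely manage authenticators."}],
        "controls": [
          {"id": "IAC-10.1", "title": "Password-Based Authentication",
           "parts": [{"name": "statement",
                      "prose": "Mechanisms exist to enforce complexity, length and lifespan considerations."}]}]}]}
  ]}}
""")

Catalog = Dict[str, Dict[str, str]]


def load_csv(text: str) -> Catalog:
    """Normalize a CSV export into {control_id: {domain, title, description}}; reject duplicate IDs."""
    out: Catalog = {}
    for row in csv.DictReader(io.StringIO(text)):
        cid = row["SCF #"].strip()
        if cid in out:
            raise ValueError(f"duplicate control id in CSV: {cid}")
        out[cid] = {
            "domain": row["SCF Domain"].strip(),
            "title": row["Control Title"].strip(),
            "description": row["Control Description"].strip(),
        }
    return out


def _walk_controls(controls: Iterable[dict], domain: str, out: Catalog) -> None:
    """Recurse through OSCAL controls, including nested enhancement controls."""
    for ctl in controls:
        statement = next((p.get("prose", "") for p in ctl.get("parts", [])
                          if p.get("name") == "statement"), "")
        cid = ctl["id"].strip()
        if cid in out:
            raise ValueError(f"duplicate control id in OSCAL catalog: {cid}")
        out[cid] = {"domain": domain, "title": ctl.get("title", "").strip(),
                    "description": statement.strip()}
        _walk_controls(ctl.get("controls", []), domain, out)


def load_oscal(doc: dict) -> Catalog:
    """Normalize an OSCAL-shaped catalog into the same {control_id: {...}} form as load_csv."""
    out: Catalog = {}
    for group in doc["catalog"].get("groups", []):
        _walk_controls(group.get("controls", []), group.get("title", "").strip(), out)
    return out


def reconcile(a: Catalog, b: Catalog) -> Dict[str, List[str]]:
    """Report IDs present in only one source and IDs whose normalized fields differ."""
    shared = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "mismatched": sorted(cid for cid in shared if a[cid] != b[cid]),
    }


if __name__ == "__main__":
    report = reconcile(load_csv(SAMPLE_CSV), load_oscal(SAMPLE_OSCAL))
    for key, ids in report.items():
        print(f"{key}: {ids}")
```

Run against the sample data, the report shows that the CSV is missing IAC-10.1, which the recursive OSCAL walk picks up from the nested control; a non-recursive loader would have reported the two sources as identical.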
We want companies to be secure, compliant and resilient! Those are not just words, since we put a significant amount of time and energy into developing the Security, Compliance & Resilience Management System (SCRMS) that is a must-read for any CISO or GRC Director. The SCF can serve as a foundational component for your company to build secure, compliant and resilient capabilities that are able to withstand external scrutiny (e.g., regulators, class action lawsuits, insurers, etc.).
The SCF developed the SCRMS, which is a comprehensive implementation system that treats controls as the central nexus of cybersecurity and data privacy operations. Unlike traditional GRC, which is often process-centric, the SCRMS is controls-centric. In the SCRMS, controls are viewed as the nexus, or central pivoting point, for an organization’s cybersecurity program. Not just policies and standards map to controls, but procedures, metrics, threats, and risks as well. This ties everything together into a cohesive, operationalizable framework that any CISO or GRC Director can implement.

Understanding the difference between Minimum Compliance Requirements and Discretionary Security Requirements is critical to building a mature GRC program. Compliant ≠ Secure.
Minimum Compliance Requirements (MCR): Controls that represent the minimum bar required by external obligations, including laws, regulations, and contracts. These are non-negotiable; not implementing them creates legal or contractual exposure.
Discretionary Security Requirements (DSR): Controls selected based on the organization's own risk appetite and judgment. These go beyond the minimum and represent best-practice enhancements driven by internal risk management.
Why This Distinction Matters for Risk Management
Without clearly defining MCR and DSR thresholds, an organization’s cybersecurity program lacks anchoring to clear requirements. Clarifying the difference between “compliant” (MCR) and “secure” (MCR + DSR) is what elevates risk management discussions from checkbox compliance to genuine risk reduction. The SCF maps every MCR and DSR to specific controls across all 33 domains.
The SCF implements the PDCA (Plan-Do-Check-Act) cycle as the foundational approach to building and operating a cybersecurity program. Each phase maps directly to the SCRMS and the SCF control structure.
Plan: Define scope, applicable laws/regs/frameworks, and risk appetite. Identify MCR and DSR. Select applicable SCF controls. Build your Minimum Security Requirements (MSR) blueprint.
Do: Implement selected controls. Publish policies, standards, and procedures. Assign stakeholder accountability. Leverage the SCRMS as a “paint by numbers” implementation guide.
Check: Assess control effectiveness via the SCF Conformity Assessment Program (SCF-CAP). Measure maturity using the SCR-CMM. Monitor using the built-in risk and threat catalogs.
Act: Remediate gaps from the Check phase. Update controls as laws change via the Living Control Set. Continuously improve. Prove compliance to regulators, auditors, insurers, and customers.
The SCF is built on the principle that security and privacy must be “baked in” and not bolted on. Two complementary design philosophies underpin the entire framework.
Security by Design means security is addressed at the strategic, operational, and tactical levels. It is built into the design of systems, processes, and products from the start rather than applied as an afterthought. The SCF’s 33-domain structure enforces SbD by providing controls at every layer of the organization, from governance (GOV) through technical controls (NET, IAC, CRY) and operations (IRO, MON, VPM). Requirements originate from statutory law, regulatory agencies, contractual obligations, and industry best practices. The SCF distills all of these into a single, consistent security design language usable by teams at any scale.
Privacy by Design is the principle that privacy must be proactively embedded into the design of IT systems, business practices, and physical infrastructure, not added on but built in as the default state. The SCF’s Privacy (PRI) domain contains 40+ controls aligned to GDPR, CCPA/CPRA, PIPEDA, and global privacy regulations, covering DSARs, PIAs, DPIAs, consent management, and more. The SCF treats cybersecurity and privacy as inseparable: both are necessary conditions of a mature, defensible program that can withstand external scrutiny from regulators and auditors. The SCF distills all of these into a single, consistent privacy design language.
The SCF uses the NIST IR 8477 Set Theory Relationship Mapping (STRM) methodology, which is a transparent, rigorous approach to crosswalking disparate laws, regulations and frameworks.
Unlike frameworks that use subjective “close enough” mapping, the STRM methodology applies set theory concepts (e.g., subset, superset, intersection and equal) to define the precise relationship between any two controls in different frameworks.
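To make the set-theory relationships concrete, the following is an added example, not SCF or NIST code. It models each control as a set of atomic requirement elements (a hypothetical decomposition; real STRM mapping is performed by analysts reading the control text) and classifies the relationship between a focal control and each reference control into the five relationship types NIST IR 8477 uses: equal, subset of, superset of, intersects with, and not related to. The control IDs, framework names and requirement elements are constructed sample data.

```python
"""STRM-style set-theory relationship classification between controls from different frameworks.

Added illustrative example. Decomposing a control into requirement elements is a hypothetical
modelling choice; the IDs and frameworks below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# The five relationship types used by NIST IR 8477 set-theory relationship mapping.
EQUAL = "equal"
SUBSET = "subset of"
SUPERSET = "superset of"
INTERSECTS = "intersects with"
NOT_RELATED = "not related to"

# Reversing the direction of a mapping must produce the inverse relationship.
INVERSE = {EQUAL: EQUAL, SUBSET: SUPERSET, SUPERSET: SUBSET,
           INTERSECTS: INTERSECTS, NOT_RELATED: NOT_RELATED}


@dataclass(frozen=True)
class Control:
    framework: str
    control_id: str
    elements: FrozenSet[str]  # atomic requirements the control imposes (hypothetical decomposition)

    @property
    def ref(self) -> str:
        return f"{self.framework} {self.control_id}"


def strm_relationship(focal: Control, reference: Control) -> str:
    """Return how `focal` relates to `reference`, read as '<focal> is <relationship> <reference>'."""
    a, b = focal.elements, reference.elements
    if not a or not b:
        raise ValueError("a control must impose at least one requirement element")
    if a == b:
        return EQUAL          # both controls demand exactly the same things
    if a < b:
        return SUBSET         # everything the focal control demands is in the reference, which demands more
    if a > b:
        return SUPERSET       # the focal control covers all of the reference and then some
    if a & b:
        return INTERSECTS     # partial overlap: neither side fully satisfies the other
    return NOT_RELATED


def crosswalk(focal: Control, references: Iterable[Control]) -> Dict[str, str]:
    """Map one focal control against a list of reference controls."""
    return {r.ref: strm_relationship(focal, r) for r in references}


def fully_satisfied(focal: Control, references: Iterable[Control]) -> List[str]:
    """Reference controls that the focal control satisfies on its own (equal or superset).

    This is the 'one well-worded control addresses multiple requirements' case; an
    'intersects with' hit is not enough, because part of the reference is left uncovered.
    """
    return [r.ref for r in references if strm_relationship(focal, r) in (EQUAL, SUPERSET)]


def mapping_is_consistent(a: Control, b: Control) -> bool:
    """Check that mapping b against a is the inverse of mapping a against b."""
    return strm_relationship(b, a) == INVERSE[strm_relationship(a, b)]


# Constructed sample: one password control in an organization's Living Control Set,
# mapped against password controls from four hypothetical external frameworks.
E = frozenset
LCS_PASSWORD = Control("LCS", "PWD-1", E({"min_length", "complexity", "reuse_history", "rotation"}))
REFERENCES = [
    Control("Framework-A", "A.1", E({"min_length", "complexity"})),                               # LCS is superset of
    Control("Framework-B", "B.7", E({"min_length", "complexity", "reuse_history", "rotation"})),  # LCS is equal to
    Control("Framework-C", "C.3", E({"rotation", "lockout_threshold"})),                          # LCS intersects with
    Control("Framework-D", "D.9", E({"encryption_at_rest"})),                                     # LCS not related to
]

if __name__ == "__main__":
    for ref, rel in crosswalk(LCS_PASSWORD, REFERENCES).items():
        print(f"{LCS_PASSWORD.ref} is {rel} {ref}")
    print("fully satisfied by LCS PWD-1:", fully_satisfied(LCS_PASSWORD, REFERENCES))
    print("all mappings invert consistently:",
          all(mapping_is_consistent(LCS_PASSWORD, r) for r in REFERENCES))
```

The direction matters: the same pair of controls reads as "superset of" from the LCS side and "subset of" from the reference side, and the consistency check catches a crosswalk whose reverse entries were filled in by hand and got that wrong. Note too that Framework-C's control is only "intersects with", so a lockout requirement would still be an uncovered gap even though the LCS control handles rotation.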
NIST OLIR
The SCF participates in the NIST OLIR (Online Informative Reference) program to provide machine-readable, NIST-registered control crosswalks that are publicly available and independently verifiable.
Now that you understand what the SCF is, dive deeper into each component of the framework.
Learn how to implement the SCF using the Security, Compliance & Resilience Management System, the "how to use the SCF" guide for CISOs and GRC directors.
Explore all 33 SCF domains interactively. Search, filter by category, and understand the principles governing each area of cybersecurity and data privacy.
Understand NIST IR 8477 Set Theory Relationship Mapping, the transparent methodology behind the SCF's crosswalking of 200+ frameworks.
Download the SCF now as an Excel spreadsheet, CSV, or via GitHub. No cost, no friction, no registration required. Start building today.
The SCRMS is the "how-to" guide for implementing the SCF. It provides a structured, Plan-Do-Check-Act cycle for building and maintaining a cybersecurity and privacy program using the SCF as the foundation.