Insight On Evolving Practices: Secure Controls Framework (SCF)

Hackers share information on attack methods with other hackers, so why shouldn’t the good guys share information on how to best protect an organization? That concept led a coalition of cybersecurity and privacy experts to take action and make a difference. The result is the Secure Controls Framework (SCF). The SCF is focused on helping companies become and stay compliant with a vast array of cybersecurity and privacy requirements. The glue that ties Governance, Risk and Compliance (GRC) together is a uniform set of controls.

The goal of the SCF is to provide businesses with a free solution that offers cybersecurity and privacy control guidance covering the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin. ZenGRC is in the process of adopting the SCF as a control set that customers will be able to use. Within ZenGRC, the SCF enables companies to use one control set to manage multiple requirements.

Using the SCF to operationalize cybersecurity and privacy requirements involves a simple process of distilling expectations by first identifying the statutory, regulatory and contractual obligations that are applicable to your organization.

Statutory Obligations – These are US state, federal and international laws.

Regulatory Obligations – These are requirements from regulatory bodies or governmental agencies.

Contractual Obligations – These are requirements that are stipulated in contracts, vendor agreements, etc.

Industry-Recognized Leading Practices – These are requirements that are based on an organization’s specific industry.

Knowing these requirements allows an organization to filter the SCF to address only those controls that are applicable.

If you are interested in learning more, please contact us to request a demo or to speak with a GRC expert who can help answer any questions you may have on how the SCF would be applicable to your company.

