Security & Privacy Metaframework

The SCF focuses on internal controls. These are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.

A control is the power to influence or direct  behaviors and the course of events. That is precisely why the Secure Controls Framework™ (SCF) was developed – we want to influence secure practices within organizations so that both cybersecurity and privacy principles are designed, implemented and managed in an efficient and sustainable manner. The SCF is a metaframework - a framework of frameworks.







The SCF has the ambitious goal of providing FREE cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of its size, industry or country of origin.


Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organization, since every organization has unique requirements.

The approach looks at the following spheres of influence to identify applicable controls:

Statutory Obligations

These are US state, federal and international laws

Regulatory Obligations

These are requirements from regulatory bodies or governmental agencies

Contractual Obligations

These are requirements that are stipulated in contracts, vendor agreements, etc.

Industry-Recognized Leading Practices

These are requirements that are based on an organization’s specific industry.

ComplianceForge - Cybersecurity policies standards procedures and more


The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance - we know that if you build-in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally.

One of the main factors driving the integration of cybersecurity and privacy is the European Union’s General Data Protection Regulation (EU GDPR).


The EU GDPR has three (3) very specific requirements that require significant coordination between privacy and cybersecurity teams to accomplish:

  • Article 5 covers the principles relating to the secure processing of personal data.

  • Article 25 covers data protection by design and by default.

  • Article 35 covers the requirement to perform Data Protection Impact Assessments (DPIAs).

EU GDPR Compliance

CIAS Quadrant

For years, the "CIA Triad" defined the pillars of cybersecurity. Things have changed and it is now the "CIAS Quadrant" that governs the reasons for implementing cybersecurity and privacy controls. These four pillars are Confidentiality, Integrity, Availability and Safety. The SCF can help you implement these four principles of cybersecurity and privacy in your organization!


Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.


Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.


Availability addresses ensuring timely and reliable access to and use of information.


Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.

Designed For A Modern Security Program

Listed below are the thirty-two (32) domains that make up the SCF. There are approximately 750 controls that are categorized within these domains to make it easier to manage. Each domain has a three-letter identifier, which is included in the control name to make it easy to understand what the focus of the control is.

cybersecurity documentation - editable policies standards procedues EU GDPR NIST 800-171

Secure Controls Framework Council, LLC (SCF Council) disclaims any liability whatsoever for the use of this website or the Secure Controls Framework™ (SCF). Use at your own risk.


If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. This website is for educational purposes only and does not render professional services advice - it is not a substitute for dedicated professional services. There is no endorsement of any kind in the company listing of SCF Solution Providers - It is entirely your responsibility to conduct appropriate due care and due diligence in selecting and engaging with a consultant to assist in your implementation of the SCF.

SCF Council does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website, or its contents, is assumed by the user. ​


SCF Council reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

© 2021. Secure Controls Framework Council, LLC


  • White LinkedIn Icon