
SCF Solution Providers

This page highlights companies that have embraced the SCF as a way to help manage cybersecurity and privacy requirements. These companies range from providing SCF-related documentation, to GRC/IRM platforms, to incident response and other technology solutions.

Premium GRC Content

Premium SCF Content - Policies, Standards, Procedures, Metrics & Other Documentation

[listed in alphabetical order]


  • ComplianceForge is a business accelerator, taking care of the tedious and time-consuming work associated with writing comprehensive cybersecurity documentation to free you up so you can do what you do best. These editable products are meant to address your requirements from strategic concepts all the way down to day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations:

  • To build an audit-ready cybersecurity and privacy program, there is a need to address "the how" for certain topics, such as vulnerability management, risk management, continuity operations, vendor management and incident response. ComplianceForge did the heavy lifting by creating program-level documents to address these needs.

  • You can also leverage this premium content as an add-on to several GRC platforms (e.g., ZenGRC, MyVCMStrike, etc.).


SCF Consultants / Integrators

[listed in alphabetical order]


  • HowToGRC is a cybersecurity firm focused on designing and implementing cost-effective and scalable cybersecurity & privacy programs, based on the Secure Controls Framework (SCF).

  • Extensive experience implementing and tailoring the Secure Controls Framework (SCF), including corresponding "SCF Premium Content" with ComplianceForge's Digital Security Program (DSP) documentation that can augment the SCF.

  • HowToGRC offers the following services:

    • Governance, Risk & Compliance (GRC) platform integration.

    • Developing a tailored cybersecurity program.

    • Capability maturity assessments. 



  • SecurityWaypoint is a specialized cybersecurity consulting company that focuses on the compliance and governance aspects of your cybersecurity and privacy needs.

  • SecurityWaypoint provides vCISO services and can help organizations implement an SCF-based cybersecurity & privacy program.

  • Extensive experience implementing and tailoring the Secure Controls Framework (SCF), including corresponding "SCF Premium Content" with ComplianceForge's Digital Security Program (DSP) documentation that can augment the SCF.

  • SecurityWaypoint offers the following services:

    • Secure Controls Framework (SCF) consulting.

    • NIST 800-171 / CMMC Gap Assessments utilizing the Secure Controls Framework (SCF).

    • Cybersecurity business planning services (CISO-level business plan).

    • Risk assessments.

    • System Security Plan (SSP) & Plan of Action & Milestones (POA&M) development. 




Governance, Risk & Compliance (GRC) & Integrated Risk Management (IRM) Platforms

[listed in alphabetical order]


  • ControlMap, with its compliance automation platform, is on a mission to reduce the stress associated with everyday cybersecurity compliance operations and activities.

  • Automation is backed by a robust operations platform that allows teams to assess the maturity of cybersecurity frameworks such as SCF, NIST CSF, etc., effortlessly.

  • Provides a fast path to success for audits such as SOC 2, ISO 27001, and other audit programs.

  • Ability to assess maturity, implement controls & track evidence collection, etc., centrally.


Ignyte Assurance Platform


  • Ignyte Assurance Platform is a leader in collaborative security and integrated GRC solutions for global corporations. For corporate risk and compliance officers who depend heavily on the protection of their resources, Ignyte is the ultimate translation engine for simplifying compliance across regulations, standards and guidelines.

  • The Ignyte platform is used by leading corporations in diverse industries, such as Healthcare, Defense, and Technology.

  • Ignyte operationalizes compliance for many organizations through the use of the SCF controls and can be used to facilitate an SCF Certification, based on the SCF Information Assurance Program (IAP):

    • The IAP program leverages the SCF controls and is designed to help organizations quickly get up to speed on completing information assurance tasks; and

    • Ignyte helps organizations scale these tasks to make audit-preparation and audits much more efficient.

GRC IRM Platform


  • LogicGate utilizes the SCF to define how we map controls between the standards and regulations which are included as part of our core content repository.

  • LogicGate's flexible data mapping capabilities allow users to easily view relationships between these controls, as well as between other critical data objects, such as risks, assessments, evidence, policies, and assets. Through these relationships, risk teams can perform an assessment on one control framework and then easily determine the compliance status of a mapped control framework, helping to reduce the amount of time and effort spent by teams needing to ask for the same evidence or attestations over time.

  • The database technology that LogicGate is built on also enables organizations to easily adjust relationships between controls and other items as regulatory requirements and standards change.





  • Ostendio is a cloud-based GRC/IRM platform that leverages the Secure Controls Framework and connects your data and evidence to the requirements of every framework.

  • Ostendio enables organizations to: 

    • Understand the requirements for building their security and risk management program

    • Operationalize their security program across every member of the organization and extended third-party vendors and suppliers

    • Simplify the demonstration of compliance across over 100 laws, regulations, and industry standards, ensuring an always audit-ready security posture 

  • Ostendio fully integrates the SCF's controls and enables organizations to easily align their security program operations against over 100 security and privacy frameworks by mapping the controls necessary for any additional standard or regulation. 

  • Functionality to operationalize all security and compliance activities:

    • Risk Management: Assign, manage, and report risk at discrete levels

    • Document Management: Store, access, and track utilization and versioning

    • 3rd-Party Risk Management: Send, complete, review, and store all vendor documents without leaving the platform

    • Asset Management: Manage and track compliance and risk of each asset

    • Employee Training: Manage and execute security training enterprise-wide, including access to KnowBe4

    • Audit Management: Automate workflows, tasks, and actions.

    • Organizational, departmental, and individual dashboard reporting, automated workflow management, and integration with some of the world’s leading platforms including OneLogin, Microsoft and Google. 



  • ProcessUnity Cybersecurity Program Management (CPM) enables organizations to reduce and manage cybersecurity threats and risks across applications, systems, facilities and third parties.

  • The solution enables the CISO to inventory and assess high-value assets; map them to threats, risks, policies and control standards; automate reviews; and capture evidence of compliance — all on a predefined schedule.

  • ProcessUnity CPM leverages a pre-built meta-model based on the Secure Controls Framework (SCF) mapped to the most common security frameworks, including NIST Cybersecurity Framework (CSF), NIST 800-53 and ISO 27002.


Reciprocity (ZenGRC)



  • Reciprocity's ZenGRC is a cloud-based GRC/IRM platform that utilizes the SCF as an available set of cybersecurity and privacy controls.

  • ZenGRC is an easy-to-use, enterprise-grade GRC/IRM solution for compliance and risk management that offers businesses efficient control tracking, testing, and enforcement.

  • ZenGRC streamlines control management to provide tangible value because it speeds up audit and vendor management tracking and consolidates risk mitigation tasks.

  • Clients can be up and running in as little as 6-8 weeks, saving time for compliance teams to focus on security work while saving time on mundane implementation tasks.



  • SimpleRisk is a free and open source GRC tool that leverages the SCF, giving our customers what they've been asking for - an easy way to load up and utilize controls for various compliance frameworks. 

  • The SCF is a free downloadable "extra" within SimpleRisk.  Customers can go to the Configure > Register & Upgrade menu in any registered SimpleRisk instance and click "Download" to download and then install the SCF in that instance. 

  • Within SimpleRisk, clients are presented with a list of the frameworks represented with the SCF and the option to select which ones apply to their organization.  Applicable controls are automatically imported into the Governance functionality of SimpleRisk with mappings to their associated frameworks.  From there, customers can document exceptions, perform testing, and use the controls to plan mitigations for their risks.

+44 (0) 208 012 8544


  • Out-of-the-box, SureCloud contains SCF content - controls, control questions and SP-CMMC criteria.

  • SureCloud is a SaaS GRC/IRM solution that is both simple enough to satisfy the needs of novice GRC users and powerful enough for an experienced risk practitioner.

  • This solution utilizes a wizard-driven interface for selecting and updating control sets quickly when regulations or standards change (e.g., update to the SCF).

  • SureCloud is recognized on two Gartner Magic Quadrants: Integrated Risk Management and IT Vendor Risk Management



  • Is the Internal Control System (ICS) with "everything under one roof" – Data Privacy, Cyber Security, ISMS, Business Continuity, Governance, Risk- and Compliance Management.

  • Collaboration of all levels and roles of the organization "From ports to boards".

  • Licensing model involves all employees, including externals.

  • Full transparency ensuring “need to know”.

  • Fast Track onboarding.

  • Fully configurable, content and industry neutral – just upload new standards.

  • Design Award CISO Alliance Germany 2019

+41 78 881 70 04
