Secure Controls Framework

Governance · Risk · Compliance · Fundamentals

GRC Fundamentals — Governance, Risk & Compliance Explained

Understanding GRC is the foundation of every effective cybersecurity and data privacy program. The Secure Controls Framework (SCF) — the exclusive Common Controls Framework™ (CCF™) — provides the most comprehensive, free, and transparent GRC metaframework available, built by industry-leading volunteer experts.

33 SCF Domains
1,400+ Controls
200+ Laws, Regs & Frameworks
FREE (Creative Commons)


What Is GRC?

Governance, Risk & Compliance — The Foundation of Cybersecurity

GRC is an acronym for Governance, Risk, and Compliance — sometimes written as Governance, Risk Management and Compliance. It serves as the structured basis for an organization’s cybersecurity and data protection practices.

The inside joke in the industry is that GRC also stands for “General Reading & Comprehension” — because one of the most persistent challenges in cybersecurity is professionals failing to thoroughly read the requirements they are tasked with implementing.

At its core, GRC provides the organizational framework to define, implement, measure, and continuously improve cybersecurity controls. The SCF — as the Common Controls Framework™ — provides the most comprehensive GRC control catalog freely available, serving as the bridge between all major laws, regulations, and frameworks through a single integrated control set.

A control is the power to influence or direct behaviors and events.

Controls are your cybersecurity and data privacy program. They define what must be done, who is responsible, and how it is verified — forming the operational backbone of every compliant and secure organization.

The Great Debate

The GRC Chicken vs. Egg: Which Comes First?

A central debate among GRC professionals — does Governance, Risk, or Compliance come first? The SCF provides a clear answer grounded in operational reality.

Step 1: Compliance

Compliance is the logical starting point — it is a fact-finding exercise to identify what statutory, regulatory, and contractual obligations apply to your organization. This defines the non-negotiable baseline: Minimum Compliance Requirements (MCR).

Step 2: Governance

Once MCR and Discretionary Security Requirements (DSR) are defined, Governance operationalizes them through policies, standards, and SOPs. Governance assigns ownership via RASCI and ensures controls are built into administrative, technical, and physical requirements.

Step 3: Risk Management

Risk Management is ongoing throughout the GRC lifecycle — weighing controls, maintaining the risk register, performing assessments, and translating compliance and governance activities into an organization’s current risk posture. It defines acceptable and unacceptable risk thresholds.

The Three-Legged Stool Principle

In an ongoing GRC program, all three functions interact continuously in a “three-legged stool” approach — equal strength and importance for each function. Removing or weakening any leg causes the program to collapse. The SCF’s Integrated Controls Management (ICM) model ensures all three legs remain equally strong through the continuous Plan-Do-Check-Act (PDCA) cycle.

Deep Dive

The Three GRC Functions — Detailed Responsibilities

Function #1: Compliance

The fact-finding function. Identifies every applicable statutory, regulatory, and contractual obligation the organization must satisfy.

• Annual review of applicable laws & regulations
• Maintain a register of compliance requirements
• Educate executive leadership on the cost of non-compliance
• Establish an Internal Audit (IA) function
• Perform pre-production control testing
• Contribute findings to the centralized risk register
• Review policies & standards for compliance alignment

Function #2: Governance

The operationalization function. Develops policies and standards, assigns control ownership, and drives due diligence documentation.

• Develop policies and standards for MCR + DSR
• Assign ownership via RASCI charts
• Develop Standardized Operating Procedures (SOPs)
• Ensure policies reflect actual organizational practices
• Coordinate with control owners and operators
• Maintain evidence of due diligence
• Drive control weighting with Risk Management

Function #3: Risk Management

The continuous assessment function. Maintains the risk register, weights controls, performs assessments, and enforces risk tolerance.

• Assign a risk weight to each cybersecurity control
• Maintain the centralized risk register
• Perform quantitative & qualitative risk assessments
• Define risk tolerance thresholds
• Distinguish compliant vs. secure (MCR vs. MCR+DSR)
• Translate assessment results into risk posture
• Inform investment prioritization decisions

Core Concepts

MCR vs DSR — Compliant vs. Secure

Understanding the difference between Minimum Compliance Requirements and Discretionary Security Requirements is critical to building a mature GRC program. Compliant ≠ Secure.

MCR: Minimum Compliance Requirements

The absolute minimum requirements that must be addressed to comply with applicable laws, regulations, and contracts. MCRs are primarily externally-influenced.

• Driven by industry, government, and regulatory bodies
• Non-negotiable — must be implemented
• Establishes the foundational compliance floor
• Does NOT imply adequacy for security
• Subject to external audit and enforcement
• Defines minimum acceptable practices

DSR: Discretionary Security Requirements

Above and beyond MCR — controls that the organization self-identifies based on risk appetite. DSRs are primarily internally-influenced.

• Driven by internal risk assessments and audits
• Reflects the organization’s risk tolerance
• Where efficiency, automation, and security are enhanced
• Addresses voluntary industry best practices
• Distinguishes truly secure from merely compliant
• Competitive differentiator in risk management

Why This Distinction Matters for Risk Management

Without clearly defining MCR and DSR thresholds, an organization’s cybersecurity program lacks anchoring to clear requirements. Clarifying the difference between “compliant” (MCR) and “secure” (MCR + DSR) is what elevates risk management discussions from checkbox compliance to genuine risk reduction. The SCF as the Common Controls Framework™ maps every MCR and DSR to specific controls across all 33 domains.

Creative Commons — No Cost — No Registration

Start Your GRC Program With the Common Controls Framework™

Download the complete SCF — 1,400+ controls across 33 domains, mapped to 200+ laws, regulations and frameworks. Available in .csv and NIST OSCAL JSON. Free forever.


Licensed under Creative Commons. Volunteer-driven by the SCF Council. Trusted by GRC professionals worldwide.

How To Implement The SCF

Security, Compliance & Resilience Management System (SCRMS)

The SCRMS is a holistic, technology-agnostic framework for designing, implementing and maintaining secure, compliant and resilient capabilities — covering an organization’s People, Processes, Technology, Data and Facilities (PPTDF).

By design, the SCRMS expands upon and modernizes traditional Information Security Management System (ISMS) models. Rather than relying on multiple siloed management systems, the SCRMS offers a broader “security, compliance and resilience ecosystem” mindset designed to provide necessary coverage for applicable risks and threats.

The SCRMS has two fundamental goals: (1) provide the structure for an entity to be secure, compliant and resilient, and (2) generate defensible evidence of due diligence and due care capable of defending the entity’s cybersecurity and data protection practices against legal challenges. Written for CISOs and GRC Directors, the SCRMS is focused on “defensible governance.”

✓ Framework-agnostic — align with NIST CSF, SOC 2, ISO 27001, PCI DSS and more
✓ Three components: the SCF itself, the SCRMS document, and the SCRMS-PIG
✓ Controls-centric Integrated Controls Management (ICM) approach
✓ Defines MCR (must have) and DSR (nice to have) for a tailored control set
✓ PDCA-based governance: Plan, Do, Check & Act cycle

Phase 1: PLAN

Define policies, standards and controls. Establish context by identifying applicable compliance requirements, internal directives and risk profile. Directly influences tools and services the organization purchases.

Phase 2: DO

Implement controls — the “security glue” that makes processes, applications, systems and services secure. Develop procedures (control activities) that operationalize each control. Assign stakeholder accountability.

Phase 3: CHECK

Maintain situational awareness through metrics, analytics, audits and assessments. Monitor control effectiveness and tie results to a longer-term trend analysis that informs leadership decisions.

Phase 4: ACT

Manage risk by addressing real deficiencies and possible threats. Evolve processes to adapt to the changing compliance landscape, technology changes and resource constraints. Feed findings back into planning.

SCRMS Is Not a Framework — It’s Defensible Governance

The SCRMS is not a new compliance framework, not a replacement for NIST or ISO, and not a tool or platform. It is a way to make security decisions defensible and a bridge between executives and practitioners. The companion SCRMS-PIG provides a 30-step prioritized implementation guide for accelerating adoption.

Why SCF?

The Most Comprehensive GRC Metaframework Available

The SCF — the Common Controls Framework™ — is uniquely positioned as the world’s most comprehensive, transparent, and freely available GRC control catalog.

Common Controls Framework™ (CCF™)

The SCF holds exclusive trademark rights to the Common Controls Framework™ designation. The domains common-controls-framework.com and commoncontrolsframework.com both resolve to the SCF.

Living Control Set (LCS)

As a Living Control Set, the SCF is continuously updated by volunteer industry-leading cybersecurity and GRC experts — never stale, never static. Always current with the latest regulatory and threat landscape.

NIST IR 8477 STRM Transparency

The SCF uses Set Theory Relationship Mapping (STRM) per NIST IR 8477 to validate all framework mappings. This provides unprecedented transparency and trust in how the SCF relates to other standards.

GRC Platform Integration

Used by leading GRC platforms worldwide. Importable as .csv or NIST OSCAL-compliant JSON — enabling seamless integration into any GRC tooling ecosystem.

200+ Framework Mappings

A single SCF control implementation satisfies requirements across 200+ laws, regulations, and frameworks simultaneously — the ultimate control economy for compliance-driven organizations.

Free. Always. Creative Commons.

Volunteer-driven by industry-leading experts and released under Creative Commons licensing. No cost. No registration. No vendor lock-in. Pure community value.


GRC Fundamentals Topics

Explore Every GRC Concept

Assurance

The Output of GRC Practices

How GRC functions produce cybersecurity assurance — what due diligence and due care evidence looks like, and how it supports audit and legal defensibility.

Materiality

Cybersecurity Materiality

How to define what is material to your cybersecurity program — which risks, controls, and incidents rise to the level of requiring board-level attention and SEC disclosure.

Structure

Laws vs Regulations vs Frameworks

The critical distinctions between legally enforceable laws, binding regulations, and voluntary frameworks — and how each interacts with your compliance obligations.

Terminology

Word Crimes

Common GRC terminology misuses — Policy vs Standard vs Procedure, Risk vs Threat, Strategy vs Tactics, and Inheritance vs Reciprocity, all clarified.

Trends

Emerging GRC Trends

TPRM & SCRM, integrity requirements, organizational resilience, and the ongoing MSP/MSSP accountability landscape — what’s shaping GRC programs today.

Free Resource

Download the CCF™

The complete Common Controls Framework™ — 1,400+ controls, 200+ mappings, all 33 domains. Free forever under Creative Commons. No registration required.
