Secure Controls Framework

Common Cybersecurity Frameworks

Cybersecurity frameworks are voluntary best-practice guidance, not laws. They do, however, define what the industry treats as "reasonable" security, and they are increasingly required by contract, by regulation, or as a condition of doing business. This page describes what the major frameworks actually are, what they require, and how the SCF Common Controls Framework (CCF™) maps to all of them.

Common Controls Framework™

The SCF is the exclusive, trademarked Common Controls Framework™ (CCF™): a metaframework whose controls are mapped to all major cybersecurity and privacy frameworks at once. An organization that implements the relevant SCF controls addresses the requirements of NIST CSF, ISO 27001, CIS Controls, SOC 2 and 90+ other frameworks from a single unified control set. Note the scope of that claim: the mapping covers control content, not the assurance process. An ISO 27001 certificate, a SOC 2 report or a PCI DSS Report on Compliance still requires the respective accredited certification body, CPA firm or QSA engagement; what the CCF™ removes is the need to build and maintain a separate control set for each framework.

This is the defining advantage of the SCF over any individual framework: instead of choosing one framework, the CCF™ covers all of them, and every crosswalk entry carries a documented Set Theory Relationship Mapping (STRM, the mapping method defined in NIST IR 8477) that records the relationship (equal, subset of, superset of, intersects with, or no relationship) between the SCF control and the external requirement.
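The practical use of an STRM crosswalk is to answer "which external requirements are fully, partially or not at all covered by the SCF controls we have implemented?" The following Python is an added worked example, not the SCF page's content or the SCF's own tooling. The control identifiers follow the real ID formats of the SCF, NIST CSF 2.0, ISO 27001:2022 Annex A and CIS Controls v8, but the crosswalk rows and the relationship assigned to each are constructed for illustration and must not be read as the SCF's published STRM mappings. The coverage rule is the example's own: an implemented SCF control that is equal to or a superset of an external requirement covers it fully; a subset or intersection gives partial coverage; anything else is a gap.

```python
"""Framework-coverage reasoning over an STRM-style crosswalk (added example).

All crosswalk rows below are constructed for illustration. The identifiers use
real ID formats, but the relationships are NOT the SCF's published STRM data.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Rel(str, Enum):
    """NIST IR 8477 set-theory relationship of an SCF control to an external requirement."""
    EQUAL = "equal"
    SUBSET = "subset of"        # SCF control covers only part of the external requirement
    SUPERSET = "superset of"    # SCF control covers the external requirement and more
    INTERSECTS = "intersects with"
    NONE = "no relationship"


@dataclass(frozen=True)
class Mapping:
    scf_control: str   # SCF control ID (focal document)
    framework: str     # external framework name (reference document)
    external_id: str   # external requirement ID
    rel: Rel


# Constructed crosswalk rows (hypothetical relationships, illustrative only).
CROSSWALK = [
    Mapping("GOV-01", "NIST CSF 2.0", "GV.OC-01", Rel.SUPERSET),
    Mapping("GOV-02", "NIST CSF 2.0", "GV.RR-01", Rel.EQUAL),
    Mapping("IAC-20", "NIST CSF 2.0", "PR.AA-05", Rel.INTERSECTS),
    Mapping("IAC-21", "NIST CSF 2.0", "PR.AA-05", Rel.SUBSET),
    Mapping("GOV-01", "ISO 27001:2022", "A.5.1", Rel.EQUAL),
    Mapping("IAC-20", "ISO 27001:2022", "A.5.15", Rel.SUPERSET),
    Mapping("AST-02", "ISO 27001:2022", "A.5.9", Rel.EQUAL),
    Mapping("AST-02", "CIS Controls v8", "1.1", Rel.SUPERSET),
    Mapping("CFG-02", "CIS Controls v8", "4.1", Rel.SUBSET),
]

FULL = {Rel.EQUAL, Rel.SUPERSET}
PARTIAL = {Rel.SUBSET, Rel.INTERSECTS}


def coverage(crosswalk, implemented):
    """Return {framework: {external_id: 'full' | 'partial' | 'gap'}}.

    `implemented` is the set of SCF control IDs the organization has in place.
    Every mapped requirement is seeded as 'gap' first, so requirements whose
    only mapped controls are missing (or 'no relationship') still appear in
    the report instead of silently vanishing.
    """
    result = defaultdict(dict)
    for m in crosswalk:
        reqs = result[m.framework]
        reqs.setdefault(m.external_id, "gap")
        if m.scf_control not in implemented or m.rel is Rel.NONE:
            continue
        if m.rel in FULL:
            reqs[m.external_id] = "full"
        elif m.rel in PARTIAL and reqs[m.external_id] != "full":
            reqs[m.external_id] = "partial"
    return dict(result)


def gaps(cov):
    """Flatten the coverage map into sorted (framework, id, status) rows needing work."""
    return sorted((fw, rid, st) for fw, reqs in cov.items()
                  for rid, st in reqs.items() if st != "full")


def summarize(cov):
    """Count full / partial / gap requirements per framework."""
    out = {}
    for fw, reqs in cov.items():
        counts = {"full": 0, "partial": 0, "gap": 0}
        for st in reqs.values():
            counts[st] += 1
        out[fw] = counts
    return out


if __name__ == "__main__":
    implemented = {"GOV-01", "IAC-20", "AST-02"}   # constructed control inventory
    cov = coverage(CROSSWALK, implemented)
    for fw, counts in summarize(cov).items():
        print(f"{fw}: {counts}")
    for fw, rid, st in gaps(cov):
        print(f"  {st:<7} {fw} {rid}")
```

The "seed as gap first" step is the part worth keeping when you adapt this to a real crosswalk export: a coverage report that only iterates over implemented controls will never list the requirements you have not touched, which are exactly the ones an assessor will ask about. The subset/intersects rule is deliberately conservative; deciding that several subset controls together cover a requirement fully is a judgment call for the control owner, not something the relationship data alone can prove.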

Major Cybersecurity Frameworks

The Most Widely Used Cybersecurity Frameworks

These are the frameworks most commonly required by contracts, cited in regulatory guidance, and used by security teams as program baselines. All of them except HITRUST CSF are mapped in the SCF CCF™ (see the comparison table below).

NIST CSF 2.0

NIST Cybersecurity Framework, Version 2.0 (2024)

Free
Voluntary
All Sectors
Created by
NIST (National Institute of Standards and Technology)
Structure
6 Functions (Govern, Identify, Protect, Detect, Respond, Recover) → Categories → Subcategories
Best for
General-purpose program baseline; widely accepted as the de facto US standard; the usual reference point for regulatory "reasonableness"
Limitation
High-level outcomes, not prescriptive controls — organizations must interpret what "reasonable" implementation looks like
SCF Coverage
100% of NIST CSF subcategories mapped to SCF controls via STRM

NIST SP 800-53

Security and Privacy Controls for Information Systems and Organizations

Free
Federal / High-Rigor
Created by
NIST — the most comprehensive US government control catalog
Structure
20 control families; 1,000+ controls and control enhancements; Low / Moderate / High baselines (defined in the companion SP 800-53B)
Best for
Federal agencies (required by FISMA); FedRAMP cloud authorization; high-security commercial environments
Limitation
Highly prescriptive and comprehensive — significant implementation overhead for non-federal organizations
SCF Coverage
Full NIST SP 800-53 Rev 5 mapped to SCF via STRM

ISO 27001 / 27002

International Standard for Information Security Management

Paid Standard
Certifiable
Global
Created by
ISO / IEC — international standards body
Structure
ISMS requirements (ISO 27001) + implementation guidance (ISO 27002); 93 controls in 4 themes; formal certification via accredited body
Best for
Organizations selling to EU enterprise customers; international supply chains; formal third-party certification needs
Limitation
Certification requires paid auditor; standard text requires purchase; less prescriptive than NIST
SCF Coverage
Full ISO 27001:2022 Annex A mapped to SCF controls

CIS Controls v8

Center for Internet Security Critical Security Controls

Free
Prioritized
Practical
Created by
Center for Internet Security (CIS) — community-developed
Structure
18 Controls; 153 Safeguards; three Implementation Groups (IG1 / IG2 / IG3) selected by the enterprise's risk profile and available resources, with IG1 as the minimum "essential cyber hygiene" set
Best for
Practical, prioritized starting point; SMBs using IG1; technically-oriented security teams; quick wins identification
Limitation
Not comprehensive enough for regulatory compliance on its own; limited privacy and GRC coverage
SCF Coverage
All CIS v8 safeguards mapped to SCF controls

SOC 2

System and Organization Controls (SOC) 2: Trust Services Criteria

Audit Required
B2B / SaaS
US
Created by
AICPA (American Institute of CPAs)
Structure
Trust Services Criteria: Security (the Common Criteria, always required) plus Availability, Confidentiality, Privacy and Processing Integrity (each optional); Type I (design at a point in time) or Type II (design and operating effectiveness over a period) reports
Best for
SaaS and cloud companies; B2B vendor assurance; customer security questionnaire replacement
Limitation
Requires an examination by a licensed CPA firm; significant cost; the report is restricted-use and is normally shared only under NDA
SCF Coverage
All SOC 2 Trust Services Criteria mapped to SCF controls

PCI DSS v4.0

Payment Card Industry Data Security Standard

Free (Standard)
Audit Often Required
Payments
Created by
PCI Security Standards Council (Visa, Mastercard, Amex, Discover, JCB)
Structure
12 principal requirements; 300+ sub-requirements; Cardholder Data Environment (CDE) scoping; validated by Self-Assessment Questionnaire (SAQ) or by a Qualified Security Assessor (QSA) producing a Report on Compliance, depending on merchant or service-provider level
Best for
Any organization accepting, processing, storing, or transmitting payment card data — contractually required by card brands
Limitation
Highly prescriptive; technically complex CDE scoping; not a general security framework — narrow payment card focus
SCF Coverage
All PCI DSS v4.0 requirements mapped to SCF controls

HITRUST CSF

Health Information Trust Alliance Common Security Framework

Subscription Required
Healthcare
Certifiable
Created by
HITRUST Alliance — a healthcare industry consortium
Structure
19 domains; control selection based on risk factors; three assurance levels (e1 / i1 / r2); requires HITRUST-authorized assessor
Best for
Healthcare vendors and covered entities; organizations replacing multiple HIPAA questionnaires with one certification
Limitation
Significant cost (licensing + assessor); complex scoping; primarily US healthcare focus
SCF Coverage
The SCF does not map to HITRUST CSF

Framework Comparison

Major Frameworks — Feature Comparison

How the most common cybersecurity frameworks compare across key features — cost, certifiability, privacy coverage, GRC breadth, and SCF mapping status.

Framework       | Free?                      | Certifiable?                        | Privacy Coverage?         | GRC Coverage? | MCR-Tagged? | Mapped in SCF?
SCF             | Yes                        | Yes (SCF-CAP)                       | Full                      | Full          | Yes         | It is the map
NIST CSF 2.0    | Yes                        | No                                  | Partial                   | Yes           | No          | Yes
NIST SP 800-53  | Yes                        | No (basis for FedRAMP authorization)| Yes                       | Yes           | No          | Yes
ISO 27001/2     | No (paid standard)         | Yes                                 | Via ISO 27701 extension   | Partial       | No          | Yes
CIS Controls v8 | Yes                        | No                                  | No                        | Partial       | No          | Yes
SOC 2           | No (paid audit)            | Yes                                 | Optional (Privacy TSC)    | Partial       | No          | Yes
PCI DSS v4      | Standard free, audit paid  | Yes (QSA / SAQ)                     | No                        | No            | No          | Yes
HITRUST CSF     | No (subscription)          | Yes                                 | Partial                   | Partial       | No          | No

"MCR-Tagged" refers to the SCF's own tagging of Minimum Compliance Requirements (MCR), the controls a statutory, regulatory or contractual obligation makes mandatory, as distinct from Discretionary Security Requirements (DSR). None of the other frameworks in the table carry that distinction natively.

Get Started

One Framework Covers Them All

Download the SCF CCF™ and access all 1,400+ controls with full crosswalk mappings to every mapped framework on this page and 88 more.