Secure Controls Framework

Cybersecurity ESG Considerations

The SCF added ESG-specific controls to identify potentially harmful compliance requirements with life-changing implications — particularly those arising from hostile nations and oppressive regimes — and to elevate those decisions to executive leadership where they belong.

3 ESG pillars · 4 dedicated controls · executive decision escalation · anti-virtue-signaling

Framework Context

What Is Environmental, Social & Governance (ESG)?

ESG is a concept that covers how an organization impacts the natural world, how it manages its stakeholder relationships, and how its executive leadership governs the organization. It is also easily abused.

ESG is only as good as the executive leadership team that enforces those self-imposed mandates. Any critical review of an ESG program should evaluate its exceptions management practices to determine whether ESG is merely “virtue signaling” used to promote the organization for fraudulent marketing purposes, or whether the organization is willing to operationalize difficult decisions that could cost it profits in the pursuit of being a good corporate citizen. The SCF Council is fundamentally against ESG virtue signaling, since it offers no benefit to society in any form.


Environmental

How an entity impacts the natural world — energy consumption and efficiency, carbon footprint, waste management, pollution, and other environmental factors.


Social

How an entity manages relationships with stakeholders including employees, customers, local communities, and vendors — covering labor practices, human rights, diversity, inclusion, health and safety, and community engagement.


Governance

How an entity is led and managed by executive leadership — executive compensation, shareholder rights, board structure, ethical business practices, transparency, and accountability.

SCF Controls

Cybersecurity Controls to Address ESG Practices

The SCF added ESG-specific controls to identify compliance requirements that stem from the laws or regulations of a hostile nation or oppressive regime and whose fulfilment could have profound, life-changing implications.

The goal of these ESG-specific controls is to elevate risk and decision-making away from cybersecurity and data privacy practitioners by directing those issues to the entity’s executive leadership to address the moral and ethical dimensions, since those are business decisions — not technical ones.

GOV-04: Forced Technology Transfer

Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive or regulated information (e.g., Intellectual Property) to the host government for purposes of market access or market management practices.

DCH-26: Data Localization

Mechanisms exist to constrain the impact of “digital sovereignty laws” that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.

CPL-06: Government Surveillance

Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization’s systems, applications, and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.

GOV-13: State-Sponsored Espionage

Mechanisms exist to constrain the host government’s ability to leverage the organization’s technology assets for economic or political espionage and/or cyberwarfare activities.

Why these controls matter: These controls are not about technical implementation — they are about ensuring that when an organization faces a legal or regulatory demand that conflicts with its values, security posture, or obligations to other jurisdictions, that conflict is surfaced to executive leadership and the board rather than being quietly handled at the technical level.

ESG Integrity

Beware of ESG Virtue Signaling

ESG is only meaningful when an organization is genuinely willing to make difficult — and potentially costly — decisions in pursuit of its stated values.

The SCF Council’s position: ESG virtue signaling — promoting an organization’s ESG credentials without the substance to back them up — is disingenuous and offers no benefit to society in any form. Any critical review of an entity’s ESG program should evaluate whether it is genuinely operationalized or merely performative.

❌ Virtue Signaling ESG

Performative ESG that exists primarily for marketing purposes:

  • Purchasing carbon credits to offset rather than reduce manufacturing emissions
  • Selectively enforcing supply chain prohibitions (e.g., ignoring Uyghur forced labor)
  • Publishing ESG reports without verifiable metrics or independent audit
  • Complying with harmful foreign government surveillance demands quietly

✅ Genuine ESG Practice

Substantive ESG that requires real decisions and trade-offs:

  • Choosing the harder right over the easier wrong, even at cost
  • Escalating government surveillance demands to board-level review
  • Enforcing supply chain standards consistently, not selectively
  • Maintaining transparency through independently verifiable reporting

Fraud Magazine has published on concerns about the abuse of ESG principles; the fact that fraudulent ESG practices exist puts the entire concept of ESG on shaky ground. Choosing the harder right over the easier wrong is at the heart of what genuine ESG practice demands.

Decision Framework

ESG as an Executive Decision — Not a Technical One

When cybersecurity practitioners encounter a legal or regulatory requirement that conflicts with the organization’s values, security posture, or obligations to other jurisdictions, that is not a technical decision — it is a business decision that must be escalated.


Escalate to Leadership

SCF ESG controls are designed to surface decisions requiring moral and ethical judgment to C-suite executives and the board — not leave them at the practitioner level.


Balance Competing Obligations

When laws from hostile governments conflict with GDPR, HIPAA, or other obligations, executives must weigh the competing demands and determine which take precedence — a business judgment call.


Document the Decision

Whatever decision is made must be formally documented in the risk register with executive sign-off, creating a clear record that the organization consciously accepted or rejected the obligation.


Address ESG Risks in Your Cybersecurity Program

The SCF provides ESG-specific controls that escalate moral and ethical decisions to executive leadership — where they belong. Download the free SCF and start building an ESG program with substance.