Secure Controls Framework

Security, Compliance & Resilience Management System

The SCRMS is the SCF’s holistic, technology-agnostic framework for designing, implementing, and maintaining secure, compliant, and resilient capabilities — covering an organization’s People, Processes, Technology, Data, and Facilities, regardless of how or where data is stored, processed, or transmitted.

At a glance:

9 SCRMS Principles
4 PDCA Phases
3 Core Components
PPTDF Coverage Scope

Overview

A Holistic System for Secure, Compliant & Resilient Operations

The SCRMS is not a “one-size-fits-all” playbook. It is designed to be adopted and tailored to the unique size, resources, and risk circumstances of each organization.

The SCRMS expands upon and modernizes traditional Information Security Management System (ISMS) models, replacing siloed “management systems” with a single, unified operational framework that governs cybersecurity, data privacy, risk, and compliance together.

Without an overarching concept of operations for the broader GRC function, organizations find that their governance, risk, compliance, and privacy teams operate in silos — producing unclear roles, duplicated effort, and gaps in coverage. The SCRMS directly solves this.

The SCRMS is designed to be:

Framework-agnostic — leverage NIST CSF 2.0, SOC 2, ISO 27001, NIST 800-171, or any combination
Process-focused — supports the people, processes, and practices that must exist for a cybersecurity program to operate effectively
Strategically designed — addresses strategic, operational, and tactical dimensions simultaneously
Supply-chain aware — addresses both internal controls and Cybersecurity Supply Chain Risk Management (C-SCRM)
Scalable — tailorable from small businesses to large enterprises and government entities
Unified — replaces siloed ISMS, AIMS, PIMS, and other fragmented management systems with one coherent model

SCRMS Goals

What Does It Mean To Be Secure, Compliant & Resilient?

The SCRMS defines specific, actionable meaning for each of its three pillars — going beyond vague aspirations to concrete operational outcomes.

Secure

Being “secure” means the organization has implemented controls proportional to its risk profile across all five PPTDF dimensions. Security is not binary — it is a measurable, risk-based posture that evolves with threats and business context. This includes having defined policies, documented procedures, trained personnel, and verified technical controls that address the organization’s identified threats and vulnerabilities.

Compliant

Being “compliant” means the organization has identified all applicable Minimum Compliance Requirements (MCR) from laws, regulations, and contractual obligations — and can demonstrate adherence through evidence. Compliance is not a checkbox exercise. It requires ongoing monitoring, documentation, and audit readiness across every applicable legal and regulatory jurisdiction where the organization operates.

Resilient

Being “resilient” means the organization can absorb disruption, adapt to adverse events, and recover to normal operations within defined recovery time and point objectives (RTO/RPO). Resilience encompasses business continuity, disaster recovery, incident response readiness, and supply chain resilience — ensuring the organization survives and learns from adverse events.

Who Is the SCRMS For?

The SCRMS is designed for any organization seeking to move beyond ad-hoc security practices to a structured, sustainable, and auditable cybersecurity program.

CISOs & Security Leaders

Establish a defensible, risk-based program with clear governance lines and measurable outcomes.

GRC Professionals

Replace fragmented compliance tracking with a unified, controls-centric approach to risk and compliance management.

Compliance Officers

Map all applicable laws, regulations, and frameworks to a common control set — reducing redundancy and audit fatigue.

IT & DevSecOps Teams

Translate governance requirements into actionable technical controls mapped to actual systems, data, and processes.

How it works

Three Core Components of the SCRMS

The SCRMS is built on three interlocking components that together form a complete implementation system — from the control catalog through to day-to-day operational governance.

Secure Controls Framework (SCF)

The SCF is the foundational control catalog — a comprehensive, open-source library of cybersecurity and data privacy controls covering all 33 domains. The SCF serves as the “what” — defining the specific controls an organization needs to implement.

Controls in the SCF are mapped to 261+ laws, regulations, and frameworks via Set Theory Relationship Mapping (STRM), enabling organizations to satisfy multiple compliance obligations through a single control implementation.


Security, Compliance & Resilience Management System (SCRMS)

The SCRMS is the operational framework — defining “how” an organization builds and runs its cybersecurity program. It provides the governance model, principles, processes, and organizational accountability structures.

The SCRMS operationalizes the SCF control catalog through its nine principles and PDCA lifecycle, ensuring controls are not just selected but actually implemented, monitored, and continuously improved.


SCRMS-PIG: Prioritized Implementation Guide

The SCRMS-PIG is a “how-to-GRC” playbook — a step-by-step guide for prioritizing and sequencing SCRMS implementation based on an organization’s risk profile, maturity level, and compliance obligations.

Rather than leaving organizations to figure out where to start, the PIG provides concrete, sequenced guidance for standing up each component of the SCRMS in a logical order that generates early wins while building toward a mature program.

scope of coverage

People, Processes, Technology, Data & Facilities

The SCRMS is explicitly designed to address cybersecurity and data privacy holistically across all five dimensions of an organization — not just technology.

Most security frameworks focus primarily on technology controls. The SCRMS recognizes that security failures often originate in people (insider threats, training gaps), processes (undefined procedures, poor change management), and facilities (physical access, environmental controls) — not just technology.

People

Training, awareness, hiring, HR security, insider threat, access governance

Processes

Policies, standards, procedures, change management, incident handling

Technology

Systems, networks, endpoints, cloud, applications, tooling, configurations

Data

Classification, handling, retention, privacy, encryption, data governance

Facilities

Physical security, environmental controls, data center access, visitor management

controls-centric mindset

SCRMS: Controls at the Center of Everything

The SCRMS treats controls as the central nexus of cybersecurity and data privacy operations. Unlike traditional GRC, which is often process-centric, the SCRMS is controls-centric — enabling every organizational function to map to a common control language.

must have

Minimum Compliance Requirements (MCR)

MCR defines the non-negotiable, mandatory requirements your organization must implement based on applicable laws, regulations, and contractual obligations. Failure to meet MCR creates legal exposure, regulatory sanctions, or contract breaches.

MCR is your compliance baseline — the floor below which you cannot go without accepting unacceptable legal liability. Every applicable law, regulation, and contractual requirement is analyzed to build your MCR.

Mandatory · Statutory · Regulatory · Contractual

nice to have

Discretionary Security Requirements (DSR)

DSR defines additional security practices an organization chooses to implement based on risk appetite, business strategy, or industry best practices — beyond what is strictly mandated. These improve security posture without being legally required.

DSR is your aspirational security ceiling — controls that harden your posture beyond the compliance floor, chosen based on threat intelligence, risk assessments, and strategic security goals.

Voluntary · Risk-Based · Best Practice

plan, do, check, act

A PDCA Approach to Cybersecurity Governance

The SCRMS uses the Plan-Do-Check-Act (PDCA) cycle as its foundational operational model — a logical way to design, build, operate, and improve a cybersecurity program over time.

Plan

Define scope, applicable laws/regs/frameworks, and risk appetite. Identify MCR and DSR. Select applicable SCF controls. Build your Minimum Security Requirements (MSR) blueprint.

Do

Implement selected controls. Publish policies, standards, and procedures. Assign stakeholder accountability. Leverage the SCRMS as a “paint by numbers” implementation guide.

Check

Assess control effectiveness via the SCF Conformity Assessment Program (SCF-CAP). Measure maturity using the SCR-CMM. Monitor using built-in risk and threat catalogs.

Act

Remediate gaps from the Check phase. Update controls as laws change via the Living Control Set. Continuously improve. Prove compliance to regulators, auditors, insurers, and customers.

SCRMS principles

Nine Principles for a Sustainable Cybersecurity Program

There are nine principles associated with the SCRMS. Together they form a complete operational methodology — from initial scoping through continuous program evolution.

principle 1

Establish Context

Establishing context is both a due diligence and due care element of a cybersecurity program, since context changes with time. Considerations include: mission/vision/strategy; statutory, regulatory, and contractual requirements; fiscal constraints; organizational structure; applicable geographic-specific requirements; and internal and external stakeholder expectations.

principle 2

Identify Applicable Controls

A tailored set of cybersecurity and data protection controls must exist for a SCRMS implementation. This control set must be tailored to the organization’s unique requirements — a combination of Minimum Compliance Requirements (MCR) and Discretionary Security Requirements (DSR). This blend of “must have” and “nice to have” establishes the organization’s tailored control set.

principle 3

Define Maturity Expectations

The organization must define maturity expectations for its cybersecurity and data protection controls. From the SCRMS perspective, maturity expectations define entity-specific “what right looks like” for control implementation and ongoing operation. These maturity-based criteria apply across People, Processes, Technologies, Data, and Facilities (PPTDF) and directly support the organization’s security, compliance, and resilience goals.

principle 4

Publish Governance Documentation

Governance documentation is the written foundation of a cybersecurity program. This includes policies, standards, procedures, guidelines, and plans. Without published documentation, controls cannot be consistently applied, audited, or enforced. The SCF provides a direct mapping between controls and the governance documentation required to support them.

principle 5

Assign Stakeholder Accountability

Every control must have an owner. Accountability structures ensure that cybersecurity responsibilities are clearly assigned to specific roles across the organization — not just the security team. This includes executives (risk ownership), managers (policy enforcement), and operational staff (procedure execution). Undefined accountability is one of the most common root causes of control failures.

principle 6

Prioritize Capabilities According to Risk

Not all controls carry equal risk weight. Organizations with finite resources must prioritize implementation based on risk exposure, compliance criticality, and threat relevance. The SCRMS provides guidance for risk-based prioritization so that the most impactful controls are implemented first — ensuring early risk reduction even before a complete control set is in place.

principle 7

Maintain Situational Awareness

Situational awareness is achieved through continuous monitoring, metrics collection, and periodic assessments. This principle covers logging, monitoring, alerting, and audit programs. Without situational awareness, organizations cannot detect incidents, measure control effectiveness, or demonstrate compliance. The SCRMS aligns this principle directly to the Check phase of the PDCA cycle.

principle 8

Manage Risk

Risk management is the engine of the SCRMS Act phase. It encompasses: identifying and treating current deficiencies, assessing emerging threats and vulnerabilities, making risk acceptance decisions, tracking remediation, and reporting risk status to stakeholders. The SCF’s risk management controls (GOV, RSK domains) provide the specific control requirements for building a functional risk management function.

principle 9

Evolve Processes

The SCRMS is a living system. Cybersecurity threats, business contexts, and regulatory landscapes all change over time. Organizations must build continuous improvement into the SCRMS lifecycle — reviewing the program periodically, updating controls and governance documentation, reassessing risk, and incorporating lessons learned from incidents and audits into the next planning cycle.

what to explore next

Continue Building Your SCF Program

Now that you understand how the SCRMS works, explore the core tools and resources you’ll need to implement it.

Start Implementing the SCRMS Today

The SCF and SCRMS are free and open-source. Download the full control catalog and begin building your tailored cybersecurity program.