Framework Management
The SCF Controls Platform provides powerful tools for managing compliance frameworks: the Control Library, the Mapping Matrix, and Scope by Framework bulk scoping.
Scope by Framework
The Scope by Framework feature allows you to bulk-scope all controls mapped to one or more compliance frameworks with a single action. This is the fastest way to build your control baseline when adopting a new framework.
How It Works
- Navigate to Control Scoping (checkbox icon in sidebar)
- Click the Scope by Framework button in the sidebar
- The Framework Selection Modal opens showing all 260+ available frameworks
- Select one or more frameworks you need to comply with
- Preview shows how many controls will be added
- Click Add to Scope to bulk-scope all mapped controls
Key Features
| Feature | Description |
|---|---|
| Multi-select | Select multiple frameworks at once (e.g., ISO 27001 + SOC 2) |
| Preview counts | See exactly how many controls will be added before confirming |
| Additive only | Never overwrites existing selections — only adds new controls |
| Deduplication | Controls mapped to multiple frameworks are only added once |
| Selection reason | Automatically records why controls were scoped |
Example Workflow
Scenario: Your organization needs to comply with both ISO 27001:2022 and PCI DSS v4.0.
- Open Control Scoping
- Click Scope by Framework
- Select “ISO/IEC 27001:2022” and “PCI DSS v4.0.1”
- Preview shows: “316 controls from ISO 27001 + 364 controls from PCI DSS = 412 unique controls to add (268 overlap)”
- Click Add to Scope
- All 412 unique controls are now in scope with implementation status “Not Started”
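The counting and merge rules from Key Features and the Example Workflow, modelled as an added example; this is not the platform's code or API. The sample mappings, `ScopedControl`, `preview`, `add_to_scope` and the selection-reason string are assumptions constructed for illustration, and the demo goes one step beyond the workflow above by starting with a control that is already in scope.

```python
from dataclasses import dataclass

# Constructed sample data: framework -> SCF control IDs mapped to it.
# These assignments are illustrative, not real SCF mappings.
MAPPINGS = {
    "ISO/IEC 27001:2022": {"GOV-01", "AST-01", "CFG-01", "CRY-01"},
    "PCI DSS v4.0.1": {"CFG-01", "CRY-01", "BCR-01"},
}

@dataclass
class ScopedControl:  # hypothetical record for one in-scope control
    status: str = "Not Started"
    reason: str = ""

def preview(selected, scope, mappings=MAPPINGS):
    """Counts to review before confirming a bulk scope."""
    per_framework = {fw: len(mappings[fw]) for fw in selected}
    unique = set().union(*(mappings[fw] for fw in selected))
    return {
        "per_framework": per_framework,
        "unique": len(unique),                                # deduplicated
        "overlap": sum(per_framework.values()) - len(unique),
        "to_add": len(unique.difference(scope)),              # not yet scoped
    }

def add_to_scope(selected, scope, mappings=MAPPINGS):
    """Additive merge: existing entries keep their status and reason."""
    added = []
    for fw in selected:
        for control_id in sorted(mappings[fw]):
            if control_id in scope:  # already scoped, or added by an earlier framework
                continue
            # Assumed reason format; the platform's wording is not documented here.
            scope[control_id] = ScopedControl(reason=f"Scope by Framework: {fw}")
            added.append(control_id)
    return added

if __name__ == "__main__":
    scope = {"CRY-01": ScopedControl(status="Implemented", reason="Manual")}
    chosen = ["ISO/IEC 27001:2022", "PCI DSS v4.0.1"]
    print(preview(chosen, scope))
    print(add_to_scope(chosen, scope), scope["CRY-01"])
```

When some selected controls are already scoped, the number actually added (`to_add`) is smaller than the unique count, which is the figure to check against the scope list after confirming.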
Control Library
The Control Library is your reference for browsing all 1,451 SCF controls. Access it by clicking the Book icon in the sidebar.
Interface Overview
The Control Library uses a split-panel layout:
Left Panel — Control List
- Stats header — Shows filtered count vs. total controls
- Search bar — Filter by control ID, name, description, or domain
- Filters dropdown — Filter by domain, NIST CSF function, or control weight
- Control cards — Each displays ID, name, badges, domain, artifact count, and framework count
Right Panel — Control Details
When you select a control, the detail panel shows:
| Section | Content |
|---|---|
| Header | Control ID, name, domain, NIST CSF function |
| Description | Full control description |
| Control Question | Assessment question for the control |
| Maturity Roadmap | C\|P-CMM guidance for each maturity level (0-5) |
| Business Size Guidance | Implementation guidance by organization size |
| Related Artifacts | Evidence items required |
| Framework Mappings | Which frameworks this control satisfies |
| Risk & Threat Context | Associated risks and threats |
Searching and Filtering
Search across multiple fields simultaneously:
- Control ID (e.g., “GOV-01”)
- Control name (e.g., “access review”)
- Description text
- Domain name
Filter by specific attributes using the collapsible Filters dropdown:
| Filter | Options |
|---|---|
| Domain | 32 SCF domains (AST, BCR, CFG, CRY, etc.) |
| NIST CSF Function | Identify, Protect, Detect, Respond, Recover, Govern |
| Control Weight | 0 (Minimal) to 10 (Critical) |
Control Card Information
Each control card displays:
- SCF ID badge — Unique identifier (e.g., GOV-01)
- NIST CSF function pill — Color-coded: Identify (blue), Protect (green), Detect (amber), Respond (red), Recover (purple), Govern (gray)
- Control weight badge — Importance rating 0-10
- Control name — Brief description of the control
- Domain — Control category
- Metadata — Artifact count and framework count
Mapping Matrix
The Mapping Matrix visualizes how SCF controls map to compliance frameworks. Access it by clicking the Grid icon in the sidebar.
Understanding the Matrix
The matrix displays:
- Rows — SCF controls (ID and name)
- Columns — Compliance frameworks (ISO 27001, SOC 2, NIST, etc.)
- Cells — An “X” indicates the control maps to that framework
Hover over any “X” to see the tooltip showing:
- SCF control ID
- Framework name
- Specific requirement references (e.g., “A.9.1.1”, “CC6.1”)
Header Controls
| Control | Function |
|---|---|
| Legend button | Show/hide implementation status color guide |
| Show scoped only | Filter to only display controls you’ve selected |
| Stats | Shows control count and framework count |
Implementation Status Colors
When you have scoped controls, the matrix rows are color-coded by implementation status:
| Color | Status |
|---|---|
| Green | Implemented |
| Blue | In Progress |
| Gray | Not Started |
| Orange/Red | At Risk |
| Light Gray | Not Applicable |
| Yellow | Deferred |
Click the Legend button to see the full color guide.
Supported Frameworks
The platform includes mappings to 260+ compliance frameworks from the Secure Controls Framework (SCF). This comprehensive coverage spans government, industry, and international standards.
Framework Categories
The platform supports frameworks across these categories:
US Federal & Government
- NIST SP 800-53 (R4 and R5, all baselines)
- FedRAMP (R4, R5, High/Moderate/Low/Tailored)
- NIST SP 800-171 (R2 and R3)
- NIST Cybersecurity Framework v2.0
- CMMC 2.0 (all levels)
- CJIS Security Policy
- IRS 1075
- MARS-E 2.0
Industry Standards
- PCI DSS v4.0.1 (all SAQ types)
- SOC 2 (AICPA Trust Services Criteria)
- HIPAA Security Rule
- Cloud Controls Matrix (CCM) v4
- CIS Controls v8.1
- COBIT 2019
International Standards
- ISO/IEC 27001:2022
- ISO/IEC 27002:2022
- ISO/IEC 27017:2015 (Cloud)
- ISO/IEC 27018:2019 (Privacy)
- ISO/IEC 27701:2025 (Privacy)
- ISO/IEC 42001:2023 (AI)
- ISO 22301:2019 (Business Continuity)
European Frameworks
- EU NIS2 Directive
- EU DORA (Digital Operational Resilience)
- EU AI Act
- BSI Standard 200-1
- Cloud Computing Compliance Criteria (C5)
- ENS (Spain National Security Scheme)
Asia-Pacific Frameworks
- Australian ISM (June 2024)
- New Zealand NZISM v3.6
- Japan ISMAP
- Singapore MAS TRM
- Korea FSI Guidelines
Specialized Frameworks
- NIST AI RMF 1.0
- NIST SP 800-161 R1 (Supply Chain)
- NIST SP 800-82 (ICS/OT Security)
- TISAX ISA 6 (Automotive)
- MPA Content Security v5.1 (Media)
- NERC CIP 2024 (Energy)
Top Frameworks by Control Coverage
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 R5 | 777 |
| NIST SP 800-53 R4 | 652 |
| IRS 1075 | 445 |
| GovRAMP High | 441 |
| FedRAMP R5 High | 423 |
| SOC 2 (TSC 2022) | 412 |
| NIST SP 800-171 R3 | 408 |
| PCI DSS v4.0.1 | 364 |
| ISO/IEC 27002:2022 | 316 |
| NIST CSF v2.0 | 253 |
Use Cases
Starting a New Compliance Program
- Open Control Scoping
- Click Scope by Framework
- Select your target framework(s)
- Review the preview count
- Click Add to Scope
- Your baseline is established with all required controls
Multi-Framework Compliance
- Use Scope by Framework to select all required frameworks
- Open the Mapping Matrix to see coverage overlap
- Focus implementation on controls that satisfy multiple frameworks
- Use the matrix to verify complete coverage
Audit Preparation
- Open the Mapping Matrix
- Enable Show scoped only
- Find your target framework column
- Verify all controls show “X” marks (coverage)
- Check implementation status colors are green (implemented)
Gap Analysis
- Open the Mapping Matrix
- Identify framework columns with missing “X” marks
- Click on controls to view details
- Use Scope by Framework to add missing controls
Best Practices
When Starting a Compliance Program
- Use Scope by Framework first — Bulk-scope your primary framework
- Layer additional frameworks — Add secondary frameworks incrementally
- Review overlaps — Use the Mapping Matrix to understand multi-framework controls
- Prioritize by weight — Focus on high-weight controls (8-10) first
For Ongoing Compliance
- Check the Matrix regularly — Verify coverage as frameworks are updated
- Review new SCF releases — As SCF adds controls, assess relevance
- Document decisions — Use selection reasons in Control Scoping
Related Guides
- Control Management — Scope and track control implementation
- Dashboard Overview — See framework coverage metrics
- Evidence Management — Track evidence for controls