Secure Controls Framework (SCF)

In 2018, we will launch the Secure Controls Framework (SCF) to create what we hope will be a new industry framework for cybersecurity and privacy controls.

The SCF combines cybersecurity and privacy requirements to help companies operationalize both by default, with an eye towards EU GDPR. The objective is Cybersecurity for Privacy by Design (C4P). With the SCF and products from our partners at ComplianceForge, companies will have the policies, control objectives, standards, guidelines, controls and procedures to build a world-class cybersecurity program.

The SCF is a “best in class” approach to building a hybrid framework for cybersecurity and privacy controls. It allows companies to align with more than just ISO or NIST by having a common framework of controls that can be customized to each company's needs.

There will be no charge for companies to use the SCF; users will just have to register for an account to generate their own custom control set or download the entire SCF.

  • Industry Frameworks

    • AICPA SOC 2 (2016)

    • AICPA SOC 2 (2017)

    • CIS CSC v6.1

    • COBIT v5

    • CSA CCM v3.0.1

    • ENISA v2.0

    • ISO 27002 v2013

    • ISO 27018 v2014

    • NIST 800-53 rev 4

    • NIST 800-53 rev 5 [draft]

    • NIST 800-171 rev 1

    • NIST Cybersecurity Framework rev 1

    • PCI DSS v3.2

    • UL 2900-1

  • US Federal Data Security Laws

    • COPPA

    • DFARS 252.204-70xx

    • FACTA

    • FAR 52.204-21

    • FDA 21 CFR 11

    • FedRAMP [moderate]

    • FINRA

    • GLBA

    • HIPAA

    • NERC CIP

    • NISPOM

    • SOX

  • US State Data Security Laws

    • CA SB 1386

    • MA 201 CMR 17.00

    • NY DFS 23 NYCRR 500

    • OR 646A

  • Europe, Middle East & Africa (EMEA) - Data Protection Acts

    • ePrivacy [draft]

    • GDPR

    • Austria

    • Belgium

    • Czech Republic

    • Denmark

    • Finland

    • France

    • Germany

    • Greece

    • Hungary

    • Ireland

    • Israel

    • Italy

    • Luxembourg

    • Netherlands

    • Norway

    • Poland

    • Portugal

    • Russia

    • Slovak Republic

    • South Africa

    • Spain

    • Sweden

    • Switzerland

    • Turkey

    • UAE

    • UK

  • Asia Pacific (APAC) - Data Protection Acts

    • Australia

    • China DNSIP

    • Hong Kong

    • India ITR

    • Indonesia

    • Japan

    • Malaysia

    • New Zealand

    • New Zealand NZISM

    • Philippines

    • Singapore

    • Singapore MAS TRM

    • South Korea

    • Taiwan

  • Americas - Data Protection Acts

    • Argentina

    • Bahamas

    • Canada

    • Chile

    • Colombia

    • Costa Rica

    • Mexico

    • Peru


Verutus, LLC

1002A North Springbrook Rd #229
Newberg, OR 97132

This website is for educational purposes only and does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. Verutus, LLC (Verutus) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. Verutus does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user. Verutus reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

© 2021 by Verutus, LLC.