Information and cyber security compliance is complex, but having a framework for implementation makes it approachable.
The Dilemma: Your small/medium enterprise (SME) is growing. That’s a good thing, right? In some respects yes, but as your business grows, so will your regulatory and compliance overhead. Customers demand that you meet certain information security or cybersecurity requirements, government or industry bodies mandate specific compliance requirements, and even internal business needs may dictate the use of specific governance frameworks.
How do you manage these disparate requirements? A single set of information and cyber security controls, mapped to your various compliance requirements, can help bring order to the chaos. Sales enablement, regulatory audits going smoothly, and reduced costs for compliance are all benefits a unified set of controls can provide.
The Secure Controls Framework (SCF) is a free-to-use tool provided by a company called Verutus (closely related to Compliance Forge, who make some great tools & templates for a variety of compliance needs), and can be accessed here: https://www.securecontrolsframework.com/. It contains over 740 controls across 32 domains. That sounds overwhelming, but don’t worry! It’s quite thorough, and you are able to pick only the SCF Domains you need to implement. These include basics like Asset Management and Cryptographic Protections, along with more comprehensive topics such as Privacy and Project & Resource Management.
There are a number of SCF Controls within each domain. These are tagged with an ID number that includes an abbreviation of the domain, e.g., Security & Privacy Governance Control #1 is GOV-01. Each control comes with a relatively easy-to-read description, which is important for a business implementing compliance, infosec, or cyber security for the first time. There’s also a set of helpful guidance called “Methods to Comply with SCF Controls”, which gives both first-time implementers and seasoned security pros a quick and easy starting point.
The SCF has two major benefits. First is its mixture of comprehensiveness and simplicity. The 32 domains cover the vast majority of compliance, InfoSec, and cyber security needs for many, many businesses. However, the Control language is still approachable enough to be useful to novices - you don’t need decades of experience in any of these fields to implement business processes and tools that meet the SCF Controls.
The second benefit SCF offers is an extensive list of cross-references. The controls are mapped to 100 other security and compliance frameworks from a variety of sources, including:
So does that mean SCF will make you globally compliant with all these 100 frameworks? Not quite, as there may be some regional nuances you need to take into account. However, having a unified set of controls that allow you to check multiple boxes across several industry and country frameworks certainly gives you a leg up!
There are two paths that can help you launch a compliance program based on the SCF, differentiated by what’s driving your compliance initiative.
An increased understanding of the importance of cybersecurity has led to a large number of frameworks, audit reports, and tools designed to help. Unfortunately, this abundance makes the approach to securing your small/medium enterprise more confusing than ever. Which framework is right? How do you get started? Which part of the framework should you address first? SCF aims to simplify this situation, which makes it ideal for an SME that wants to kickstart efforts to secure its business. This is the same idea driving Zeguro’s Virtual Cybersecurity Officer. We take the guesswork out of identifying and mitigating your cyber risks, allowing you to focus on growing your business on a cyber-secure footing.