github securecontrolsframework/securecontrolsframework 2025.1
SCF 2025.1

3 days ago

Version 2025.1 represents a minor update, based on new and changed controls in the Secure Controls Framework (SCF). You can download the new version of the SCF and errata from:

Added Set Theory Relationship Mappings (STRM) for:

  1. UK Defence Standard (Def Stan) 05-138
  2. India Digital Personal Data Protection Act (DPDPA)
  3. Saudi Arabia IoT CGIoT-1
  3. Saudi Arabia Personal Data Protection Law (PDPL)
  5. Spain BOE-A-2022-7191
  6. UAE National Information Assurance Framework (NIAF)
  7. EU General Data Protection Regulation (GDPR)
  8. US Data Privacy Framework
  9. US Oregon Data Privacy Act (SB619)
  10. US Texas Data Privacy & Security Act

Removed mappings to:

  1. Old version of EU GDPR mapping
  2. EU ePrivacy Directive
  3. Czech Republic Act No. 101/2000 on the Protection of Personal Data
  4. Denmark Act on Processing of Personal Data (Act No. 429 of May 31, 2000)
  5. Finland Personal Data Act (986/2000)
  6. France 78 17 / 2004 8021 - Information Technology, Data Files & Civil Liberty
  7. Luxembourg Protection of Persons with Regard to the Processing of Personal Data
  8. Portugal Act on the Protection of Personal Data
  9. Slovak Republic Protection of Personal Data (122/2013)
  10. UAE Data Protection Law No. 1 of 2007
  11. Indonesia Government Regulation No. 82 of 2012

New controls:

  1. CPL-01.3 - Ability To Demonstrate Conformity
  2. CPL-02.2 - Periodic Audits
  3. CPL-07 - Grievances
  4. CPL-07.1 - Grievance Response
  5. MON-17 - Event Log Analysis & Triage
  6. MON-17.1 - Event Log Review Escalation Matrix
  7. HRS-01.1 - Onboarding, Transferring & Offboarding Personnel
  8. HRS-14 - Identifying Authorized Work Locations
  9. HRS-14.1 - Communicating Authorized Work Locations
  10. HRS-15 - Reporting Suspicious Activities
  11. PES-19 - Physical Access Device Inventories
  12. PRI-01.8 - Data Fiduciary
  13. PRI-01.9 - Personal Data (PD) Process Manager
  14. PRI-01.10 - Financial Incentives For Personal Data (PD)
  15. PRI-03.9 - Continued Use of Personal Data (PD)
  16. PRI-03.10 - Cease Processing, Storing and/or Sharing Personal Data (PD)
  17. PRI-03.11 - Communicating Processing Changes
  18. PRI-04.7 - Personal Data (PD) Collection Methods
  19. PRI-05.8 - Personal Data (PD) Formats
  20. PRI-07.5 - Justification To Reject Disclosure Requests
  21. PRI-12.1 - Enabling Data Subjects To Update Personal Data (PD)
  22. VPM-05.6 - Pre-Deployment Patch Testing
  23. VPM-05.7 - Out-of-Cycle Patching

Renamed controls:

  1. MON-01.8 - Security Event Monitoring
  2. IRO-10.2 - Cyber Incident Reporting for Sensitive / Regulated Data
  3. PRI-01.7 - Limiting Personal Data (PD) Disclosures
  4. PRI-03.2 - Just-In-Time Notice & Updated Consent
  5. PRI-03.3 - Prohibition of Selling, Processing and/or Sharing Personal Data (PD)
  6. PRI-04.1 - Authority To Collect, Process, Store & Share Personal Data (PD)
  7. PRI-04.4 - Acquired Personal Data (PD)
  8. PRI-04.5 - Validate Collected Personal Data (PD)
  9. PRI-04.6 - Re-Validate Collected Personal Data (PD)
  10. PRI-05 - Personal Data (PD) Retention & Disposal
  11. PRI-05.1 - Internal Use of Personal Data (PD) For Testing, Training and Research
  12. PRI-05.4 - Usage Restrictions of Personal Data (PD)
  13. PRI-05.6 - Personal Data (PD) Inventory Automation Support
  14. PRI-06 - Data Subject Empowerment
  15. PRI-06.7 - Personal Data (PD) Exports
  16. PRI-07.2 - Joint Processing of Personal Data (PD)
  17. PRI-07.4 - Reject Unauthenticated or Untrustworthy Disclosure Requests
  18. PRI-14 - Documenting Data Processing Activities
  19. SAT-03.3 - Sensitive / Regulated Data Storage, Handling & Processing

Wordsmithed controls:

  1. GOV-08 - Defining Business Context & Mission
  2. GOV-16 - Materiality Determination
  3. CRY-07 - Wireless Access Authentication & Encryption
  4. DCH-18.1 - Minimize Sensitive / Regulated Data
  5. NET-15.1 - Authentication & Encryption
  6. PRI-01 - Data Privacy Program
  7. PRI-01.4 - Data Protection Officer (DPO)
  8. PRI-01.6 - Security of Personal Data (PD)
  9. PRI-02 - Data Privacy Notice
  10. PRI-02.1 - Purpose Specification
  11. PRI-02.2 - Automated Data Management Processes
  12. PRI-02.3 - Computer Matching Agreements (CMA)
  13. PRI-03 - Choice & Consent
  14. PRI-03.1 - Tailored Consent
  15. PRI-03.2 - Just-In-Time Notice & Updated Consent
  16. PRI-03.3 - Prohibition of Selling, Processing and/or Sharing Personal Data (PD)
  17. PRI-03.4 - Revoke Consent
  18. PRI-03.5 - Product or Service Delivery Restrictions
  19. PRI-04 - Restrict Collection To Identified Purpose
  20. PRI-04.1 - Authority To Collect, Process, Store & Share Personal Data (PD)
  21. PRI-04.3 - Identifiable Image Collection
  22. PRI-05.2 - Personal Data (PD) Accuracy & Integrity
  23. PRI-05.4 - Usage Restrictions of Personal Data (PD)
  24. PRI-05.5 - Inventory of Personal Data (PD)
  25. PRI-06 - Data Subject Empowerment
  26. PRI-06.3 - Appeal Adverse Decision
  27. PRI-06.4 - User Feedback Management
  28. PRI-06.5 - Right to Erasure
  29. PRI-06.6 - Data Portability
  30. PRI-06.7 - Personal Data (PD) Exports
  31. PRI-07.4 - Reject Unauthenticated or Untrustworthy Disclosure Requests
  32. PRI-09 - Personal Data (PD) Lineage
  33. PRI-14 - Documenting Data Processing Activities
  34. PRI-14.1 - Accounting of Disclosures
  35. PRI-17 - Data Subject Communications
  36. OPS-07 - Shadow Information Technology Detection
  37. SAT-03.3 - Sensitive / Regulated Data Storage, Handling & Processing

Updated mappings:

  1. ISO 27002:2022
     - GOV-09 (corrected typo)
  2. NIST 800-171A
     - CFG-02
     - MON-08
