SCF Controls Platform
Features

The Full GRC Lifecycle, In One Platform

Built on the Secure Controls Framework™, the platform covers controls, evidence, vendors, risks, and audits, with evidence maturity grounded in the SCF model: AI-assisted where it helps, human-led where it matters.

The SCF is a comprehensive cybersecurity and data privacy metaframework maintained by a global community of volunteer specialists.

What Makes Us Different

These capabilities set us apart from compliance tracking tools. We are a full-lifecycle GRC operations platform.

Evidence Assessment

New

AI-assisted, human-led — focus on the gaps that matter

Upload evidence and get AI-assisted completeness scoring, gap flags, and recommendations grounded in SCF maturity criteria. Every assessment is human-reviewed — you decide when a control is ready.

  • AI-assisted content analysis (human sign-off required)
  • Gap identification and recommendations
  • Evidence health scoring with readiness tracking
  • Four-rule validation engine on every file

Vendor Management & TPRM

New

Third-party risk management, AI-assisted and human-led

Structured vendor lifecycle management with AI-assisted research, DPSIA security assessments, risk scoring, and assessment report generation. You approve the risk posture, not the model.

  • AI-assisted vendor security research (human-reviewed)
  • DPSIA security impact assessments
  • Risk scoring engine
  • Assessment report generation with PDF export

Audit Engagement Workspaces

New

Structured audit preparation from scoping to sign-off

Purpose-built workspaces for audit engagements. Organise evidence against controls, track readiness, and prepare structured audit packages.

  • Engagement-based audit workspaces
  • Evidence-to-control mapping per engagement
  • Readiness tracking and scoring
  • Structured audit preparation workflows

Evidence Maturity Advisory

Unique

Know your evidence collection maturity — and how to improve it

Most platforms track what evidence you need. We show you how mature your collection methods are and how to move up the curve — with clear provenance at every level.

  • L0-L5 maturity model aligned with C|P-CMM
  • Visual distribution chart on dashboard
  • Per-evidence upgrade recommendations
  • ROI calculations for automation benefits

Example Advisory

Evidence: "User Access Review Export"
Current Method: Manual (L2)
Current System: Okta
Recommendation: "Okta provides an API for user exports. Implementing scheduled API calls would move this to L4, saving approximately 4 hours per quarterly review."

Framework Gap Analysis

Enhanced

See exactly which controls you are missing

Visual gap analysis with one-click scoping. See 47 gaps in ISO 27001? Expand to see which domains — then add them all with one click.

  • Gap count badges on framework cards
  • Expandable domain-by-domain breakdown
  • "Add to Scope" per control
  • "Add All" bulk action per domain
  • Real-time gap count updates

Risk Module with 5x5 Matrix

Enhanced

Visual risk management with custom organisation risks

Interactive 5x5 likelihood/impact matrix with pre-seeded SCF risk codes, custom organisation-defined risks, configurable risk profiles, and bidirectional risk-control linking.

  • Colour-coded cells (green/yellow/orange/red)
  • Inherent vs residual risk toggle
  • Custom organisation-defined risk entries
  • Configurable organisation risk profile
  • See which controls address each risk (from SCF catalogue)
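The 5x5 matrix described above can be expressed as a small model: a risk's score is likelihood multiplied by impact (1 to 25), the score is banded into the four colours, linked controls reduce likelihood or impact to give a residual score, and the same links are queried in both directions. The following is an added illustration written for this page, not the platform's own code; the colour thresholds, the risk and control identifiers, and the way a control reduces a score are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Assumed colour bands for a 5x5 matrix (score = likelihood * impact, 1..25).
# Upper bounds are inclusive. These thresholds are an example assumption,
# not the platform's configurable organisation risk profile.
COLOUR_BANDS = [(4, "green"), (9, "yellow"), (15, "orange"), (25, "red")]


def risk_score(likelihood: int, impact: int) -> int:
    """Return the cell score for a likelihood/impact pair on a 1..5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be between 1 and 5")
    return likelihood * impact


def colour_for(score: int) -> str:
    """Map a score onto the green/yellow/orange/red band."""
    for upper, colour in COLOUR_BANDS:
        if score <= upper:
            return colour
    raise ValueError(f"score {score} is outside the 5x5 matrix")


@dataclass
class Control:
    # Constructed identifier for the example, not a real SCF control code.
    control_id: str
    # Assumed effect model: a linked control lowers likelihood and/or impact
    # by a fixed number of steps when computing residual risk.
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    # Constructed identifier for the example, not a real SCF risk code.
    risk_id: str
    inherent_likelihood: int
    inherent_impact: int
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return risk_score(self.inherent_likelihood, self.inherent_impact)

    def residual_position(self) -> tuple:
        """Likelihood/impact after all linked controls, clamped to the 1..5 scale."""
        l_red = sum(c.likelihood_reduction for c in self.controls)
        i_red = sum(c.impact_reduction for c in self.controls)
        return (max(1, self.inherent_likelihood - l_red),
                max(1, self.inherent_impact - i_red))

    def residual(self) -> int:
        return risk_score(*self.residual_position())


def build_matrix(risks: list, view: str = "inherent") -> dict:
    """Return {(likelihood, impact): [risk_ids]} for every cell of the 5x5 grid.

    `view` is "inherent" or "residual", mirroring the dashboard toggle.
    """
    if view not in ("inherent", "residual"):
        raise ValueError("view must be 'inherent' or 'residual'")
    cells = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for r in risks:
        pos = ((r.inherent_likelihood, r.inherent_impact) if view == "inherent"
               else r.residual_position())
        cells[pos].append(r.risk_id)
    return cells


def risks_for_control(risks: list, control_id: str) -> list:
    """Reverse lookup: which risks does a given control address?"""
    return [r.risk_id for r in risks
            if any(c.control_id == control_id for c in r.controls)]


def controls_for_risk(risks: list, risk_id: str) -> list:
    """Forward lookup: which controls are linked to a given risk?"""
    for r in risks:
        if r.risk_id == risk_id:
            return [c.control_id for c in r.controls]
    return []


# Constructed sample register: two risks, one shared control.
ACCESS_REVIEW_CONTROL = Control("CTRL-EXAMPLE-A", likelihood_reduction=2)
SAMPLE_RISKS = [
    Risk("RISK-EXAMPLE-01", inherent_likelihood=4, inherent_impact=5,
         controls=[ACCESS_REVIEW_CONTROL]),
    Risk("RISK-EXAMPLE-02", inherent_likelihood=2, inherent_impact=2),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.risk_id, "inherent", r.inherent(), colour_for(r.inherent()),
              "residual", r.residual(), colour_for(r.residual()))
    print(risks_for_control(SAMPLE_RISKS, "CTRL-EXAMPLE-A"))
```

The residual calculation here is deliberately simple (a control subtracts fixed steps); a real profile would let the organisation define both the band thresholds and how much credit a control earns, which is what the "configurable organisation risk profile" bullet refers to.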

Consultant Portal

Built-In

Manage all your clients from one dashboard

Purpose-built for GRC consultants. Invite clients via secure token-based email, compare compliance across organisations, and identify common gaps.

  • Cross-organisation compliance comparison
  • Quick-switch between client organisations
  • Aggregate posture visualisation
  • Standard templates across engagements

Core Capabilities

1,451 Security Controls

Powered by the Secure Controls Framework™ (SCF), a comprehensive cybersecurity and data privacy metaframework. We implement the full SCF control catalogue so you can operationalise best practices from day one.

  • Full SCF control catalogue included
  • Privacy-focused controls
  • Risk management controls
  • Operational and technical security controls

354+ Framework Mappings

Automatically map controls to regulatory frameworks worldwide. Implement once, comply with many.

  • ISO 27001, ISO 27701, ISO 22301
  • SOC 2 Type I & II, SOC 1
  • GDPR, CCPA, LGPD
  • NIST CSF, NIST 800-53
  • PCI-DSS, HIPAA, HITRUST
  • FedRAMP, CMMC, ITAR

Evidence Management

Full evidence lifecycle: drag-and-drop upload to Azure Blob Storage, AI-assisted content assessment (human sign-off), four-rule validation, health scoring, and review/approval workflows.

  • Evidence Requirement Library (ERL)
  • Drag-and-drop file upload with preview
  • AI-assisted content assessment, human-reviewed
  • Evidence health scoring and readiness tracking

Real-time Dashboards

Visual compliance status at a glance with drill-down capabilities, capability posture scoring, and maturity distribution charts.

  • Compliance score tracking
  • Capability posture dashboard (KSI-aligned)
  • Framework cards grouped by geography/type
  • Evidence readiness and due-soon views

Additional Features

Multi-tenant Architecture

Complete tenant isolation with per-organisation API keys and invitation-based onboarding.

Evidence Inbox (Webhook API)

Webhook-based evidence ingestion. Connect your tools to push evidence directly, with clear provenance on every artefact.

Capability Posture

KSI-aligned capability themes with posture scoring across your organisation.

Full Audit Trail

Middleware-level audit capture for all mutations with timestamps and user attribution.

API & Integrations

Comprehensive REST API with per-org API keys. MCP integration for AI-native workflows.

Control State Tracking

Track controls as "Ready for Review" or "Monitored" with full audit history.

Technology Registry

Map your tech stack to evidence capabilities. Track which systems provide which evidence.

Custom Organisation Risks

Add organisation-specific risks beyond the pre-seeded SCF codes. Link custom risks to controls.

Compliance Tracking vs Full-Lifecycle GRC

Traditional Tools

  • Tell you what evidence you need
  • Basic vendor questionnaires
  • Manual evidence review cycles
  • Separate tools for audit preparation
  • $400+/month entry pricing

SCF Controls Platform

  • AI-assisted evidence review, human sign-off
  • AI-assisted vendor research, human-led DPSIA
  • Webhook-based evidence ingestion
  • Built-in audit engagement workspaces
  • AI that assists, humans that decide

Ready to Get Started?

Start free and see how SCF Controls Platform can run your entire GRC program.