Why do we use the SCF™?

The SCF advances how cybersecurity and privacy controls are used

The SCF™ advances how cybersecurity and privacy controls are used at the strategic, operational and tactical layers of an organisation, regardless of its size or industry.


The SCF™ is Secure by Design & Default

Understanding the requirements for both cybersecurity and privacy principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations that are “right-sized” for an organisation, since every organisation has unique requirements.

It is best to visualise the SCF™ as a buffet of cybersecurity and privacy controls, where there is a selection of 740+ controls available to you. Once you know what is applicable to you, you can generate a customised control set that gives you the controls you need to address your statutory, regulatory and contractual obligations. 


Designing & Building An Audit-Ready Cybersecurity & Privacy Program

Building a security program that routinely incorporates security and privacy practices into daily operations requires a mastery of the basics.

Think of the SCF™ as a toolkit for us to help you build out your overall security program domain-by-domain so that cybersecurity and privacy principles are designed, implemented and managed by default!

The SCF™ has been localised by FirmGuard to incorporate all local security and privacy standards

The SCF™ has understandably been built primarily to incorporate North American and European security and privacy standards. However, it has provided the framework and principles by which FirmGuard was already operating and delivering projects. We've taken this and extended its reach for the ANZ and JAPAC regions and will continue to work with the SCF™ to incorporate all locally relevant standards.

We have incorporated the following local & regional standards:

Australia

  • APRA Prudential Standard CPS234
  • APRA Prudential Guideline CPG235
  • Privacy Act of 1998
  • Australian Government Information Security Manual (ISM)

New Zealand

  • RBNZ Cyber Security & Regulatory Framework 
  • Privacy Act of 1993
  • NZ Information Security Manual (ISM)

Singapore

  • Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines

The Secure Controls Framework™

The information on this page has been reproduced, adapted and localised to JAPAC and ANZ by FirmGuard with the kind permission of the team at the Secure Controls Framework™ (SCF). For further information on the SCF™, please refer to their website.