If you have ever felt that NIS2, DORA, ISO 27001, GDPR and your customers' questionnaires are all asking for slightly different versions of the same thing, you are right. The Secure Controls Framework (SCF) is built on exactly that insight, and it is free.
What the SCF actually is
The SCF is a free metaframework, a "framework of frameworks." Instead of being yet another standard to comply with, it is a single, unified catalogue of cybersecurity and data-privacy controls that has already been mapped to a huge range of external requirements. In its current form it offers more than 1,400 controls across 33 domains, cross-mapped to 200+ laws, regulations and frameworks, including ISO 27001/27002, NIST CSF 2.0, NIST 800-53 and 800-171, PCI DSS, SOC 2, GDPR, and the newer EU regimes such as NIS2 and DORA.
It is released free under Creative Commons by a community of practitioners, and is importable into any modern GRC platform as a spreadsheet or as machine-readable NIST OSCAL. There is no licence fee and no vendor lock-in.
The promise of the SCF is simple: implement a control once, and demonstrate it against every framework that asks for it.
Why it is so useful
- Do it once, prove it many times. Because each SCF control is mapped to the relevant clauses across dozens of frameworks, you build and operate a control a single time and reuse the evidence for ISO 27001, NIS2, DORA, SOC 2 and more. This is the antidote to running parallel, duplicated compliance programmes.
- It stays current. The SCF is a "living" control set: when a new law such as DORA or NIS2 lands, the mappings are updated, so your control library does not silently fall behind the regulatory landscape.
- The mappings are rigorous. The SCF uses a transparent, set-theory-based mapping methodology (aligned to NIST IR 8477) rather than vague "related to" crosswalks, so you can trust and defend the relationships in front of an auditor.
- It comes with more than controls. A single download includes maturity criteria for each control (a capability maturity model), proposed risk weightings, and risk and threat catalogues; that is the supporting machinery of a real programme, not just a list.
- It is free and open. For SMEs especially, getting an enterprise-grade control catalogue at no cost lowers the barrier to doing GRC properly.
How it fits with ISO 27001 and the rest
The SCF does not replace ISO 27001, and you cannot be "certified to the SCF"; it is a control catalogue, not a certifiable standard. Think of it as the connective tissue. You still certify to ISO 27001 where it matters commercially; you still meet NIS2 and DORA as law. But underneath, a single SCF-based control set drives all of them, so you assess risk once, implement once, and map the same evidence outward to each obligation. That is precisely the "one backbone, many regulations" model we advocate.
Practical tips: putting the SCF to work
- Scope before you adopt. 1,400 controls is a catalogue, not a to-do list. Select the controls relevant to your risk, sector and obligations; do not try to implement everything.
- Pick your primary frameworks. Decide which regimes you must satisfy (say ISO 27001 + NIS2 + DORA), then use the SCF mappings to find the common control set behind them.
- Use the maturity model honestly. Rate where each control really is today; the SCF capability levels make a credible, board-ready improvement story.
- Import it into your GRC tooling. Load the SCF (CSV or OSCAL) so mappings, evidence and reporting live in one place rather than scattered spreadsheets.
- Keep it updated. Refresh from the living version periodically so new regulatory mappings flow into your programme.
- Mind the licensing. The SCF is free under Creative Commons; respect the attribution terms when you build on it.
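As an added example (not SCF material or tooling), here is how the common control set behind the frameworks you must satisfy can be derived from mapping rows of the kind the SCF publishes, using the set-theory relationship types its mapping methodology is built on. The control ids, clauses and relationships below are constructed, and the row layout is a simplification of the real spreadsheet.

```python
from collections import defaultdict

# Set-theory relationship types (as in NIST IR 8477), read as
# "SCF control <relationship> external clause". Only "equal" and
# "superset of" discharge the clause outright; the rest leave a gap.
FULL = {"equal", "superset of"}

# Constructed, simplified SCF-style mapping rows (not real SCF content):
# (scf_control, external_framework, external_clause, relationship)
MAPPINGS = [
    ("IAC-10", "ISO 27001", "A.5.16", "equal"),
    ("IAC-10", "NIS2", "Art. 21(2)(i)", "superset of"),
    ("IAC-10", "DORA", "Art. 9(4)(c)", "intersects with"),
    ("CRY-03", "ISO 27001", "A.8.24", "equal"),
    ("CRY-03", "DORA", "Art. 9(4)(d)", "subset of"),
    ("IRO-02", "ISO 27001", "A.5.26", "equal"),
    ("IRO-02", "NIS2", "Art. 23", "intersects with"),
    ("IRO-02", "DORA", "Art. 17", "equal"),
    ("CPL-01", "SOC 2", "CC1.1", "equal"),
]

def common_control_set(mappings, frameworks):
    """SCF controls needed for the chosen frameworks, with the clauses each
    one satisfies fully and those it only partly covers."""
    controls = defaultdict(lambda: {"full": set(), "partial": set()})
    for scf_id, framework, clause, rel in mappings:
        if framework not in frameworks or rel == "no relationship":
            continue
        bucket = "full" if rel in FULL else "partial"
        controls[scf_id][bucket].add((framework, clause))
    return dict(controls)

def coverage_gaps(control_set):
    """Clauses only partially covered: supplementary evidence or an extra
    control is needed before the SCF evidence can be reused for them."""
    return sorted((scf_id,) + clause
                  for scf_id, o in control_set.items()
                  for clause in o["partial"] - o["full"])

if __name__ == "__main__":
    selected = {"ISO 27001", "NIS2", "DORA"}
    cs = common_control_set(MAPPINGS, selected)
    print(f"{len(cs)} SCF controls cover {len(selected)} frameworks")
    for gap in coverage_gaps(cs):
        print("gap:", *gap)
```

The gap list is the part an auditor will care about: a control mapped as "intersects with" or "subset of" a clause reuses some evidence but does not discharge that clause on its own.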
The bottom line
The SCF will not pass an audit for you, and it is not a silver bullet. But as a free, rigorously mapped, continuously maintained control catalogue, it is one of the most practical tools available for organisations that are tired of treating every regulation as a separate project. Build your controls once, map them everywhere, and spend your energy on protection and evidence rather than reinventing the same control set for the next framework.
Want one control set behind every obligation?
We help organisations build a single, SCF-informed control backbone that satisfies ISO 27001, NIS2, DORA and customer due diligence at once, assessed once, proven many times.
This article is general information from circl3.tech, not legal or licensing advice. The Secure Controls Framework is maintained independently and released under Creative Commons; figures cited reflect the framework at the time of writing and evolve over time.