> For the complete documentation index, see [llms.txt](https://surecloud.gitbook.io/surecloud-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://surecloud.gitbook.io/surecloud-docs/integrations/surecloud-control-framework/overview.md).

# Overview

**One control library. Fifteen frameworks. Zero crosswalk spreadsheets.**

The SureCloud Control Framework is a unified library of **162 cybersecurity, privacy, and risk controls** spanning **20 operational domains** — pre-mapped to the regulatory frameworks your customers, your auditors, and your board care about. It's the operating backbone of SureCloud's Continuous Control Monitoring (CCM) platform, and the reference our customers use to plan, evidence, and demonstrate compliance at audit.

If you've ever spent a week stitching together your own ISO-to-SOC-2-to-NIST crosswalk in a spreadsheet, this is the alternative.

## What's inside

* **162 controls** across the full lifecycle — from executive governance through cloud and AI.
* **20 control domains** structured to match how security and risk teams actually operate.
* **259 continuous control tests** (CCM Tests) mapped to the controls — every "what" backed by a "how to evidence it".
* **174 standardised evidence types** an auditor will recognise — RACI matrices, board minutes, training records, scan reports, and more.
* **15 regulatory frameworks** cross-mapped at the control level, with citation IDs against every applicable clause.

## Frameworks mapped

Every control on this site lists the specific clauses, articles, and criteria it satisfies across:

* **ISO/IEC 27001:2022** — Information security management
* **ISO/IEC 27017:2015** — Cloud-specific security controls
* **ISO/IEC 42001:2025** — AI management systems
* **SOC 2** — All five Trust Services Criteria (Common Criteria, Confidentiality, Availability, Processing Integrity, Privacy)
* **NIST CSF v2.0** — Cybersecurity Framework
* **NCSC CAF v4.0** — UK Cyber Assessment Framework
* **Cyber Essentials Plus v3.2** — UK government baseline
* **DORA** — EU Digital Operational Resilience Act
* **GDPR** — EU General Data Protection Regulation
* **PCI-DSS** — Payment Card Industry Data Security Standard
* **SCF** — Secure Controls Framework

Citations are listed by identifier only (e.g. `5.1`, `A.5.4`, `CC1.2`, `GV.RR-01`). For the full citation text, refer to the source standard.

## How each control page is structured

Every control page follows the same three-section anatomy so you can find what you need in seconds:

1. **Control Description** — what the control is, why it matters.
2. **Linked Tests** — the specific CCM tests that verify the control is in place, each with its test type and the example evidence an auditor will expect.
3. **Regulatory Citations** — a table listing the citation IDs from every applicable framework, so you can move from a SureCloud control to the underlying standard (and back again) without a crosswalk.

## How to use this library

**Building or rationalising your control set.** Start from a recognised baseline rather than authoring from scratch. Adopt the SureCloud controls relevant to your scope, drop the ones that aren't, and you have a defensible, framework-aligned control library in days rather than months.

**Preparing for an audit.** Open the control pages for the scope being audited and you have the test list, the evidence types, and the framework citations in one place. Hand it to your auditor; you've just compressed weeks of audit prep into an afternoon.

**Demonstrating coverage to customers and regulators.** When a prospect's security questionnaire asks "how do you address ISO 27001 clause 5.1?" — the answer is a single page on this site listing the control, the tests that prove it, and the evidence on file.

**Adopting a new framework.** If you already meet the SureCloud controls and a new framework lands on your desk (DORA, ISO 42001), the citation tables tell you where you already have coverage and where the genuine gaps are.
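
As an added illustration (not SureCloud's code or real mappings) of the two lookups described above, the following Python builds a tiny constructed control library keyed by control ID, derives the citation table for a control, inverts it into a citation-to-control index, and then uses that index for the coverage/gap check you would run when a new framework lands. The control IDs other than `SC-IAM-004`, the framework keys and the clause-to-control assignments are hypothetical.

```python
"""Constructed control library: control ID -> framework -> citation IDs.
The mappings are illustrative only, not SureCloud's published crosswalk."""
from collections import defaultdict

LIBRARY = {
    "SC-IAM-004": {"ISO27001": ["A.5.15", "A.5.18"], "SOC2": ["CC6.1"], "NISTCSF": ["PR.AA-01"]},
    "SC-GRC-001": {"ISO27001": ["5.1", "A.5.4"], "SOC2": ["CC1.2"], "NISTCSF": ["GV.RR-01"]},
    "SC-CLD-002": {"ISO27017": ["CLD.6.3.1"], "SOC2": ["CC6.6"]},
}


def citations_for(control_id, library=LIBRARY):
    """Control-page view: the flat (framework, citation) rows of the citation table."""
    return sorted((fw, cid) for fw, cids in library[control_id].items() for cid in cids)


def build_reverse_index(library=LIBRARY):
    """Invert the library: (framework, citation) -> set of control IDs.
    This is the 'back again' direction, from a clause to the controls that satisfy it."""
    index = defaultdict(set)
    for control_id, frameworks in library.items():
        for fw, cids in frameworks.items():
            for cid in cids:
                index[(fw, cid)].add(control_id)
    return index


def coverage_gaps(framework, required_clauses, adopted_controls, library=LIBRARY):
    """For a framework being adopted, split its required clauses into those already
    satisfied by an adopted control and those with no adopted control behind them."""
    index = build_reverse_index(library)
    adopted = set(adopted_controls)
    covered = {c for c in required_clauses if index.get((framework, c), set()) & adopted}
    gaps = set(required_clauses) - covered
    return covered, gaps


if __name__ == "__main__":
    # Hypothetical scenario: two controls adopted, SOC 2 is the incoming framework.
    covered, gaps = coverage_gaps("SOC2", ["CC1.2", "CC6.1", "CC6.6", "CC7.2"],
                                  ["SC-GRC-001", "SC-IAM-004"])
    print("covered:", sorted(covered), "gaps:", sorted(gaps))
```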

## Navigation

Use the sidebar to browse by Control Domain, or search by Control ID (e.g. `SC-IAM-004`) or framework citation (e.g. `CC1.2`). Every page is cross-referenced — you'll never need to leave the docs to follow a thread.

## Tests

Each control on this site links to one or more **tests** — automated and manual checks that confirm the control is operating as designed, not just documented as designed. CCM tests live inside the SureCloud platform; when run on a schedule, they convert the framework from a static document into a living measurement of your compliance posture.

This site is the reference; the platform is the engine.

***

*Ready to take a tour? Open any domain in the sidebar — `Governance, Risk & Compliance (GRC)` is a good place to start.*

