Publication of SCF and AI V2.0

19 June 2020

We are pleased to share with you the publication of the Security Controls Framework (SCF) V2.0 Part 1, Part 2 and the Agreed Interpretations (AI) V2.0. Both tracked Changed Versions and clean versions can be found on the website.

We have updated the SCF Part 1, Section 4.5 relating to the Timing of Second and Subsequent Assessments.  The SSC has clarified that Users must now ensure that any subsequent assessments following Second Year Security Assessments, must be scheduled to ensure they are completed within 12 months of the previous assessments fieldwork end date.

In addition, we have also updated the SCF Part 2 and the Agreed Interpretations.  Suppliers and Shared Resource Providers may now be requested to provide evidence of independent CREST or CHECK testing of Separation. For further detail on this, please refer to Appendix B and SEC Obligation G3.11 of the SCF and Section 4 of the AI.

Please note a technical issue is causing the Agreed Interpretations to show as V1.10 Version 2.0 on Clause Match – this will be fixed with the next release.