Publication of the Security Controls Framework v2.4

2 August 2021

We are pleased to share with you the publication of the Security Controls Framework (SCF) V2.4 Part 1 and Part 2. Both tracked-changed versions and clean versions can be found on the website.

The SCF Part 2 has been updated to introduce:

  • Appendix H: Remaining non-compliances following SSC review of a second or subsequent User Security Assessment. User guidance to outline the post-SSC review Remediation Plan and validation process.
  • Appendix I: Observation scoring catalogue. This defines the ratings assigned to any observation within User Assessment Reports by the User CIO.

Further amendments have been made to the SCF Part 2 to include :

  • Amendments to Appendix G to update Security Self-Assessment (SSA) Question I from questions relating to G3.20 (Duty to Notify) to questions on the remediation of identified Vulnerabilities.
  • An amendment to Appendix B to clarify what the User CIO might expect to see with regards to good industry practice for testing schedules for compliance with G5.19.

The SECAS Validation Workbook has been updated to include the new SSA questions. You can find the new SECAS Validation Workbook (v2.1) here.

If you have any questions on the above, please contact

Thank you