FAQ
Frequently Asked Questions
Everything you need to know about our services and policies.
How does SCMC concretely save time in day-to-day work?
What does SCMC do better than Excel or manual documentation?
How does SCMC support audit readiness and traceability?
How does SCMC improve collaboration between business, security, and management?
Is training required?
What is the main benefit for consulting firms?
Is SCMC also useful for smaller organizations?
Can multiple people work on the same project?
How does SCMC create long-term value?
How does SCMC prevent previous work from being lost?
How is our data protected?
How many projects can I create?
How many times can I answer the same questions?
Can I compare my answers with earlier submissions?
If I try to add a second passkey, nothing happens. Is this an error?
Glossary
What do the key terms mean?
Compact definitions across information security, compliance, AI governance, and data protection, usable as a quick reference.
- ISMS: Information Security Management System. Structured framework of policies, processes and controls that systematically governs information security. Core of ISO/IEC 27001.
- ISO/IEC 27001:2022: International standard for ISMS. The current version (2022) defines 93 Annex A controls grouped into four themes: Organizational, People, Physical, Technological.
- Annex A: Annex of ISO/IEC 27001 with the control catalog. In the 2022 version, Annex A contains 93 controls referenced from Risk Treatment Plans.
- SoA (Statement of Applicability): Mandatory document for ISO 27001. Lists every Annex A control, states whether it applies and justifies the selection.
- Maturity level: Quantitative measure of how fully a security control is implemented, usually on a 0 (not implemented) to 4 (optimized / consistently effective) scale.
- Gap analysis: Comparison between the current state and the target state of a standard or framework. Yields a concrete list of gaps and action areas.
- Audit readiness: The state in which evidence, process documentation and control assessments are organized so that an internal or external audit can proceed without lengthy preparation.
- Swiss ICT Minimum Standard: Swiss standard for ICT security published by BACS. Structured along the five NIST functions (Identify, Protect, Detect, Respond, Recover). Mandatory for critical-infrastructure operators under the ISG.
- ISG: Swiss Information Security Act. Revised version in force since 2025. Obliges certain operators of critical infrastructure to implement the ICT Minimum Standard.
- BACS: Federal Office for Cybersecurity (Switzerland). Publisher of the ICT Minimum Standard and national contact point for cyber incidents.
- NIST CSF 2.0: Cybersecurity Framework of the US National Institute of Standards and Technology, version 2.0 (2024). Six functions: Govern, Identify, Protect, Detect, Respond, Recover.
- NIS2: EU directive on measures for a high common level of cybersecurity (Network and Information Security Directive 2). Article 21(2) lists ten mandatory measure areas.
- ICS: Internal Control System. Structured framework of controls, ownership and evidence that safeguards business objectives and manages risk across finance, IT, operations and compliance.
- TOMs: Technical and organizational measures. In data protection: concrete safeguards for personal data, required by GDPR Art. 32 and the Swiss revFADP.
- DPIA: Data Protection Impact Assessment. Mandatory before processing activities with high risk to data subjects' rights and freedoms (GDPR Art. 35, revFADP Art. 22).
- revFADP: Revised Swiss Federal Act on Data Protection, in force since 1 September 2023. Aligns Swiss data protection law largely with GDPR, with Swiss-specific provisions.
- GDPR: EU General Data Protection Regulation (2016/679). Regulates processing of personal data in the EU, applicable to Swiss organizations with EU touchpoints.
- DPA: Data Processing Agreement. Contract under GDPR Art. 28 between controller and processor governing the processing of personal data.
- Record of Processing Activities: Mandatory record under GDPR Art. 30 / revFADP Art. 12. Documents all processing activities of an organization with purpose, data categories, recipients and retention.
- ISO/IEC 42001:2023: First international standard for AI Management Systems (AIMS). Defines requirements for governance, risk management and lifecycle of AI systems.
- EU AI Act: First comprehensive AI regulation in the EU (Regulation 2024/1689). Risk-based approach with prohibitions, GPAI obligations and high-risk AI requirements. Phased entry into force 2025–2027.
- GPAI: General Purpose AI. Under the EU AI Act: AI models with broad applicability (e.g. large language models). Specific obligations from August 2025, stricter for GPAI with systemic risk.
- High-risk AI: AI systems classified by the EU AI Act in sensitive use cases (recruiting, credit scoring, law enforcement, critical infrastructure). Requirements binding from August 2026.
- AI Literacy (EU AI Act Art. 4): Obligation in force since February 2025: providers and deployers of AI systems must ensure that involved staff have sufficient AI literacy, proportional to context and risk.
- NIST AI RMF 1.0: AI Risk Management Framework by NIST (US). Structured approach to identify, assess and manage AI risks through four core functions: Govern, Map, Measure, Manage.
- Threat Intelligence (A.5.7): New control in ISO/IEC 27001:2022 Annex A. Requires the collection, analysis and dissemination of threat information to respond proactively to cyber risks.
- Cloud Security (A.5.23): New control in ISO/IEC 27001:2022 Annex A. Governs the selection, use, management and termination of cloud services from a security perspective.
- 72-hour notification: Obligation under GDPR Art. 33 / revFADP: data breaches with risk to data subjects must be reported to the competent supervisory authority within 72 hours of becoming aware.
- Self-assessment: Structured self-evaluation of an organization's security or compliance maturity. Produces a documented baseline and action list; it does not replace an external audit or certificate.
- BSI standard: Standards published by the German Federal Office for Information Security (e.g. BSI 200-2 for IT-Grundschutz, 200-3 for risk analysis). Practical risk-management framework, often adapted in Switzerland.