    How It Works

    Graphletter turns uploaded evidence into structured compliance decisions by mapping content to SCF controls, testing against assessment objectives, and surfacing clear coverage and gaps.

    Need the fast version? Upload evidence; Graphletter maps it to SCF controls, evaluates it objective by objective, and returns coverage and prioritized gaps.

    1,264 SCF controls
    79 Frameworks
    25,957 Control mappings

    Workflow

    From document upload to compliance insight in six concrete steps.

    1. Upload an artifact

    What Happens

    You choose the documentation artifact and upload supporting evidence such as a policy, screenshot, or record.

    Why It Matters

    Artifact choice determines which SCF controls are evaluated first.

    Where You See It

    Upload Evidence dialog in Dashboard

    2. Extract evidence signals

    What Happens

    Text and visual content are extracted from your file so the system can evaluate actual claims, not just filenames.

    Why It Matters

    Reliable extraction is the foundation for accurate assessment outcomes.

    Where You See It

    Assessment progress and evidence history

    3. Map to SCF controls

    What Happens

    Graphletter links extracted evidence to relevant SCF controls and supporting graph atoms when reliable text extraction is available.

    Why It Matters

    One evidence artifact can support multiple controls and framework mappings.

    Where You See It

    Dashboard coverage and framework views

    4. Evaluate assessment objectives

    What Happens

    Each control is tested against SCF assessment objectives using pass, partial, fail, or not applicable results.

    Why It Matters

    Objectives make assessments testable and auditable instead of subjective.

    Where You See It

    Assessment Results and assessment review output

    5. Roll up control status

    What Happens

    Objective results are aggregated into control-level outcomes with confidence and reasoning.

    Why It Matters

    Control-level status is what drives priority decisions and reporting.

    Where You See It

    Analytics and control cards

    6. Project coverage and gaps

    What Happens

    Control outcomes are projected across mapped frameworks so you can see coverage and gaps quickly.

    Why It Matters

    You can prioritize remediation where it has the biggest cross-framework impact.

    Where You See It

    Compliance Overview and Framework Explorer
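
    Steps 4 to 6 as a small runnable sketch, added here as an example and not Graphletter's own code: objective results roll up to a control status, statuses are projected over control-to-framework mapping rows, and gaps are ranked by cross-framework impact. The roll-up rule, the control IDs and the mapping rows are assumptions made for the illustration.

```python
from collections import defaultdict

STATES = {"pass", "partial", "fail", "not applicable"}

def roll_up(objective_results):
    """Objective results -> one control status (assumed rule, not Graphletter's)."""
    unknown = set(objective_results) - STATES
    if unknown:
        raise ValueError(f"unknown result state(s): {sorted(unknown)}")
    scored = [r for r in objective_results if r != "not applicable"]
    if not scored:  # nothing scored: either every objective was N/A or none was tested
        return "not applicable" if objective_results else "not assessed"
    if all(r == "pass" for r in scored):
        return "pass"
    if all(r == "fail" for r in scored):
        return "fail"
    return "partial"  # any mix of pass/partial/fail

def project(control_status, mappings):
    """Project control statuses over (control, framework) mapping rows."""
    per_fw = defaultdict(dict)
    for control, framework in mappings:
        # Fail closed: a mapped control with no assessment is a gap, not a skip.
        per_fw[framework][control] = control_status.get(control, "not assessed")
    report = {}
    for fw, controls in per_fw.items():
        in_scope = {c: s for c, s in controls.items() if s != "not applicable"}
        gaps = sorted(c for c, s in in_scope.items() if s != "pass")
        covered = len(in_scope) - len(gaps)
        report[fw] = {"coverage": covered / len(in_scope) if in_scope else None,
                      "gaps": gaps}
    return report

def prioritize(report):
    """Rank gap controls by the number of frameworks they affect."""
    hits = defaultdict(int)
    for fw in report.values():
        for control in fw["gaps"]:
            hits[control] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample data: control IDs and mapping rows are placeholders.
OBJECTIVES = {"CTRL-A": ["pass", "pass", "not applicable"],
              "CTRL-B": ["pass", "fail"],
              "CTRL-C": ["fail", "fail"]}
MAPPINGS = [("CTRL-A", "SOC 2"), ("CTRL-B", "SOC 2"), ("CTRL-B", "ISO 27001"),
            ("CTRL-C", "ISO 27001"), ("CTRL-D", "ISO 27001")]
STATUS = {c: roll_up(r) for c, r in OBJECTIVES.items()}
REPORT = project(STATUS, MAPPINGS)
```

    In the sample, CTRL-D is mapped but has no assessment, so it is reported as a gap instead of being dropped from the coverage figure.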

    Result States

    How objective-level outcomes translate into action.

    pass

    Evidence clearly supports the objective or control requirement.

    Next: Keep evidence current and improve documentation quality if confidence is low.

    partial

    Evidence supports part of the requirement but important elements are missing or unclear.

    Next: Address the missing objective elements and upload updated evidence.

    fail

    Current evidence does not demonstrate the requirement is met.

    Next: Prioritize remediation, then upload stronger evidence mapped to the same controls.

    not applicable

    The objective does not apply to the provided evidence or current context.

    Next: Validate applicability assumptions and attach context for audit traceability.

    Maturity Levels

    SCF uses a Cybersecurity & Privacy Capability Maturity Model (C|P-CMM) with six levels. Graphletter assesses your evidence against these levels for each control.

    Level 0: Not Performed

    No evidence of a capability to implement the control. Processes are absent or entirely ad hoc.

    Level 1: Performed Informally

    Efforts are ad hoc and inconsistent. Controls may exist but lack formal documentation, ownership, or repeatable processes.

    Level 2: Planned & Tracked

    Efforts are requirements-driven and formally governed at a local or regional level, but not consistent across the organization.

    Level 3: Well Defined

    Efforts are standardized across the organization and centrally managed to ensure consistency. Policies, procedures, and metrics are documented and enforced.

    Level 4: Quantitatively Controlled

    Efforts are metrics-driven with sufficient management insight to predict performance and identify deviations proactively.

    Level 5: Continuously Improving

    Processes are optimized through continuous feedback loops, adapting to evolving threats and organizational changes.

    After assessment, each control shows its assessed maturity level, an optional target level with gap analysis, and AI-generated recommendations for reaching the next level.

    Core Terms

    Plain-language definitions with Graphletter context.

    SCF Control

    Definition: A specific security or privacy requirement from the Secure Controls Framework.

    In Graphletter: The base unit Graphletter maps evidence to before showing framework-level coverage.

    Where you see it: Control cards, framework explorer, exports

    SCF Assessment Objective

    Definition: A testable statement used to verify whether a control is actually satisfied.

    In Graphletter: Graphletter evaluates each objective separately and then rolls those results into a control-level status.

    Where you see it: Assessment Results and assessment review dialogs

    Assessment Procedure

    Definition: The expected method for checking whether an objective is met.

    In Graphletter: Used as structured guidance for how evidence should be interpreted during objective evaluation.

    Where you see it: Assessment objective data in API and detailed records

    Expected Results

    Definition: The condition or outcome that should be observable when a control is implemented correctly.

    In Graphletter: Compared against evidence claims to determine objective-level pass, partial, or fail outcomes.

    Where you see it: Assessment objective records and outputs

    Evidence Request List (ERL) Artifact

    Definition: A defined evidence artifact type that indicates what documentation is expected.

    In Graphletter: Selecting an artifact helps Graphletter identify relevant controls to assess first.

    Where you see it: Upload Evidence > Documentation Artifact

    Pass / Partial / Fail / Not Applicable

    Definition: Standard assessment outcomes describing whether evidence meets an objective.

    In Graphletter: Objective-level outcomes that roll up into control-level status and dashboard metrics.

    Where you see it: Assessment Results, control cards, reports

    Confidence Score

    Definition: An estimate of how strongly the current evidence supports an assessment result.

    In Graphletter: Used to flag weaker conclusions even when a control appears to pass.

    Where you see it: Assessment output, analytics, report exports

    Coverage vs Gap

    Definition: Coverage means evidence supports required controls; gaps are missing, weak, or conflicting support.

    In Graphletter: Graphletter classifies gaps to prioritize what evidence to add or improve next.

    Where you see it: Dashboard gap summary and priority controls

    Framework Mapping (SCF Normalization)

    Definition: SCF acts as a common layer that maps controls to many external frameworks.

    In Graphletter: One mapped evidence set can influence SOC 2, ISO 27001, NIST, and other framework views.

    Where you see it: Framework Explorer and framework-focused dashboard mode

    Data Model

    How Graphletter organizes compliance data under the hood.

    SCF Catalog

    • scf_controls — 1,200+ controls across 33 domains
    • scf_frameworks — 79+ regulatory standards
    • scf_control_mappings — cross-framework mapping table
    • scf_assessment_objectives — testable criteria per control
    • scf_evidence_request_list — required artifact types

    Evidence & Assessments

    • evidence — uploaded documents with extracted content
    • user_assessments — AI-generated compliance evaluations
    • Multi-tenant isolation via Row-Level Security

    Sources & Attribution

    SCF concepts are grounded in official SCF materials and linked for reference.

    Secure Controls Framework
    SCF Download and resource hub
    SCF release updates

    Ready to apply this? Start in the Dashboard or explore control mappings in Framework Explorer.

    Contact

    hello@graphletter.com
    © 2026 Graphletter