Scoping involves removing baseline security controls that are not applicable, such as removing privacy controls where private data is nonexistent, whereas;
Tailoring involves modifying the baseline to become more applicable, such as changing the application timeout requirement from 10 minutes of inactivity to five.
Supplementation involves adding platform-specific or environment-specific details to your controls, such as replacing the term “operating system” with “Windows”.