The Real Difference Between Frameworks and Compliance

Published On: August 15, 2017

August 14, 2017
Ed Snodgrass, CISO, Secure Digital Solutions

Frameworks are important. They lay the foundation for what will eventually be built. Whether building a structure, a vehicle, a medical device or a security program, the need to begin construction using an established set of requirements is critical. It allows for standardization of approach, measurement of quality and improvement over time.

Within the information security space, there are several established frameworks available. Some, such as ISO 27001, have been around for several years. Others are relatively new. The NIST Cybersecurity Framework (CSF) is a good example of a recently released framework that is steadily growing in popularity among security leaders. All provide an excellent starting point when building or improving an information security program and allow for a leader to choose a framework (or frameworks) best suited to accomplish organizational security objectives.

Interestingly, there is also an industry notion of ‘compliance’ with these frameworks. This is a misnomer. Compliance obligations are typically established by governing entities and carry penalties if evidence of compliance cannot be demonstrated.

Frameworks, by comparison, are a collection of best practices designed to provide the building blocks upon which to create or improve information security functions. There are no ‘official’ penalties if you choose not to implement a framework, but there are tremendous advantages gained by putting a framework in place.

The security program can be categorized into enterprise-level functions. Each function can be assigned a responsible owner, and strategic objectives can be established, built, monitored and communicated. Performance of the program's key functions can then be assessed against enterprise risk and compliance obligations. People, process and technology can be aligned strategically, rather than addressing multiple risks or compliance obligations one at a time in a more tactical manner.

TrustMAPP empowers IT and Security Leaders to quickly build a prioritized, strategic roadmap. Its ease of use and flexibility provide leaders a platform to measure and manage the foundational building blocks of their programs. Leaders in multiple industries are using TrustMAPP to assess and measure their organizations' capability to mitigate enterprise risk and to achieve and maintain alignment with their compliance requirements. With built-in analytics and clear, concise reporting, leaders can communicate the capacity and status of their programs to executive leadership and to the Board of Directors without spreadsheets and hundreds of hours of manual effort. To begin building a NIST CSF roadmap, download our white paper entitled “Roadmap to Success”.
