The Real Difference Between Frameworks and Compliance
August 14, 2017
Ed Snodgrass, CISO, Secure Digital Solutions

Frameworks are important. They lay the foundation for what will eventually be built. Whether building a structure, a vehicle, a medical device or a security program, beginning construction from an established set of requirements is critical. It allows for standardization of approach, measurement of quality and improvement over time.

Within the information security space, there are several established frameworks available. Some, such as ISO 27001, have been around for several years. Others are relatively new. The NIST Cybersecurity Framework (CSF) is a good example of a recently released framework that is steadily growing in popularity among security leaders. All provide an excellent starting point when building or improving an information security program and allow a leader to choose the framework (or frameworks) best suited to accomplishing organizational security objectives.

Interestingly, there also exists an industry notion of ‘compliance’ with these frameworks. This is a misnomer. Compliance obligations are typically established by governing entities and carry associated penalties if evidence of compliance cannot be demonstrated.

Frameworks, by comparison, are a collection of best practices designed to provide the building blocks upon which to create or improve information security functions. There are no ‘official’ penalties if you choose not to implement a framework, but there are tremendous advantages gained by putting a framework in place.

The security program can be categorized into enterprise-level functions. Each function can be assigned a responsible owner, and strategic objectives can be established, built, monitored and communicated. Performance of the program’s key functions can be assessed against enterprise risk and compliance obligations. People, process and technology can be aligned in a strategic fashion, rather than addressing each risk or compliance obligation individually in a more tactical manner.

TrustMAPP empowers IT and security leaders to quickly build a prioritized, strategic roadmap. Its ease of use and flexibility provide leaders with a platform to measure and manage the foundational building blocks of their programs. Leaders in multiple industries are using TrustMAPP to assess and measure their organizations’ capability to mitigate enterprise risk and to achieve and maintain alignment with their compliance requirements. With built-in analytics and clear, concise reporting capabilities, leaders can communicate the capacity and status of their programs to executive leadership and to the Board of Directors, without spreadsheets and hundreds of hours of manual effort. To begin building a NIST CSF roadmap, download our white paper entitled “Roadmap to Success”.