The Real Difference Between Frameworks and Compliance

Published On: August 15, 2017

August 14, 2017
Ed Snodgrass, CISO, Secure Digital Solutions

Frameworks are important. They lay the foundation for what will eventually be built. Whether building a structure, a vehicle, a medical device or a security program, the need to begin construction using an established set of requirements is critical. It allows for standardization of approach, measurement of quality and improvement over time.

Within the information security space, there are several established frameworks available. Some, such as ISO 27001, have been around for many years. Others are relatively new. The NIST Cybersecurity Framework (CSF) is a good example of a recently released framework that is steadily growing in popularity among security leaders. All provide an excellent starting point when building or improving an information security program and allow a leader to choose the framework (or frameworks) best suited to accomplishing organizational security objectives.

Interestingly, there also exists an industry notion of ‘compliance’ with these frameworks. This is a misnomer. Compliance obligations are typically established by governing entities and have associated penalties if evidence of compliance cannot be demonstrated.

Frameworks, by comparison, are a collection of best practices designed to provide the building blocks upon which to create or improve information security functions. There are no ‘official’ penalties if you choose not to implement a framework, but there are tremendous advantages gained by putting a framework in place.

The security program can be categorized into enterprise-level functions. Each function can be assigned a responsible owner, and strategic objectives can be established, built, monitored and communicated. Performance of the program's key functions can be assessed against enterprise risk and compliance obligations. People, process and technology can be aligned in a strategic fashion, rather than attempting to address multiple risks or compliance obligations individually in a more tactical manner.

TrustMAPP empowers IT and security leaders to quickly build a prioritized, strategic roadmap. Its ease of use and flexibility provide leaders a platform to measure and manage the foundational building blocks of their programs. Leaders in multiple industries are using TrustMAPP to assess and measure their organizations' capability to mitigate enterprise risk and to achieve and maintain alignment with their compliance requirements. With built-in analytics and clear, concise reporting capabilities, leaders can communicate the capacity and status of their programs to executive leadership and to the Board of Directors without the need for spreadsheets and hundreds of hours of manual effort. To begin building a NIST CSF roadmap, download our white paper entitled “Roadmap to Success”.
