What is a Framework?

A framework is a structured set of guidelines, controls, and best practices that organizations follow to manage security, risk, and compliance. Frameworks provide a common language and systematic approach for identifying risks, implementing safeguards, and demonstrating due diligence to auditors, customers, and regulators.

Common compliance frameworks

  • ISO 27001 — an international standard for information security management systems (ISMS) with a risk-based approach to protecting information assets.
  • SOC 2 — a reporting framework developed by the AICPA based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
  • HIPAA — a US law that sets requirements for protecting health information, including the Security Rule and Privacy Rule.
  • PCI DSS — a set of security standards for organizations that handle payment card data.
  • NIST CSF — a voluntary framework published by the National Institute of Standards and Technology that provides a common taxonomy for managing cybersecurity risk.

Framework vs standard vs regulation

These terms are often used interchangeably but have important distinctions:

  • Framework — a flexible structure of guidelines that can be adapted to an organization's context (e.g., NIST CSF).
  • Standard — a more prescriptive set of requirements that can be certified against (e.g., ISO 27001).
  • Regulation — a legally binding requirement enforced by a governing body (e.g., HIPAA, GDPR).

Choosing a framework

When selecting a framework, consider:

  • Customer and market requirements — enterprise buyers often require SOC 2 or ISO 27001.
  • Industry regulations — healthcare organizations must comply with HIPAA; payment processors with PCI DSS.
  • Geographic scope — GDPR for organizations handling EU personal data.
  • Organizational maturity — NIST CSF is often a good starting point for organizations new to formal security programs.

How episki helps

episki supports multiple frameworks in a single workspace, allowing organizations to map controls across standards and reuse evidence. Learn more on our compliance platform.
