Glossary

What is a Framework?

Key takeaway

A framework is a structured set of guidelines and controls organizations follow to manage security and compliance. Common examples include ISO 27001, SOC 2, and NIST CSF.

What is a Framework?

A framework is a structured set of guidelines, controls, and best practices that organizations follow to manage security, risk, and compliance. Frameworks provide a common language and systematic approach for identifying risks, implementing safeguards, and demonstrating due diligence to auditors, customers, and regulators.

What are common compliance frameworks?

  • ISO 27001 — an international standard for information security management systems (ISMS) with a risk-based approach to protecting information assets.
  • SOC 2 — an attestation framework developed by the AICPA based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is required in every SOC 2 report; the other four criteria are included at the organization's election, and the result is an auditor's report rather than a certificate.
  • HIPAA — a US law that sets requirements for protecting health information, including the Security Rule and Privacy Rule.
  • PCI DSS — a standard maintained by the PCI Security Standards Council for organizations that store, process, or transmit payment card data.
  • NIST CSF — a voluntary framework published by the National Institute of Standards and Technology that provides a common taxonomy for managing cybersecurity risk, organized around the functions Govern, Identify, Protect, Detect, Respond, and Recover.

What is the difference between a framework, a standard, and a regulation?

These terms are often used interchangeably but have important distinctions:

  • Framework — a flexible structure of guidelines that can be adapted to an organization's context (e.g., NIST CSF).
  • Standard — a more prescriptive set of requirements that can be certified against (e.g., ISO 27001).
  • Regulation — a legally binding requirement enforced by a governing body (e.g., HIPAA, GDPR).

How do you choose a framework?

When selecting a framework, consider:

  • Customer and market requirements — enterprise buyers often require SOC 2 or ISO 27001
  • Industry regulations — healthcare organizations must comply with HIPAA; payment processors with PCI DSS
  • Geographic scope — GDPR for organizations handling EU data
  • Organizational maturity — NIST CSF is often a good starting point for organizations new to formal security programs

How does episki help with compliance frameworks?

episki supports multiple frameworks in a single workspace, allowing organizations to map controls across standards and reuse evidence. Learn more on our compliance platform.

See how episki handles this

Start a free trial and explore controls, evidence, and automation firsthand.