To meet security and privacy requirements, many organizations adopt control frameworks to provide a governance program that is:
- Consistent: An IT governance program must be consistent with enterprise executive guidance and expectations regarding organizational information security and data privacy protection goals.
- Measurable: The governance program must provide a way to determine progress and set goals. Most control frameworks contain an assessment standard or procedure to determine compliance and, in some cases, risk as well.
- Standardized: A control framework should rely on standardized measures so that results from one organization, or from one part of an organization, can be compared in a meaningful way.
- Comprehensive: The selected framework should cover the minimum legal and regulatory requirements of an organization and be extensible to accommodate additional organization-specific requirements.
- Modular: A modular framework is more likely to withstand organizational change, because only the controls or requirements that need modification are reviewed and updated.
Useful references for establishing appropriate control frameworks include Governance of Information Security (ISO 27014:2013) and Governance of Information Technology (ISO 38501:2015).