Standard vs. Framework
Definition
A standard is a specification, published by an institution with the standing to publish it, that prescribes requirements against which a subject can be assessed and a determination rendered. A framework is an organized set of considerations, principles, or domains intended to guide analysis, planning, or judgment, but which does not by itself prescribe the criteria against which a determination is rendered. A standard produces findings; a framework produces orientation.
Notes
Both are useful; they do different work. The NIST Cybersecurity Framework is a framework — it organizes cybersecurity considerations into functions and categories that practitioners use to structure programs, but it does not prescribe the criteria against which a cybersecurity posture is found compliant or non-compliant.[1] ISO/IEC 27001 is a standard — it prescribes requirements for an information security management system against which an organization is certified or not certified.[2] The COSO Internal Control — Integrated Framework is a framework — it organizes the components of internal control; the auditing standards under PCAOB and the assessment requirements under SOX 404 are the standards against which controls are evaluated.[3]
The distinction matters for the architecture of an institution. A body that publishes frameworks is in the orientation business; a body that publishes standards is in the determination business. The disciplines are different — public methodology, due process for changes, governance over interpretation, inspection of consistent application. A framework can be adopted; a standard must be applied. The Operational Suitability Standard is a standard. It prescribes the criteria against which the Operational Readiness Assessment renders its finding. The Trust Fabric is a framework — it organizes the domains in which Operational Suitability must be established. Both are necessary; conflating them collapses the institutional discipline that each requires.
See also
Methodology Authority · Operational Suitability · Trust Fabric · Operational Readiness Assessment
References
- [1] National Institute of Standards and Technology, NIST Cybersecurity Framework 2.0, NIST CSWP 29 (February 26, 2024). nist.gov
- [2] International Organization for Standardization & International Electrotechnical Commission, ISO/IEC 27001:2022 — Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements. iso.org
- [3] Committee of Sponsoring Organizations of the Treadway Commission, Internal Control — Integrated Framework (2013). coso.org