
Coming Soon to a Bookshelf Near You (....or not): The ABCs of Customized Frameworks

Natasha Vasileva
March 28, 2024
Learn with anecdotes why customizable frameworks can help improve your Compliance posture

Let’s talk about books – because, to be honest, who doesn’t enjoy the opportunity to sit back and relax with a great book? Now consider the books themselves – they can be just so incredibly different from each other — from covers and chapters, to genres and plots. Some may be good to have in your home library, to read from time to time, while others, you’d go back to almost every single day.

And when it comes to organizing your beloved books, you probably place your dearest on eye-level for easier access, whereas less favorite ones will sit higher or lower. In essence, what you end up with is a customized library, designed in a way that responds to your needs precisely. The customized bookshelf of your dreams, if you will.

Your Fave Books = Your Customized Framework

It’s well known that here at anecdotes, we love a good analogy so you know there’s a lead-in to Compliance somewhere here.

Today, we’re exploring customizable frameworks. A customizable framework is any framework in use that is not based on a specific standard or regulation, but is instead tailored to the specific needs of an organization. Such a framework is most often composed of the essential controls from the organization’s compliance program, typically a mix of governance-related controls and technical controls. Alternatively, a custom framework may consist solely of technical controls drawn from critical systems, so as to perform continuous monitoring of business-critical assets. It’s also important to note that few organizations adopt a framework’s controls entirely out of the box when they are trying to cover the full scope of their security, because some frameworks miss things entirely and do not accurately represent the full picture of the company. Hence the need for, ya know, customization.

SOC 2, ISO 27001, and other frameworks are great for audits that are scheduled a few years in advance. However, on a day-to-day basis, you need a certain number of books – errr, controls – to be able to stay on top of your Compliance posture and extract relevant insights any time you want. This important step is key to having continuous control monitoring over your organization and can become the foundation of being able to "test once, use many times", which will ultimately reduce audit burdens, allowing you to focus on more important things, like overall posture and maturity.

It’s like that shelf in your library with only your most carefully hand-picked and beloved books. This shelf is sacred; if a book gets placed there, you know it's a really special one. While books on other shelves may be opened only once in a while (like once or twice a year), those on “the sacred shelf” draw your attention almost every day — reading them makes you a better, more capable person.

Why Do You Need a Customizable Framework?

Well, the first reason is simple — controls tend to overlap across established frameworks, which is one of the reasons customized frameworks became a thing in the first place: Compliance leaders in companies with extensive tech stacks and diverse product lines are used to managing a big pile of frameworks, and thus a big pile of controls. On top of that, they typically have a list of their own unique business requirements. To streamline their daily activities, they create custom lists that combine the overlapping controls (the ones that require the same evidence) with the above-mentioned unique business controls.

Another situation in which you may want to leverage a customized framework is audit prep. In such cases, an auditor may lay out a single list of controls instead of giving you three different lists, which would only take up your time linking the same repetitive evidence to each control, siloed by framework.

Lastly, and this goes back to that maturity thing, with customized frameworks you can tailor your program to mirror your organization while still being able to map evidence to it, whether that evidence is custom or out-of-the-box.

Conclusion

Customized frameworks make your daily Compliance efforts or audit preparation more structured and palatable, and less time consuming and tiresome, so you can concentrate on important undertakings, like improving your Compliance posture. With all that extra time, maybe you can put it towards building that bookshelf you've always wanted – or write your own best seller, The Life and Times of a Compliance Leader. Who knows – maybe it’ll end up on someone else’s carefully curated bookshelf one day.

Natasha Vasileva
Travel enthusiast, book worm and marketing lover❤️. Hates onions. Don't ask why.