Chapter 2

Choosing a Framework for Your Organisation

A decision tree for picking the right starting framework based on industry, region, customer pressure, and organisational maturity.

3 min read. Last updated 30 April 2026

You don't pick a framework in the abstract. You pick one because something in the world is asking for it. Walk through the four pressures below, and the answer usually falls out.

Pressure 1 — Industry

Some industries have framework gravity wells. If you're operating in one, the choice is mostly made for you:

  • Healthcare (US) → HIPAA. Non-negotiable if you are a covered entity, or a business associate of one, handling protected health information.
  • Payments / card processing → PCI-DSS 4.0. Required by every card brand for anyone that stores, processes or transmits cardholder data.
  • US Federal business → FedRAMP if you sell a cloud service to federal agencies; NIST SP 800-171 / CMMC if you handle Controlled Unclassified Information as a defence contractor or subcontractor, whether your systems are on-prem or in the cloud. Required to win, and keep, the contract.
  • Critical infrastructure (energy, water, transport) → sector-specific frameworks (NERC CIP, AWIA, etc.) overlay the general ones.

If none of these apply, industry isn't your driver — move on.

Pressure 2 — Region

  • EU + UK → GDPR (EU GDPR, and the UK GDPR / Data Protection Act 2018 in the UK) for personal data is mandatory. Most orgs pair it with ISO 27001 for security posture, because GDPR demands "appropriate" security measures but does not define them.
  • California → CCPA / CPRA for personal data of California residents.
  • UK government supply chain → Cyber Essentials (entry) or Cyber Essentials Plus (deeper).
  • Australia, Singapore, etc. → local equivalents (Australian Privacy Act, Singapore PDPA) layer on top of the security framework you choose.

Region drives privacy framework choice. Security framework is usually a separate decision.

Pressure 3 — Customer demand

This is the most common driver for B2B SaaS. Your largest customer's procurement team sends a security questionnaire. The questionnaire asks "are you SOC 2 Type II certified?" or "do you have an ISO 27001 certificate?". (Strictly, SOC 2 is an attestation report issued by a CPA firm rather than a certificate, but procurement asks the question that way.) You can either bluff with a "no, but we follow best practices…" letter (works once, never twice) or get the report or certificate.

Practical rule of thumb:

  • Mostly US customers → SOC 2 Type II.
  • Mostly EU customers → ISO 27001.
  • Both → start with whichever your biggest current pipeline asks for, plan to add the other within 12 months. The control sets overlap heavily (the usual estimate is around 70%), so most of the evidence you collect for the first counts toward the second.

Pressure 4 — Maturity

If none of the above applies and you just want to put structure around your security programme, the maturity ladder is:

  1. Cyber Essentials (UK) or CIS Controls v8 IG1 (anywhere) — foundational hygiene. 6–12 weeks to implement. Cyber Essentials is a self-assessment with a modest certification fee (Plus adds an external test); CIS IG1 has no certification at all, so no certification cost.
  2. ISO 27001 — full ISMS. 6–12 months from a clean start to certification.
  3. Multi-framework — ISO 27001 + SOC 2 + a privacy framework. 12+ months and a dedicated GRC function.

Don't skip rungs. Adopting ISO 27001 with an immature programme produces an expensive certificate that doesn't change behaviour.

What you actually do in Blankitt GRC

Once you've picked a framework:

  1. Activate it on the Frameworks page. Blankitt's 9 built-in frameworks (NIST CSF 2.0, ISO 27001, Cyber Essentials, SOC 2, CIS Controls v8, PCI-DSS 4.0, GDPR, HIPAA, FedRAMP) come preloaded with their full section hierarchies.
  2. Walk through the section tree and map each section to existing controls in your library — or note it as a gap to address.
  3. Set a target compliance percentage and start working through the gaps.

The framework is the structure. Your controls are the substance.

Still stuck? Email support or open the support widget in the bottom-right.