Chapter 1

What is a Compliance Framework?

Defines what a framework actually is, the components every framework has in common, and why organisations adopt them in the first place.

2 min read. Last updated 30 April 2026

What is a Compliance Framework?

A compliance framework is a structured set of requirements an organisation can adopt to demonstrate that it manages risk, protects information, or operates according to a defined standard. ISO 27001, NIST CSF, SOC 2, PCI-DSS — these are all frameworks. They look different on the surface, but they share a common shape.

The three building blocks

Every framework, no matter the publisher, breaks down into the same three layers:

  • Requirements — the what. A statement like "the organisation shall maintain an inventory of information assets" or "access to systems shall be limited based on the principle of least privilege". The framework's table of contents.
  • Controls — the how. A control is a specific safeguard that helps satisfy one or more requirements. "Quarterly access review" is a control. "MFA on all admin accounts" is a control. The same control can satisfy requirements from multiple frameworks at once.
  • Evidence — the proof. Documentation, screenshots, logs, signed policies — anything that demonstrates a control is operating effectively.

In Blankitt GRC, requirements live in the framework hierarchy (itsm_compliance_frameworks and its sections), controls live in your control library, and evidence is uploaded to R2 and linked back to controls.
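As an added illustration of the three layers and of one control satisfying requirements in two frameworks at once (example code written for this page, not Blankitt GRC's own data model or API; the framework names, requirement labels, control names and evidence file names below are constructed):

```python
from dataclasses import dataclass, field

# Constructed sample data: two frameworks, each with a handful of requirement labels.
FRAMEWORKS = {
    "ISO 27001": ["A.5.9 asset inventory", "A.8.2 privileged access", "A.8.15 logging"],
    "SOC 2": ["CC6.1 logical access", "CC6.2 access provisioning", "CC7.2 monitoring"],
}

@dataclass
class Control:
    name: str
    satisfies: list                                # (framework, requirement) pairs
    evidence: list = field(default_factory=list)   # evidence items linked to the control

    def is_operating(self) -> bool:
        # A control only counts once at least one piece of evidence backs it.
        return len(self.evidence) > 0

CONTROLS = [
    Control("Asset register reviewed quarterly",
            [("ISO 27001", "A.5.9 asset inventory")], ["asset-register-2026Q1.xlsx"]),
    Control("MFA on all admin accounts",                      # one control, two frameworks
            [("ISO 27001", "A.8.2 privileged access"), ("SOC 2", "CC6.1 logical access")],
            ["idp-mfa-policy-screenshot.png"]),
    Control("Quarterly access review",                        # no evidence uploaded yet
            [("ISO 27001", "A.8.2 privileged access"), ("SOC 2", "CC6.2 access provisioning")]),
    Control("Central log collection with alerting",
            [("SOC 2", "CC7.2 monitoring")], ["siem-alert-export.csv"]),
]

def coverage(frameworks=FRAMEWORKS, controls=CONTROLS):
    """Return {framework: {requirement: [names of operating controls]}}; an empty list is a gap."""
    report = {fw: {req: [] for req in reqs} for fw, reqs in frameworks.items()}
    for c in controls:
        if not c.is_operating():
            continue   # a control without evidence gives no assurance, so it does not count
        for fw, req in c.satisfies:
            if fw in report and req in report[fw]:
                report[fw][req].append(c.name)
    return report

def gaps(frameworks=FRAMEWORKS, controls=CONTROLS):
    """Requirements in each framework with no evidence-backed control behind them."""
    return {fw: [req for req, names in reqs.items() if not names]
            for fw, reqs in coverage(frameworks, controls).items()}

if __name__ == "__main__":
    for fw, missing in gaps().items():
        print(f"{fw}: {len(missing)} requirement(s) without an operating control -> {missing}")
```

Note that "Quarterly access review" is mapped to requirements but has no evidence, so both of the requirements it would satisfy stay open until the evidence is linked; this is the evidence layer doing its job.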

Why organisations adopt frameworks

There are four typical drivers:

  1. Regulators — some frameworks are legally required. GDPR, HIPAA, PCI-DSS for card data. No choice; non-compliance carries fines.
  2. Customers — your largest customers may demand SOC 2 or ISO 27001 before they'll sign a contract. The framework becomes a sales prerequisite.
  3. Auditors — once you've published a SOC 2 report or ISO 27001 certificate, you've made a public commitment. An external auditor verifies on a schedule.
  4. Internal discipline — a framework gives your security and ops teams a shared vocabulary and a roadmap. Even without external pressure, this alone is often worth the cost.

Frameworks aren't a checklist

A common misconception: "we'll be compliant when we tick all the boxes". The boxes are necessary but not sufficient. A framework describes the minimum shape of a working programme — it doesn't prescribe the depth of your controls, the rigour of your testing, or the seriousness with which you respond to findings.

Two organisations can both be ISO 27001 certified and have wildly different security postures. The framework is a floor, not a ceiling.

What's next

The next chapter walks through how to choose a framework that fits your organisation. After that, we tour ISO 27001 and NIST CSF in depth, then close with a worked example of mapping a single control to multiple frameworks at once.