Framework Assessments

There is often confusion about how a Framework Assessment is different from a Vulnerability Assessment. A good analogy comes from sports:

  • A Framework Assessment comments on the Football Stadium. Is it big enough? Enough parking? Should it have a roof? A removable roof? An inflatable roof? What about food service?
  • Vulnerability Assessments are the coaches and the team. They’re the ones who actually do stuff, in a public park or in Fenway Park.
Framework studies are done by comparing the client to the process suggested by some expert. In the US, the NIST framework is, by far, the most commonly used because of how complete, detailed, and documented it is. NIST (National Institute of Standards and Technology) has documented this framework over a set of books which are all available from Amazon. In the rest of the world, it is the ISO 31000 or 27000 Frameworks. ISO is headquartered in Geneva.

There are as many different approaches to a Framework Assessment as there are models of cars. They all look at the processes (committees, reports, flow of information, all of it) of the client against those suggested by NIST or ISO. All of these Assessments are good and true, just as all cars have four wheels, an engine, a steering wheel, etc. The difference is the level of detail you, the client, are willing to pay for, like the difference between a Toyota Yaris and a Rolls-Royce Phantom. They both get you there.

C-Suite overseers and your Board of Directors like Framework Assessments because they go directly to a Board Member’s primary job: oversight. For a board member, a Framework Assessment is the primary tool to ensure that they have been both diligent and effective in overseeing the company’s key responsibilities, and therefore not negligent.

Our CEO used to work for McKinsey. We like Framework Assessments, particularly of the more compact, get-to-the-point kind. For the large, wide-sweeping, look-at-everything IMAX kind, KPMG, PwC and many other very large firms will be a better bet for you.

What a Framework Assessment does NOT do is (a) measure your company’s risks, (b) identify where they come from, and (c) determine how best to reduce them. For that, you need something very different: a Vulnerability Assessment.