- A Framework Assessment comments on the Football Stadium. Is it big enough? Enough parking? Should it have a roof? A removable roof? An inflatable roof? What about food service?
- Vulnerability Assessments are the coaches and the team. They’re the ones who actually do stuff, in a public park or in Fenway Park.
There are as many different approaches to a Framework Assessment as there are models of cars. They all compare the client’s processes (committees, reports, flow of information, all of it) against those suggested by NIST or ISO. All of these Assessments are good and true, just as all cars have four wheels, an engine, a steering wheel and so on. The difference is the level of detail you, the client, are willing to pay for, like the difference between a Toyota Yaris and a Rolls Royce Phantom. They both get you there.
C-Suite overseers and your Board of Directors like Framework Assessments because they go directly to a Board Member’s primary job: oversight. For a board member, a Framework Assessment is the primary tool to show that they have been both diligent and effective in overseeing the company’s key responsibilities, and therefore not negligent.
Our CEO used to work for McKinsey. We like Framework Assessments, particularly of the more compact and get-to-the-point kind. For the large wide-sweeping look-at-everything IMAX kind, KPMG, PWC and many other very large firms will be a better bet for you.
What a Framework Assessment does NOT do is (a) measure your company’s risks, (b) identify where they come from, and (c) determine how best to reduce them. For that, you need something very different: a Vulnerability Assessment.