Difference Between Standards and Frameworks

The terms standard and framework have distinct differences and should not be used interchangeably. A standard is typically more rigid than a framework. A standard will typically outline a specific way of achieving a control objective. For example, a standard may say an application must use a complex password of at least eight characters.

A framework tends to provide broad guidance and allows flexibility on how to achieve the control objectives. A framework is designed to be applied across multiple situations and allows for more judgment. Part of the intent of a framework is to ensure that all core risk topics are considered and appropriately applied. For example, a framework may say that administrative accounts must have elevated authentication and be closely monitored.

Notice the contrast between a standard and a framework. The framework requires administrative accounts to have enhanced authentication but does not specify the “how.” This may mean the use of complex passwords, as in the example of the standard, or it may result in the use of multifactor authentication. As such, standards typically list a set of controls that are prescriptive and must be followed exactly, while frameworks tend to focus more on required outcomes, leaving it up to the organization to determine the best method of implementation.

Other terms you will come across as an auditor include policy, standards, procedures, guidelines, and baselines. For the purpose of this chapter, we will discuss standards and frameworks in detail. However, it is important to understand the basic content of each of these documents, which provide differing levels of guidance and rules. Table 4-1 gives examples of common documents that provide varying levels of guidance.

TABLE 4-1 Description of standards, procedures, guidelines, and baselines.

Title: Description

IT Policy: A set of rules on how technology assets within an organization should be used and operated. Additionally, a policy defines core roles and responsibilities.

Standards: Mandatory actions, explicit rules, or controls that are designed to support and conform to a policy. A standard should make a policy more meaningful and effective by including accepted specifications for hardware, software, or behavior. Standards should always point to the policy to which they relate.

Procedures: Written steps to execute policies through specific, prescribed actions; this is the "how" in relation to a policy. Procedures tend to be more detailed than policies. They identify the method and state, in a series of steps, exactly how to accomplish an intended task, achieve a desired business or functional outcome, and execute a policy.

Guidelines: An outline for a statement of conduct. This is an additional (optional) document in support of policies, standards, and procedures and provides general guidance on what to do in particular circumstances. Guidelines are not requirements to be met but are strongly recommended.

Baselines: Platform-specific rules that are accepted across the industry as providing the most effective approach to a specific implementation.

Think of standards and frameworks as a complementary pair in which a framework provides the structure and standards provide the rules within the confines of the framework. Consider the roadway system as a framework, with the traffic rules being the standard by which we operate the car.
