Choosing a framework
The Framework Library has 80+ frameworks. Picking the right one is the first decision of the Diagnose phase — it determines what gets scored, what the gaps are, and what the deck says. This page is a practical guide to that choice.
Start from the engagement's objective
Match the framework to what the engagement is for, not just the standard you know best.
| If the engagement is about… | Reach for… |
|---|---|
| Passing or preparing for a specific audit or certification | The matching Standard — e.g. SOC 2, ISO/IEC 27001, ISO 9001, B Corp |
| Meeting a regulator's expectations | The matching Regulation — e.g. EU AI Act, FCA Consumer Duty, CSRD / ESRS, HIPAA |
| Benchmarking capability and building a roadmap | A maturity Model — e.g. NIST CSF, DevOps & DORA, Customer Experience, Organizational Health |
Each framework page is tagged Standard, Model, or Regulation at the top, and has a When to use it section with the concrete triggers that make it the right pick.
Account for the client's jurisdiction
Many frameworks have a UK-specific counterpart, flagged UK-specific on the page. When the client operates in the UK — especially in regulated sectors — prefer the local scheme:
- Cybersecurity — Cyber Essentials, NCSC CAF, NHS DSPT
- Finance & Risk — FCA Operational Resilience, FCA Consumer Duty, SM&CR, UK Corporate Governance Code
- Technology / public sector — GDS Service Standard, NHS DTAC
- Operations / healthcare — CQC Fundamental Standards, Clinical Safety (DCB0129/0160)
- Sustainability — UK SDR & SECR
- Data & AI — UK AI Regulation (DSIT), UK GDPR
Browse by practice
If you know the domain but not the framework, open the practice and scan its catalogue — each lists every framework with a one-line "use it when":
- Cybersecurity · Data & AI · Technology · Finance & Risk · Operations · Growth · Strategy & Transformation · Sustainability · Human Capital
You can run more than one
Frameworks aren't mutually exclusive. A single engagement often runs several — for example an ISMS readiness review alongside a privacy assessment, or a maturity model to set the roadmap and a regulation to test compliance. You can select multiple frameworks in Diagnose, and each produces its own scored, cited findings.
When nothing fits: author your own
If your firm's methodology isn't represented, encode it as a custom framework on the Enterprise plan — see Framework Authoring.