Choosing a framework

The Framework Library has 80+ frameworks. Picking the right one is the first decision of the Diagnose phase — it determines what gets scored, what the gaps are, and what the deck says. This page is a practical guide to that choice.

Start from the engagement's objective

Match the framework to what the engagement is for, not just the standard you know best.

| If the engagement is about… | Reach for… |
|---|---|
| Passing or preparing for a specific audit or certification | The matching Standard — e.g. SOC 2, ISO/IEC 27001, ISO 9001, B Corp |
| Meeting a regulator's expectations | The matching Regulation — e.g. EU AI Act, FCA Consumer Duty, CSRD / ESRS, HIPAA |
| Benchmarking capability and building a roadmap | A maturity Model — e.g. NIST CSF, DevOps & DORA, Customer Experience, Organizational Health |

Each framework page is tagged Standard, Model, or Regulation at the top, and has a When to use it section with the concrete triggers that make it the right pick.

Account for the client's jurisdiction

Many frameworks have a UK-specific counterpart, flagged UK-specific on the page. When the client operates in the UK — especially in regulated sectors — prefer the local scheme:

Browse by practice

If you know the domain but not the framework, open the practice and scan its catalogue — each lists every framework with a one-line "use it when":

You can run more than one

Frameworks aren't mutually exclusive. A single engagement often runs several — for example an ISMS readiness review alongside a privacy assessment, or a maturity model to set the roadmap and a regulation to test compliance. You can select multiple frameworks in Diagnose, and each produces its own scored, cited findings.

When nothing fits: author your own

If your firm's methodology isn't represented, encode it as a custom framework on the Enterprise plan — see Framework Authoring.