The Ultimate Guide to Governance Frameworks

If you are new to leading tech teams, you may have heard about governance but were unsure what it is or how it applies to IT or building software. Put simply, governance gives your team structure, guidelines, and ways to measure success.

From IT governance to risk management, quality control to cybersecurity, there’s a governance framework for nearly every aspect of your organization. This blog post will provide a comprehensive overview of the most widely used frameworks, empowering you to select the ones that best fit your needs.

I’ve compiled this list as a starting point for understanding the ecosystem of governance frameworks, and for getting a better sense of where each one best applies to businesses at different stages of their journey.

Core Governance Frameworks

  • COSO (Committee of Sponsoring Organizations): A comprehensive framework for internal control and enterprise risk management (ERM). COSO helps organizations establish sound oversight, effective risk mitigation, and ethical conduct across operations.

  • ISO/IEC 38500 (Corporate Governance of Information Technology): Provides principles and a framework for executives and boards to evaluate, direct, and monitor their organization’s use of IT.

  • ISO/IEC 20000 (IT Service Management, ITSM): An international standard focused on defining and managing the quality of IT services. It outlines best practices for aligning IT services with business needs.

  • ITIL (Information Technology Infrastructure Library): A widely used ITSM framework. ITIL provides detailed guidance on processes and practices for delivering and managing IT services throughout their lifecycle.

Project Management Frameworks

  • PRINCE2 (Projects in Controlled Environments): A structured, process-based project management methodology widely used in the UK and Europe. Emphasizes planning, control, and organization.

  • PMBOK (Project Management Body of Knowledge): A guide, rather than a strict methodology, outlining project management knowledge areas and processes. Published by the Project Management Institute (PMI), it’s widely recognized.

Enterprise Architecture Framework

  • TOGAF (The Open Group Architecture Framework): A high-level approach to designing, planning, implementing, and governing an enterprise’s IT architecture. Aids in aligning IT with business goals.

Process Improvement Frameworks

  • CMMI (Capability Maturity Model Integration): Helps organizations improve process maturity across various areas (e.g., development, services). Emphasizes continuous improvement with levels of capability and maturity.

  • NIST (National Institute of Standards and Technology) Cybersecurity Framework: A voluntary framework focused on managing cybersecurity risk. Provides a structure for organizations to assess and improve their ability to prevent, detect, and respond to cyber threats.

  • BiSL/DID (Business Information Services Library/Data, Information, Decisions): Frameworks focused on functional management (BiSL) and information management (DID) in organizations.

Agile Framework

  • Agile: An umbrella term for iterative and incremental software development methodologies (e.g., Scrum, Kanban). Agile emphasizes flexibility, collaboration, and delivering working software frequently.

Quality & Security Frameworks

  • ISO 27000 Series: A family of standards focused on information security management systems (ISMS). ISO 27001 is the core standard outlining ISMS requirements.

  • TQM (Total Quality Management): A management philosophy focusing on continuous improvement across all organizational processes through customer focus.

  • Six Sigma: A data-driven quality improvement methodology aimed at reducing defects and variability in processes.

  • LEAN: Focuses on maximizing customer value while minimizing waste in processes. Emphasizes streamlining and flow.

  • ISO 9000 Series: Quality management standards that provide a framework for consistent product and service quality.

Specialized Frameworks

  • Val IT: A governance framework focused on value creation from IT investments.

  • FAIR (Factor Analysis of Information Risk): A framework for quantifying and managing information security and operational risk.

  • DEFT: A streamlined framework tailored for small to medium-sized enterprises focused on IT governance and processes.

IT Governance Frameworks

  • COBIT (Control Objectives for Information and Related Technologies): Issued by ISACA, COBIT focuses on IT governance and management. It provides goals and processes for aligning IT with business objectives.
  • IT4IT: An open standard from The Open Group, providing a vendor-neutral reference architecture and value chain model for managing the business of IT.

Risk Management Frameworks

  • ISO 31000 (Risk Management): Provides guidelines and principles for managing risk across an organization.
  • NIST Risk Management Framework (RMF): A comprehensive framework designed specifically for the US federal government, but with broader applicability, emphasizing cybersecurity risk management.

Security Frameworks

  • PCI DSS (Payment Card Industry Data Security Standard): Mandatory for organizations handling credit card information, ensuring secure processing, storage, and transmission of cardholder data.
  • CIS (Center for Internet Security) Controls: A prioritized set of actions for cyber defense. Provides specific best practices to mitigate common cyber-attacks.

Compliance Frameworks

  • HIPAA (Health Insurance Portability and Accountability Act): US law governing the privacy and security of protected health information (PHI).
  • GDPR (General Data Protection Regulation): European Union regulation focused on data privacy and protection for individuals within the EU.
  • SOX (Sarbanes-Oxley Act): US law centered on financial reporting and internal controls within publicly traded companies.

Industry-Specific Frameworks

  • FFIEC Cybersecurity Assessment Tool: A framework used by US regulatory bodies to assess financial institutions’ cybersecurity maturity and preparedness.
  • NIST Framework for Improving Critical Infrastructure Cybersecurity: Specific for US critical infrastructure sectors, promoting a risk-based approach to cybersecurity.
Governance frameworks are essential for organizations to manage risk, ensure compliance, and align IT with business objectives. They provide a structured approach to managing and improving processes, services, and security. By understanding the various frameworks available, you can select the ones that best fit your organization’s needs and goals.

In coming posts I hope to dive deeper into some of these frameworks, and provide more practical advice on how to implement them in your organization.