What is a compliance framework
A framework is an extensible structure for describing a set of concepts, methods, and technologies as an integrated set of policies and procedures designed to assist management in achieving its goals and objectives. Therefore, a compliance framework is the structure you build around your compliance program.
Frameworks have become a necessary means to distill and harmonize the various controls forced upon the IT world as a result of the increasing number of regulatory guidelines burdening today's organizations. It is not uncommon for a single mid-sized organization to fall under Gramm-Leach-Bliley, HIPAA, PCI-DSS, and multiple state and international privacy regulations.
No matter how many regulatory guidelines an organization falls under, each organization must do the following:
1. Review each authority document.
2. Determine the IT control requirements specific to that document.
3. Determine if those controls are in-scope for their organization and the information they manage.
4. Implement the appropriate in-scope controls.
5. Conduct a series of audits to ensure the organization's compliance level.
Frameworks provide assistance for this process by creating a set of controls that can (hopefully) encompass, or at least accommodate, the various regulatory statutes that crop up. In so doing, the statute can then be compared to the framework, and where the two match, the organization following the framework can attest that it has put into place controls that meet those found in the statute. For instance, NIST 800-53 is a widely known and used IT control framework within the US. It has more controls defined than does the HIPAA statute, and therefore can be (and is) used by many as a base framework to which the HIPAA statute's controls can be correlated.
In short, a compliance framework is a way of developing common IT controls that can be used across multiple regulatory statutes.
