A framework is a tool that enables an organization to establish a roadmap for reducing technology security risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities. The framework design is the key for organizations to move from their Current State to their Target State, with the ability to identify gaps and prioritize those gaps based on risk assessment.
The ISO standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size, or nature.
ISO/IEC 27000 describes the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005), with related terms and definitions. The objective of the ISO framework is to provide a common platform on which to compare each division's technology risk readiness, policy/procedure implementation, and compliance with regulations. The ISO governance, risk, and compliance standard provides an out-of-the-box framework, focused on non-technology security controls, that is ready to implement. The framework is mapped to multiple IT security frameworks around the world and is globally accepted. eInnosec experts have published on ISO 27001; please refer to the link below for further details.