devguard

Frameworks

Frameworks represent structured standards and regulatory guidelines that define principles and controls to safeguard information, ensure compliance, and reinforce organizational trust and accountability.

Overview

Frameworks provide the foundation for policies, assets, and risks within devguard, ensuring consistency and alignment with international and industry-specific requirements.

Official Frameworks

Official frameworks are provided and maintained by devguard. Their content cannot be edited by users; devguard updates them centrally over time, so you always have access to the most accurate and up-to-date versions of global standards and regulations.

Advantages of official frameworks:

  • Centralized maintenance – updates and corrections are applied globally
  • Immutable data – ensuring audit-proof compliance evidence
  • Cross-platform consistency – controls can be referenced across assets, policies, and risks

When you adopt an official framework, all of its controls become available for integration into your governance and compliance workflows.

Available Frameworks

  • Cloud Controls Matrix (CCM) v4.0 – Defines 197 cloud-specific security controls across 17 domains, aligned with ISO 27001 and NIST. Supports risk management and compliance for modern cloud environments, with updates for Zero Trust, DevSecOps, and shared responsibility models.

  • General Data Protection Regulation (GDPR) v2018 – EU data protection law with strict requirements on personal data handling, privacy rights, and cross-border data transfers.

  • GDPR Checklist v2018 – A practical checklist that translates GDPR's legal obligations into actionable steps, covering areas like consent, data rights, breach response, and third-party contracts.

  • HIPAA v1.0 – U.S. law setting national standards for protecting patient health information, requiring safeguards for privacy and security of medical data.

  • ISO/IEC 27001:2022 – Defines requirements for an ISMS with a focus on leadership, continual improvement, and risk management. Includes Annex A with 93 controls grouped into four control themes.

  • ISO/IEC 27001:2022/Amd. 1:2024 – Introduces attributes for cybersecurity concepts and domains to enhance control mapping and alignment with ISO/IEC 27002:2022.

  • ISO/IEC 27001:2013 – Defines a risk-based approach to ISMS management with 114 controls grouped into 14 domains.

  • ISO/IEC 27002:2022 – Consolidates 93 controls into four themes with modern attributes for cybersecurity concepts and flexible control selection.

  • ISO/IEC 27002:2013 – Companion to ISO/IEC 27001:2013, providing implementation guidance for Annex A's 114 controls.

  • NIST Cybersecurity Framework 1.1 – Enhances guidance on supply chain risk, authentication, and vulnerability disclosure, covering five core functions: Identify, Protect, Detect, Respond, Recover.

  • NIST Cybersecurity Framework 2.0 – Expands scope beyond critical infrastructure, adds a sixth function (Govern), and updates for modern risks and third-party management.

  • SOC 1 – Focused on internal controls over financial reporting, used by service organizations impacting client financial statements.

  • SOC 2 – Evaluates how service providers manage data against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

Custom Frameworks

If official frameworks do not cover your specific needs, you can create a custom framework. Custom frameworks allow you to define organization-specific requirements, questionnaires, or country-specific standards.

When creating a custom framework, the following fields are available; those marked (required) must be provided:

  • Framework Name – The display name of the framework. (required)
  • Identifier – A unique identifier, similar to a slug. (required)
  • Version – The version number of the framework. (required)
  • Identifier Color – The color code chosen via the color picker for quick recognition.
  • Description – A free-text description outlining the purpose and scope of the framework.

Custom frameworks are fully editable by the organization that created them, allowing you to manage and update them as requirements evolve.

Framework Adoption

Frameworks are initially inactive and must be adopted before they can be used. Adoption makes the framework available across the platform, allowing its controls to be linked to:

  • Policies
  • Assets
  • Risks

Adoption also enables coverage tracking, which appears on your dashboard and in the framework overview.

Framework Coverage

Coverage indicates how many of the framework's controls have been mapped to your organization's policies, assets, or risks.

  • Coverage Progress is displayed as a percentage.
  • Once all controls are mapped, the framework coverage is 100% and marked as Completed.
  • Coverage provides quick insights into your compliance health and helps highlight gaps that need attention.

Framework coverage can be explored in more detail in the Coverage section.
