Getting started with Frameworks

What are compliance frameworks?

Compliance frameworks are structured sets of requirements that help organizations implement security and compliance measures. These frameworks provide guidelines for effective governance, risk management and compliance processes.

Examples of frameworks in Tidal Control:

  • ISO 27001 - International standard for information security
  • GDPR - General Data Protection Regulation for privacy
  • SOC 2 - Service Organization Control for cloud services
  • NIST - National Institute of Standards and Technology frameworks
  • CIS Controls - Prioritized security measures from the Center for Internet Security
  • ISO 9001 - International standard for quality
  • ISO 42001 - International standard for responsible A.I.

Why use frameworks?

Benefits for your organization:

  • Structure and direction - Clear roadmap for compliance implementation
  • Audit readiness - Preparation for external certifications and audits
  • Risk management - Systematic approach to security risks
  • Best practices - Proven methods from the industry
  • Stakeholder trust - Demonstrable compliance for customers and partners

The "Test once, use often" principle

Tidal Control is built on an efficient approach: one control can cover multiple framework requirements. This saves time and resources in compliance implementation.

Practical example:

  • A firewall control can cover:
    • ISO 27001 requirement A.8.22 (Network segmentation)
    • SOC 2 CC6.1 (Logical access security)
    • NIST 800-53 AC-4 (Information flow control)

Benefits of reuse:

  • Less duplication - Implement once, comply with multiple standards
  • Consistent execution - Same quality across frameworks
  • Resource efficiency - Team doesn't need to do the same work multiple times
  • Holistic compliance - Integrated approach instead of isolated frameworks

Tip

Smart compliance: Start with the framework most relevant to your organization. Add frameworks later that have significant overlap to maximize benefit from existing controls.

Navigating the Frameworks overview page

Understanding page layout

The Frameworks page shows all available compliance frameworks in a tile-based overview. Each framework is displayed as a tile with essential information.

Frameworks overview

What you see in the overview:

  • Framework tiles - Individual tiles per compliance standard
  • Search bar - Quickly find specific frameworks
  • Status indication - Visual distinction between active and inactive frameworks

Understanding framework tiles

Information per framework tile:

  • Framework name and version - For example "ISO27001:2022" or "GDPR:2020"
  • Description - Brief explanation of the framework purpose
  • 2x2 icon with number - Number of requirements in the framework
  • Clipboards icon with number - Number of unique controls linked to these requirements

Example of tile information:

ISO27001:2022
ISO/IEC 27001 Information security management systems

🔵 123  📄 75

This means: 123 references (requirements) and 75 linked controls.

Active vs inactive frameworks

Recognizing status:

  • Active frameworks - Full color tiles, framework is being used
  • Inactive frameworks - Gray tiles with "Start" button

When is a framework active?

  • At least 1 control is linked to a framework reference

Activating inactive frameworks:

  1. Click the "Start" button on the gray framework tile
  2. The framework opens with all available references
  3. Link a first control to a reference to complete the activation
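The control-to-reference mapping behind the tile counts, the activation rule above and the "Test once, use often" principle, as an added Python example (not Tidal Control code): a constructed inventory links three controls to references in several frameworks, and the functions derive each tile's linked-control count, its active/inactive state (at least one linked control) and the reuse factor per control. Framework identifiers, reference counts and the mappings themselves are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (not exported from Tidal Control): a control name
# maps to the (framework, reference) pairs it is linked to.
CONTROL_LINKS = {
    "Firewall rule review": [
        ("ISO27001:2022", "A.8.22"),
        ("SOC2", "CC6.1"),
        ("NIST 800-53", "AC-4"),
    ],
    "MFA for all user accounts": [
        ("ISO27001:2022", "A.8.5"),
        ("SOC2", "CC6.1"),
    ],
    "Data subject request procedure": [("GDPR:2020", "Art. 15")],
}

# Constructed number of references per framework (the left-hand tile number).
FRAMEWORK_REFERENCES = {
    "ISO27001:2022": 93, "SOC2": 61, "NIST 800-53": 322,
    "GDPR:2020": 99, "CIS:v8": 153,
}


def tile_stats(links=CONTROL_LINKS, sizes=FRAMEWORK_REFERENCES):
    """Per framework: total references, distinct linked controls, references
    covered by at least one control, and the active flag (>= 1 linked control)."""
    controls, covered = defaultdict(set), defaultdict(set)
    for control, refs in links.items():
        for framework, ref in refs:
            controls[framework].add(control)
            covered[framework].add(ref)
    return {
        fw: {
            "references": total,
            "linked_controls": len(controls[fw]),
            "covered_references": len(covered[fw]),
            "active": len(controls[fw]) > 0,
        }
        for fw, total in sizes.items()
    }


def reuse_report(links=CONTROL_LINKS):
    """Frameworks served per control, plus the average number of links per control."""
    per_control = {c: len({fw for fw, _ in refs}) for c, refs in links.items()}
    total_links = sum(len(refs) for refs in links.values())
    return per_control, total_links / len(links)


if __name__ == "__main__":
    for fw, s in tile_stats().items():
        state = "active" if s["active"] else "inactive (shows Start button)"
        print(f"{fw:14} {s['references']:4} refs  {s['linked_controls']} controls  {state}")
    print(reuse_report())
```

A framework with no linked controls (CIS:v8 here) is exactly the gray tile with the "Start" button; linking one control flips it to active.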

Framework types and applications

Certifiable/Reportable standards

ISO 27001 - Information Security Management

  • Purpose: Systematic information security management
  • For whom: All organizations processing sensitive information
  • Focus: Management systems, risk assessment, control implementation
  • Certification: External audit by accredited certification body

ISO 9001 - Quality Management

  • Purpose: Optimize quality management systems
  • For whom: Organizations wanting to demonstrate process quality
  • Focus: Customer satisfaction, continuous improvement, process approach
  • Certification: External audit by accredited certification body

SOC 2 - Service Organization Control

  • Purpose: Trust services for cloud and SaaS providers
  • For whom: Technology service providers with B2B customers
  • Focus: Security, availability, processing integrity, confidentiality
  • Reporting: Type I (design) and Type II (operational effectiveness)

Laws and regulations

GDPR - General Data Protection Regulation

  • Purpose: Privacy protection for EU citizens
  • For whom: All organizations processing EU personal data
  • Focus: Data subject rights, privacy by design, breach notification
  • Sanctions: Up to 4% of annual turnover for non-compliance

NIS 2 - Network and Information Security Directive

  • Purpose: Cybersecurity for critical sectors and important entities
  • For whom: Energy, transport, banking services, digital infrastructure, government
  • Focus: Risk management, incident reporting, cybersecurity governance
  • Sanctions: Up to €10 million or 2% of annual turnover (essential entities), €7 million or 1.4% (important entities), plus personal management liability

EU AI Act - Artificial Intelligence Act

  • Purpose: Safe and trustworthy AI development and use
  • For whom: Organizations developing, importing or using AI systems in EU
  • Focus: Risk-based approach, prohibited AI practices, high-risk AI requirements
  • Sanctions: Up to €35 million or 7% of annual turnover for prohibited AI practices, lower percentages for other violations

Other standards

NIST Cybersecurity Framework

  • Purpose: Cybersecurity risk management
  • For whom: Critical infrastructure and large organizations
  • Focus: Identify, Protect, Detect, Respond, Recover
  • Flexibility: Adaptable to organization-specific needs

CIS Controls

  • Purpose: Prioritized cybersecurity best practices
  • For whom: Organizations seeking practical security guidelines
  • Focus: 18 prioritized controls from basic to advanced
  • Implementation: Step-by-step guidance with metrics

Tip

Check the Frameworks page for an overview of all supported frameworks.

Searching and filtering frameworks

Using search functionality

  1. Click in the search bar at the top of the Frameworks page
  2. Type the framework name or part of it
  3. Results are filtered automatically while you type
  4. Clear the search with the X button to show all frameworks again

Effective search terms:

  • "ISO" - Shows all ISO related frameworks
  • "2022" - Filters on specific versions
  • "Security" - Finds frameworks with security focus
  • "Data" - Shows data protection related frameworks

Framework selection

For organizations just starting out:

  • Start with one primary framework relevant to your industry
  • ISO 27001 for general information security and for EU-based SaaS and cloud services
  • GDPR when processing personal data
  • SOC 2 for SaaS and cloud services with focus on expansion to the USA

For advanced implementations:

  • Expand with frameworks important to your (new) customers
  • Leverage synergies between related standards
  • Optimize coverage through strategic control mapping

Tip

Prevent framework fatigue: Don't implement more than 2-3 frameworks simultaneously. Focus on quality over quantity and use the same controls across multiple frameworks for greater efficiency.

Next steps

Now that you know how the Frameworks page works:

  • Explore frameworks relevant to your organization
  • Activate your first framework with the "Start" button
  • Begin control linking for core requirements
  • Monitor progress via dashboard indicators