[interface] image of software security protocols (for a ai fintech company)
Risk Management

GRC Frameworks Explained: COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2

July 6, 2026

GRC frameworks are structured sets of principles, controls and processes that organisations use to manage governance, risk and compliance in a consistent and auditable way. The five most widely adopted GRC frameworks are COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2. This guide explains what each framework covers, who it applies to and how to choose the right combination for your organisation.

Quick Answer

GRC frameworks are the structures organisations use to govern, manage and report on risk and compliance activity.

The five frameworks in this guide: COSO (internal control and ERM), ISO 31000 (risk management principles), ISO 27001 (information security), NIST CSF (cybersecurity), SOC 2 (service organisation controls).

Most UK boards need at least two GRC frameworks working together to meet current regulatory requirements.

 

What Are GRC Frameworks and Why Do Organisations Need Them?

Most organisations face overlapping regulatory and risk obligations. UK financial services firms must comply with FCA rules, UK GDPR and increasingly DORA and NIS2. Technology companies face client-driven requirements for ISO 27001 certification and SOC 2 reports. Healthcare organisations manage CQC requirements alongside cyber threats to patient data. GRC frameworks provide a common structure for governing all of this in a way that boards can understand, report on and defend to regulators.

Without a recognised GRC framework, risk management tends to be fragmented. Different departments run separate processes, produce inconsistent data and miss cross-functional risks. A board trying to report on its risk posture or respond to a regulatory inquiry ends up reconciling incompatible formats. A GRC framework solves this by giving the organisation a shared vocabulary, a defined ownership model and clear reporting lines.

Choosing the wrong framework, or applying it incorrectly, wastes time and creates false assurance. The sections below give an accurate description of each of the five main GRC frameworks: what they are, what they cover and when to use them.

 

Framework 1: COSO - Enterprise Risk Management and Internal Control

What Is COSO?

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) published its Internal Control Integrated Framework in 1992. It was updated in 2013 and remains the most widely referenced internal control framework for publicly listed companies. COSO also published its Enterprise Risk Management Integrated Framework in 2004, updated in 2017 to incorporate strategy and performance. Most references to COSO in a board or internal audit context refer to one or both of these documents.

What Does COSO Cover?

The COSO Internal Control framework has five components:

  • Control Environment: the tone, values and governance structure set by the board and senior management
  • Risk Assessment: the process for identifying and analysing risks to the achievement of objectives
  • Control Activities: the policies and procedures that ensure management directives are carried out
  • Information and Communication: the systems that support the identification, capture and exchange of information needed for control
  • Monitoring Activities: the ongoing and separate evaluations used to assess whether controls are present and functioning

The 2017 ERM update added five components at the strategic level, connecting risk management to the organisation's mission, strategy and business objectives. It introduced 20 guiding principles that guide how boards and management apply ERM across the organisation, with a clear emphasis on integrating risk thinking into strategic decision-making.

Who Uses COSO?

COSO is most common among UK subsidiaries of US-listed companies that must satisfy Sarbanes-Oxley Section 404 compliance requirements. FTSE-listed companies whose audit committees reference internal control frameworks in their annual reports also use COSO. Financial institutions whose internal audit teams apply COSO as a methodology baseline represent a large proportion of users in the UK. Any organisation that wants a board-level internal control vocabulary aligned with Big Four auditor expectations will find COSO the appropriate starting point.

When Should You Use COSO?

Use COSO when your organisation needs to strengthen its internal control environment for a financial audit, build or review an internal audit function, satisfy a parent company's SOX compliance requirements or report on risk management quality to shareholders or regulators. COSO is the governance and internal control layer on which more specific frameworks, such as ISO 27001 or NIST CSF, sit.

 

Framework 2: ISO 31000 - Risk Management Principles and Guidelines

What Is ISO 31000?

ISO 31000 is an international standard published by the International Organisation for Standardisation (ISO) in 2009 and updated in 2018. Unlike ISO 27001, it is not a certifiable standard. Organisations cannot obtain an ISO 31000 certificate. It is a principles-based framework that provides guidance on how to design, implement, evaluate and improve a risk management process across any type of organisation, in any sector and at any scale.

What Does ISO 31000 Cover?

ISO 31000 2018 is built around three core elements:

  • Principles: 11 principles that define what effective risk management looks like, including integration with governance, a structured and comprehensive approach, and a commitment to continual improvement
  • Framework: guidance on how to design the governance structures, accountability mechanisms and resources needed to embed risk management across the organisation
  • Process: a seven-step process covering communication and consultation, scope, context and criteria, risk assessment (identification, analysis and evaluation), risk treatment, recording and reporting, and monitoring and review

The standard is deliberately non-prescriptive. It sets out the what and why of risk management without specifying the how. This makes it adaptable to any industry, size or complexity of organisation. HM Treasury's Orange Book, the UK government's guide to risk management, draws explicitly on ISO 31000 and is required reading for public sector risk professionals.

Who Uses ISO 31000?

ISO 31000 is used by boards and risk committees wanting a recognised framework for setting risk appetite and governance structures. Risk managers looking for a universal risk language that works across business units also use it. Organisations building an enterprise risk management function for the first time find it an accessible starting point. Public sector bodies, NHS trusts and central government departments use it to align with the Orange Book.

When Should You Use ISO 31000?

Use ISO 31000 when your organisation needs to establish a board-level risk management framework, align different business units to a single risk methodology, satisfy a regulator's expectation of good risk governance or use it as the foundational layer beneath more specific frameworks. ISO 31000 works well as the strategic risk management layer above which ISO 27001 (information security) and NIST CSF (cybersecurity) sit as specialist frameworks.

 

Framework 3: ISO 27001 - Information Security Management

What Is ISO 27001?

ISO/IEC 27001 is an international standard for information security management systems (ISMS). First published in 2005 and updated in 2013, it was significantly revised in 2022. The current version is ISO 27001:2022. It is a certifiable standard: accredited third-party certification bodies conduct audits and issue certificates confirming conformity. The 2022 revision contains 93 controls across four themes, replacing the 114 controls in Annex A of the 2013 edition.

What Does ISO 27001 Cover?

ISO 27001 covers the full lifecycle of information security management. Clauses 4 to 10 set out the management system requirements, covering context, leadership, planning, support, operation, performance evaluation and improvement. Annex A contains 93 controls across four themes: Organisational, People, Physical and Technological.

The 2022 edition introduced 11 new controls that reflect the current threat landscape:

  • Threat intelligence: collecting and analysing information about current and emerging threats
  • Information security for use of cloud services: defining and managing controls for cloud environments
  • ICT readiness for business continuity: planning for information and communications technology availability during disruption
  • Physical security monitoring: surveillance and monitoring of physical areas
  • Configuration management: documenting and maintaining secure configurations across all systems
  • Information deletion: ensuring information is deleted when it is no longer needed
  • Data masking: protecting sensitive information through masking, tokenisation or anonymisation
  • Data leakage prevention: detecting and preventing unauthorised disclosure of information
  • Web filtering: managing access to external websites and web-based services
  • Secure coding: applying secure development practices across the software development lifecycle
  • Monitoring activities: monitoring systems, networks and applications for anomalous behaviour

Who Uses ISO 27001?

ISO 27001 certification is required or expected by UK financial services firms handling client data under FCA rules. Healthcare organisations processing patient data under UK GDPR rely on it. Technology and SaaS companies find enterprise clients increasingly require a valid ISO 27001 certificate as a procurement condition. Managed service providers and cloud companies competing for government or regulated-sector contracts need it. Any organisation that has experienced a data breach and needs to demonstrate improved security posture will also use it.

When Should You Use ISO 27001?

Use ISO 27001 when your organisation handles personal data at scale, operates in a regulated sector, sells to enterprise clients who conduct third-party risk assessments or wants a certifiable, internationally recognised information security standard. ISO 27001 is also the strongest single control framework for demonstrating compliance with the security of processing obligation in UK GDPR Article 32. Certification is valid for three years, subject to annual surveillance audits.

 

Framework 4: NIST CSF - Cybersecurity Framework

What Is NIST CSF?

The NIST Cybersecurity Framework (CSF) was developed by the US National Institute of Standards and Technology in 2014, originally for critical infrastructure operators. Version 2.0 was released in February 2024. CSF 2.0 is free to use, widely adopted globally and is not sector-specific. It is not a certifiable standard, but it is used extensively as the basis for cybersecurity programmes, board-level risk reporting and regulatory assessments. The 2024 update significantly strengthened the governance and board-level components of the framework.

What Does NIST CSF 2.0 Cover?

CSF 2.0 organises cybersecurity activities into six core functions:

  • Govern: the new function introduced in CSF 2.0, covering cybersecurity risk strategy, defined roles, documented policies and board-level oversight of the cybersecurity programme
  • Identify: understanding assets, data flows, suppliers and cybersecurity risks across the organisation
  • Protect: implementing controls to limit the impact of a cybersecurity event, including access management, awareness training and data security
  • Detect: developing the capabilities needed to identify cybersecurity events and anomalies when they occur
  • Respond: taking organised action when a cybersecurity incident is detected, including communications and analysis
  • Recover: restoring services and communicating appropriately with stakeholders after an incident

Each function is broken down into categories and subcategories, giving organisations a detailed checklist of cybersecurity activities. The Govern function, new in CSF 2.0, requires documented risk strategy, defined accountability and regular board reporting. This makes it particularly relevant to boards and C-Suite teams who need a structured way to discuss and report on cyber risk.

Who Uses NIST CSF?

NIST CSF is used by US multinationals and their UK subsidiaries who already operate NIST-aligned programmes. UK organisations in critical national infrastructure sectors, including energy, transport, water and digital infrastructure, use it. Organisations seeking to demonstrate NIS2 or UK NIS Regulations compliance through a recognised framework choose it. Any board that wants a structured, auditable way to report on cybersecurity risk using internationally recognised terminology will find CSF 2.0 a practical starting point.

When Should You Use NIST CSF?

Use NIST CSF when your organisation needs a board-level cybersecurity governance structure, wants to align with NIS2 or UK NIS requirements, operates in a critical infrastructure sector or wants a free, well-documented framework for building a cybersecurity programme from scratch. NIST CSF works alongside ISO 27001: NIST provides the strategic governance structure and board-facing language, ISO 27001 provides the certifiable management system and the underlying controls.

 

Framework 5: SOC 2 - Service Organisation Controls

What Is SOC 2?

SOC 2 is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA). It is not a standard in the ISO sense and it does not produce a certificate. Instead, it produces an audit-based report from an independent CPA firm confirming whether a service organisation's controls meet the Trust Services Criteria. There are two report types. Type I assesses whether controls are suitably designed at a point in time. Type II assesses whether controls operated effectively over a defined period, typically six to twelve months. Enterprise clients and US procurement teams almost always require a Type II report.

What Does SOC 2 Cover?

SOC 2 is built on five Trust Services Criteria (TSC):

  • Security: required for all SOC 2 reports; covers logical and physical access controls, change management, risk assessment and incident response
  • Availability: whether systems are available for operation in line with service level commitments
  • Processing Integrity: whether system processing is complete, valid, accurate, timely and authorised
  • Confidentiality: whether information designated as confidential is protected as agreed with clients
  • Privacy: whether personal information is collected, used, retained, disclosed and disposed of in line with the organisation's privacy commitments

Most SOC 2 reports cover Security only. Availability and Confidentiality are commonly added by cloud and SaaS providers. Privacy is added where the organisation processes significant volumes of personal data on behalf of clients. The scope of each report is agreed between the service organisation and the auditor based on the services provided.

Who Uses SOC 2?

SOC 2 reports are produced by SaaS companies selling to US enterprises, where a SOC 2 Type II report is a standard procurement requirement. Cloud infrastructure and managed service providers use it to demonstrate controls to clients during due diligence. UK technology companies entering US markets or serving financial services firms find it expected rather than optional. Procurement and vendor management teams assessing third-party risk in their supply chains request SOC 2 reports as a standard part of the assessment process.

When Should You Use SOC 2?

Use SOC 2 when your organisation processes, stores or transmits client data and your clients or prospects ask for evidence of controls. A SOC 2 Type II report is particularly important if you are pursuing US sales, tendering for financial services contracts or operating as a critical supplier in a regulated supply chain. SOC 2 and ISO 27001 have significant control overlap: many organisations hold both, with ISO 27001 as the certifiable internal standard and SOC 2 as the client-facing assurance report.

How the Five GRC Frameworks Relate to Each Other

These five GRC frameworks cover different layers of organisational governance and risk. They work best in combination rather than in isolation.

COSO and ISO 31000 operate at the governance and enterprise risk management level. COSO focuses on internal control and financial reporting integrity. ISO 31000 provides overarching principles and a process for managing any type of risk. Together, they form the strategic governance layer: the board-level structures, risk appetite statements and accountability frameworks that everything else sits beneath.

ISO 27001 and NIST CSF operate at the information security and cybersecurity management level. ISO 27001 provides a certifiable management system with a specific set of information security controls. NIST CSF provides a function-based cybersecurity governance structure that is particularly strong for board reporting and regulatory alignment. The two frameworks are complementary. Many UK organisations use NIST CSF to structure board-level cyber reporting and ISO 27001 to provide the underlying certified controls.

SOC 2 operates at the client assurance level. It is not a governance or risk management framework in the same sense as the others. It is an independent audit report that gives clients documented evidence of specific controls at a point in time or over a defined period. SOC 2 draws heavily on the same control activities as ISO 27001, which is why organisations with ISO 27001 certification typically find the SOC 2 audit process far less demanding.

The key point for boards is that these frameworks do not compete with each other. None of them covers the full GRC landscape on its own. An organisation that only implements ISO 27001, for example, has strong information security management but no formal enterprise risk framework and no board-level internal control methodology. A complete GRC programme draws on at least two or three of these frameworks working together.

 

Which GRC Frameworks Does Your Organisation Need?

Your framework selection should be driven by four factors: your regulatory environment, your sector, your client expectations and your current maturity level. The guidance below covers the most common profiles.

 

Financial Services Firms (FCA-Regulated)

COSO: for internal control reporting to the FCA, audit committee and board

ISO 31000: for enterprise risk management and risk appetite governance

ISO 27001: for information security under UK GDPR and FCA operational resilience requirements

 

Technology and SaaS Companies

ISO 27001: as the certifiable baseline for information security

SOC 2 Type II: for US clients and enterprise procurement requirements

NIST CSF: for board-level cybersecurity governance and NIS2 alignment

 

Critical National Infrastructure Operators

NIST CSF: for cybersecurity governance aligned to UK NIS Regulations

ISO 27001: for certifiable information security management

ISO 31000: for enterprise risk management across operational, financial and cyber risks

 

Listed Companies with US Operations

COSO: for Sarbanes-Oxley Section 404 internal control compliance

SOC 2 Type II: for US client assurance and third-party risk management

ISO 27001: for international information security credibility

If you are unsure where to start, a GRC framework gap assessment is the most effective first step. It maps your current controls against each framework, identifies the gaps and produces a prioritised action plan based on your specific regulatory exposure and risk profile.

How to Implement Multiple GRC Frameworks Without Duplication

Most organisations that need more than one framework are concerned about duplicated effort. In practice, the overlap between GRC frameworks means that implementing two frameworks together is significantly less work than implementing each one separately. The key is a structured approach to control mapping and shared evidence.

Step 1: Conduct a cross-framework control mapping

Identify controls that appear across multiple frameworks. ISO 27001 Annex A controls map directly to NIST CSF subcategories and to SOC 2 Trust Services Criteria. A single well-documented control can satisfy requirements from all three frameworks if it has a clear owner, documented evidence and a defined review cycle.

Step 2: Define a unified control framework

Create a master list of controls that satisfies all applicable frameworks. Each control has one owner, one evidence record and one review cycle. Tag each control to the frameworks it satisfies so compliance reporting can be generated for each one without running separate processes.

Step 3: Implement centralised monitoring and evidence collection

Use a GRC platform or structured shared repository to track control effectiveness across all frameworks. All evidence, test results and exception logs are stored in one place and mapped to the relevant framework requirements. This prevents the same control being tested multiple times by different teams.

Step 4: Align your audit and review cycles

Where frameworks require internal audit or management review, align the cycles so that a single review period produces evidence for multiple frameworks. This reduces the burden on control owners and produces more consistent reporting data across the board.

Step 5: Report at the right level for each stakeholder

Boards need a consolidated risk and compliance view, not separate reports for each framework. Map the outputs of all frameworks to a single board risk report that shows status, exceptions and remediation plans across all frameworks in one document. Auditors and regulators receive the detailed evidence packs they need; the board receives the executive summary.

 

How GRC Index Supports Your Framework Assessment

GRC Index is an independent assessment and advisory service for UK organisations. The GRC Index assessment covers all five frameworks described in this guide: COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2. It maps your current governance, risk and compliance activities to each framework's requirements, identifies the gaps and produces a prioritised action plan.

The assessment is designed for boards and senior leadership teams who need an objective, evidence-based view of their GRC maturity across multiple frameworks. It takes the complexity of five overlapping frameworks and presents the findings in a format that supports board-level decisions and regulatory conversations.

The GRC Index assessment takes approximately 20 minutes to complete and produces an immediate indicative report, followed by a detailed written assessment from the GRC Index team. There is no requirement to have any existing framework documentation in place before beginning.

 

Start Your GRC Framework Assessment

Visit grci.net/questionnaire to begin the GRC Index assessment.

Coverage: COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2.

Output: prioritised action plan and board-ready compliance report.

Designed for C-Suite and Board members at UK regulated organisations.

 

Frequently Asked Questions: GRC Frameworks

What is a GRC framework?

A GRC framework is a structured set of principles, controls and processes that an organisation uses to manage governance, risk and compliance in a consistent and auditable way. GRC frameworks provide a common vocabulary and methodology that boards, management and auditors can use to assess and report on the organisation's risk and compliance position.

Which GRC framework is most widely used?

ISO 27001 is the most widely adopted certifiable GRC framework globally, with over 70,000 certificates issued in 2023. COSO is the most widely referenced internal control framework among listed companies and forms the basis of most internal audit methodologies. NIST CSF is the most commonly used cybersecurity framework in the United States and is growing in adoption among UK organisations, particularly following the release of CSF 2.0 in February 2024.

Is ISO 27001 the same as SOC 2?

No. ISO 27001 is a certifiable management system standard that an organisation implements and maintains internally, with a formal audit by an accredited certification body every three years. SOC 2 is an independent audit report produced by a CPA firm at a point in time or over a defined period. Many organisations hold both: ISO 27001 as the internal certified standard and SOC 2 as the client-facing assurance report. The control overlap between them makes it practical to pursue both without doubling the implementation effort.

Does NIST CSF apply to UK organisations?

Yes. NIST CSF was developed in the United States but is not restricted to US organisations. UK organisations in critical infrastructure sectors, those with US parent companies, and those subject to NIS2 or the UK NIS Regulations increasingly use NIST CSF as a cybersecurity governance framework. CSF 2.0, released in February 2024, strengthened its board governance components and increased its relevance for organisations outside the US.

What is the difference between COSO and ISO 31000?

COSO focuses primarily on internal control and enterprise risk management in relation to an organisation's financial reporting objectives. It is most relevant to listed companies, audit committees and internal auditors. ISO 31000 is broader in scope: it provides principles and guidance for managing any type of risk across any type of organisation. COSO is prescriptive about the components of an internal control system; ISO 31000 is principles-based and adapts to any industry, sector or context.

Do I need SOC 2 if I already have ISO 27001?

It depends on your client base and sales market. If you sell to US enterprises or to financial services firms that require third-party assurance reports, you will likely need SOC 2 in addition to ISO 27001. ISO 27001 certification is respected internationally but does not produce the type of point-in-time assurance report that US procurement teams typically request. Organisations with ISO 27001 in place typically find the SOC 2 audit process considerably less demanding because of the significant control overlap between the two frameworks.

How do I know which GRC frameworks my organisation needs?

Start with your regulatory environment. FCA-regulated firms and organisations handling client data under UK GDPR need at least ISO 27001 and a board-level risk framework such as COSO or ISO 31000. Add SOC 2 if you have US clients or are entering US markets. Add NIST CSF if you operate in critical infrastructure or need a structured cybersecurity governance programme. A GRC framework gap assessment at grci.net/questionnaire gives you an objective view of your current position against all five frameworks and a prioritised plan for closing the gaps.