GRC frameworks are structured sets of principles, controls and processes that organisations use to manage governance, risk and compliance in a consistent and auditable way. The five most widely adopted GRC frameworks are COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2. This guide explains what each framework covers, who it applies to and how to choose the right combination for your organisation.
GRC frameworks are the structures organisations use to govern, manage and report on risk and compliance activity.
The five frameworks in this guide: COSO (internal control and ERM), ISO 31000 (risk management principles), ISO 27001 (information security), NIST CSF (cybersecurity), SOC 2 (service organisation controls).
Most UK boards need at least two GRC frameworks working together to meet current regulatory requirements.
Most organisations face overlapping regulatory and risk obligations. UK financial services firms must comply with FCA rules, UK GDPR and increasingly DORA and NIS2. Technology companies face client-driven requirements for ISO 27001 certification and SOC 2 reports. Healthcare organisations manage CQC requirements alongside cyber threats to patient data. GRC frameworks provide a common structure for governing all of this in a way that boards can understand, report on and defend to regulators.
Without a recognised GRC framework, risk management tends to be fragmented. Different departments run separate processes, produce inconsistent data and miss cross-functional risks. A board trying to report on its risk posture or respond to a regulatory inquiry ends up reconciling incompatible formats. A GRC framework solves this by giving the organisation a shared vocabulary, a defined ownership model and clear reporting lines.
Choosing the wrong framework, or applying it incorrectly, wastes time and creates false assurance. The sections below give an accurate description of each of the five main GRC frameworks: what they are, what they cover and when to use them.
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) published its Internal Control Integrated Framework in 1992. It was updated in 2013 and remains the most widely referenced internal control framework for publicly listed companies. COSO also published its Enterprise Risk Management Integrated Framework in 2004, updated in 2017 to incorporate strategy and performance. Most references to COSO in a board or internal audit context refer to one or both of these documents.
The COSO Internal Control framework has five components:
The 2017 ERM update added five components at the strategic level, connecting risk management to the organisation's mission, strategy and business objectives. It introduced 20 guiding principles that guide how boards and management apply ERM across the organisation, with a clear emphasis on integrating risk thinking into strategic decision-making.
COSO is most common among UK subsidiaries of US-listed companies that must satisfy Sarbanes-Oxley Section 404 compliance requirements. FTSE-listed companies whose audit committees reference internal control frameworks in their annual reports also use COSO. Financial institutions whose internal audit teams apply COSO as a methodology baseline represent a large proportion of users in the UK. Any organisation that wants a board-level internal control vocabulary aligned with Big Four auditor expectations will find COSO the appropriate starting point.
Use COSO when your organisation needs to strengthen its internal control environment for a financial audit, build or review an internal audit function, satisfy a parent company's SOX compliance requirements or report on risk management quality to shareholders or regulators. COSO is the governance and internal control layer on which more specific frameworks, such as ISO 27001 or NIST CSF, sit.
ISO 31000 is an international standard published by the International Organisation for Standardisation (ISO) in 2009 and updated in 2018. Unlike ISO 27001, it is not a certifiable standard. Organisations cannot obtain an ISO 31000 certificate. It is a principles-based framework that provides guidance on how to design, implement, evaluate and improve a risk management process across any type of organisation, in any sector and at any scale.
ISO 31000 2018 is built around three core elements:
The standard is deliberately non-prescriptive. It sets out the what and why of risk management without specifying the how. This makes it adaptable to any industry, size or complexity of organisation. HM Treasury's Orange Book, the UK government's guide to risk management, draws explicitly on ISO 31000 and is required reading for public sector risk professionals.
ISO 31000 is used by boards and risk committees wanting a recognised framework for setting risk appetite and governance structures. Risk managers looking for a universal risk language that works across business units also use it. Organisations building an enterprise risk management function for the first time find it an accessible starting point. Public sector bodies, NHS trusts and central government departments use it to align with the Orange Book.
Use ISO 31000 when your organisation needs to establish a board-level risk management framework, align different business units to a single risk methodology, satisfy a regulator's expectation of good risk governance or use it as the foundational layer beneath more specific frameworks. ISO 31000 works well as the strategic risk management layer above which ISO 27001 (information security) and NIST CSF (cybersecurity) sit as specialist frameworks.
ISO/IEC 27001 is an international standard for information security management systems (ISMS). First published in 2005 and updated in 2013, it was significantly revised in 2022. The current version is ISO 27001:2022. It is a certifiable standard: accredited third-party certification bodies conduct audits and issue certificates confirming conformity. The 2022 revision contains 93 controls across four themes, replacing the 114 controls in Annex A of the 2013 edition.
ISO 27001 covers the full lifecycle of information security management. Clauses 4 to 10 set out the management system requirements, covering context, leadership, planning, support, operation, performance evaluation and improvement. Annex A contains 93 controls across four themes: Organisational, People, Physical and Technological.
The 2022 edition introduced 11 new controls that reflect the current threat landscape:
ISO 27001 certification is required or expected by UK financial services firms handling client data under FCA rules. Healthcare organisations processing patient data under UK GDPR rely on it. Technology and SaaS companies find enterprise clients increasingly require a valid ISO 27001 certificate as a procurement condition. Managed service providers and cloud companies competing for government or regulated-sector contracts need it. Any organisation that has experienced a data breach and needs to demonstrate improved security posture will also use it.
Use ISO 27001 when your organisation handles personal data at scale, operates in a regulated sector, sells to enterprise clients who conduct third-party risk assessments or wants a certifiable, internationally recognised information security standard. ISO 27001 is also the strongest single control framework for demonstrating compliance with the security of processing obligation in UK GDPR Article 32. Certification is valid for three years, subject to annual surveillance audits.
The NIST Cybersecurity Framework (CSF) was developed by the US National Institute of Standards and Technology in 2014, originally for critical infrastructure operators. Version 2.0 was released in February 2024. CSF 2.0 is free to use, widely adopted globally and is not sector-specific. It is not a certifiable standard, but it is used extensively as the basis for cybersecurity programmes, board-level risk reporting and regulatory assessments. The 2024 update significantly strengthened the governance and board-level components of the framework.
CSF 2.0 organises cybersecurity activities into six core functions:
Each function is broken down into categories and subcategories, giving organisations a detailed checklist of cybersecurity activities. The Govern function, new in CSF 2.0, requires documented risk strategy, defined accountability and regular board reporting. This makes it particularly relevant to boards and C-Suite teams who need a structured way to discuss and report on cyber risk.
NIST CSF is used by US multinationals and their UK subsidiaries who already operate NIST-aligned programmes. UK organisations in critical national infrastructure sectors, including energy, transport, water and digital infrastructure, use it. Organisations seeking to demonstrate NIS2 or UK NIS Regulations compliance through a recognised framework choose it. Any board that wants a structured, auditable way to report on cybersecurity risk using internationally recognised terminology will find CSF 2.0 a practical starting point.
Use NIST CSF when your organisation needs a board-level cybersecurity governance structure, wants to align with NIS2 or UK NIS requirements, operates in a critical infrastructure sector or wants a free, well-documented framework for building a cybersecurity programme from scratch. NIST CSF works alongside ISO 27001: NIST provides the strategic governance structure and board-facing language, ISO 27001 provides the certifiable management system and the underlying controls.
SOC 2 is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA). It is not a standard in the ISO sense and it does not produce a certificate. Instead, it produces an audit-based report from an independent CPA firm confirming whether a service organisation's controls meet the Trust Services Criteria. There are two report types. Type I assesses whether controls are suitably designed at a point in time. Type II assesses whether controls operated effectively over a defined period, typically six to twelve months. Enterprise clients and US procurement teams almost always require a Type II report.
SOC 2 is built on five Trust Services Criteria (TSC):
Most SOC 2 reports cover Security only. Availability and Confidentiality are commonly added by cloud and SaaS providers. Privacy is added where the organisation processes significant volumes of personal data on behalf of clients. The scope of each report is agreed between the service organisation and the auditor based on the services provided.
SOC 2 reports are produced by SaaS companies selling to US enterprises, where a SOC 2 Type II report is a standard procurement requirement. Cloud infrastructure and managed service providers use it to demonstrate controls to clients during due diligence. UK technology companies entering US markets or serving financial services firms find it expected rather than optional. Procurement and vendor management teams assessing third-party risk in their supply chains request SOC 2 reports as a standard part of the assessment process.
Use SOC 2 when your organisation processes, stores or transmits client data and your clients or prospects ask for evidence of controls. A SOC 2 Type II report is particularly important if you are pursuing US sales, tendering for financial services contracts or operating as a critical supplier in a regulated supply chain. SOC 2 and ISO 27001 have significant control overlap: many organisations hold both, with ISO 27001 as the certifiable internal standard and SOC 2 as the client-facing assurance report.
These five GRC frameworks cover different layers of organisational governance and risk. They work best in combination rather than in isolation.
COSO and ISO 31000 operate at the governance and enterprise risk management level. COSO focuses on internal control and financial reporting integrity. ISO 31000 provides overarching principles and a process for managing any type of risk. Together, they form the strategic governance layer: the board-level structures, risk appetite statements and accountability frameworks that everything else sits beneath.
ISO 27001 and NIST CSF operate at the information security and cybersecurity management level. ISO 27001 provides a certifiable management system with a specific set of information security controls. NIST CSF provides a function-based cybersecurity governance structure that is particularly strong for board reporting and regulatory alignment. The two frameworks are complementary. Many UK organisations use NIST CSF to structure board-level cyber reporting and ISO 27001 to provide the underlying certified controls.
SOC 2 operates at the client assurance level. It is not a governance or risk management framework in the same sense as the others. It is an independent audit report that gives clients documented evidence of specific controls at a point in time or over a defined period. SOC 2 draws heavily on the same control activities as ISO 27001, which is why organisations with ISO 27001 certification typically find the SOC 2 audit process far less demanding.
The key point for boards is that these frameworks do not compete with each other. None of them covers the full GRC landscape on its own. An organisation that only implements ISO 27001, for example, has strong information security management but no formal enterprise risk framework and no board-level internal control methodology. A complete GRC programme draws on at least two or three of these frameworks working together.
Your framework selection should be driven by four factors: your regulatory environment, your sector, your client expectations and your current maturity level. The guidance below covers the most common profiles.
COSO: for internal control reporting to the FCA, audit committee and board
ISO 31000: for enterprise risk management and risk appetite governance
ISO 27001: for information security under UK GDPR and FCA operational resilience requirements
ISO 27001: as the certifiable baseline for information security
SOC 2 Type II: for US clients and enterprise procurement requirements
NIST CSF: for board-level cybersecurity governance and NIS2 alignment
NIST CSF: for cybersecurity governance aligned to UK NIS Regulations
ISO 27001: for certifiable information security management
ISO 31000: for enterprise risk management across operational, financial and cyber risks
COSO: for Sarbanes-Oxley Section 404 internal control compliance
SOC 2 Type II: for US client assurance and third-party risk management
ISO 27001: for international information security credibility
If you are unsure where to start, a GRC framework gap assessment is the most effective first step. It maps your current controls against each framework, identifies the gaps and produces a prioritised action plan based on your specific regulatory exposure and risk profile.
Most organisations that need more than one framework are concerned about duplicated effort. In practice, the overlap between GRC frameworks means that implementing two frameworks together is significantly less work than implementing each one separately. The key is a structured approach to control mapping and shared evidence.
Identify controls that appear across multiple frameworks. ISO 27001 Annex A controls map directly to NIST CSF subcategories and to SOC 2 Trust Services Criteria. A single well-documented control can satisfy requirements from all three frameworks if it has a clear owner, documented evidence and a defined review cycle.
Create a master list of controls that satisfies all applicable frameworks. Each control has one owner, one evidence record and one review cycle. Tag each control to the frameworks it satisfies so compliance reporting can be generated for each one without running separate processes.
Use a GRC platform or structured shared repository to track control effectiveness across all frameworks. All evidence, test results and exception logs are stored in one place and mapped to the relevant framework requirements. This prevents the same control being tested multiple times by different teams.
Where frameworks require internal audit or management review, align the cycles so that a single review period produces evidence for multiple frameworks. This reduces the burden on control owners and produces more consistent reporting data across the board.
Boards need a consolidated risk and compliance view, not separate reports for each framework. Map the outputs of all frameworks to a single board risk report that shows status, exceptions and remediation plans across all frameworks in one document. Auditors and regulators receive the detailed evidence packs they need; the board receives the executive summary.
GRC Index is an independent assessment and advisory service for UK organisations. The GRC Index assessment covers all five frameworks described in this guide: COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2. It maps your current governance, risk and compliance activities to each framework's requirements, identifies the gaps and produces a prioritised action plan.
The assessment is designed for boards and senior leadership teams who need an objective, evidence-based view of their GRC maturity across multiple frameworks. It takes the complexity of five overlapping frameworks and presents the findings in a format that supports board-level decisions and regulatory conversations.
The GRC Index assessment takes approximately 20 minutes to complete and produces an immediate indicative report, followed by a detailed written assessment from the GRC Index team. There is no requirement to have any existing framework documentation in place before beginning.
Visit grci.net/questionnaire to begin the GRC Index assessment.
Coverage: COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2.
Output: prioritised action plan and board-ready compliance report.
Designed for C-Suite and Board members at UK regulated organisations.
A GRC framework is a structured set of principles, controls and processes that an organisation uses to manage governance, risk and compliance in a consistent and auditable way. GRC frameworks provide a common vocabulary and methodology that boards, management and auditors can use to assess and report on the organisation's risk and compliance position.
ISO 27001 is the most widely adopted certifiable GRC framework globally, with over 70,000 certificates issued in 2023. COSO is the most widely referenced internal control framework among listed companies and forms the basis of most internal audit methodologies. NIST CSF is the most commonly used cybersecurity framework in the United States and is growing in adoption among UK organisations, particularly following the release of CSF 2.0 in February 2024.
No. ISO 27001 is a certifiable management system standard that an organisation implements and maintains internally, with a formal audit by an accredited certification body every three years. SOC 2 is an independent audit report produced by a CPA firm at a point in time or over a defined period. Many organisations hold both: ISO 27001 as the internal certified standard and SOC 2 as the client-facing assurance report. The control overlap between them makes it practical to pursue both without doubling the implementation effort.
Yes. NIST CSF was developed in the United States but is not restricted to US organisations. UK organisations in critical infrastructure sectors, those with US parent companies, and those subject to NIS2 or the UK NIS Regulations increasingly use NIST CSF as a cybersecurity governance framework. CSF 2.0, released in February 2024, strengthened its board governance components and increased its relevance for organisations outside the US.
COSO focuses primarily on internal control and enterprise risk management in relation to an organisation's financial reporting objectives. It is most relevant to listed companies, audit committees and internal auditors. ISO 31000 is broader in scope: it provides principles and guidance for managing any type of risk across any type of organisation. COSO is prescriptive about the components of an internal control system; ISO 31000 is principles-based and adapts to any industry, sector or context.
It depends on your client base and sales market. If you sell to US enterprises or to financial services firms that require third-party assurance reports, you will likely need SOC 2 in addition to ISO 27001. ISO 27001 certification is respected internationally but does not produce the type of point-in-time assurance report that US procurement teams typically request. Organisations with ISO 27001 in place typically find the SOC 2 audit process considerably less demanding because of the significant control overlap between the two frameworks.
Start with your regulatory environment. FCA-regulated firms and organisations handling client data under UK GDPR need at least ISO 27001 and a board-level risk framework such as COSO or ISO 31000. Add SOC 2 if you have US clients or are entering US markets. Add NIST CSF if you operate in critical infrastructure or need a structured cybersecurity governance programme. A GRC framework gap assessment at grci.net/questionnaire gives you an objective view of your current position against all five frameworks and a prioritised plan for closing the gaps.
© 2025 GRC Index. All rights reserved.