Purpose: Identify where the framework must improve so effort and investment are directed to the highest-impact areas.
Status: Active planning document (June 2026)
Sources: A023 Gap Analysis, NIST CSF 2.0 Preliminary Review, codebase assessment, Implementation Summary
This is a prioritisation guide, not a certification or completion claim.
Use it to allocate teams, budget, and sprint focus — not as evidence of compliance.
⛔ Remediation gate — required before full NIST CSF 2.0 assessment
The items in this document must be remediated and should be resolved before:
- Full formal assessment of NIST CSF 2.0 requirements (Phase 3 validation and Phase 4 attestation)
- Client-facing or audit presentation of ICT Governance Framework solutions as production-ready
- MSP / Business Continuity service launches that depend on live compliance and recovery evidence
Conducting a full NIST CSF 2.0 assessment or marketing framework capabilities while P1 remediation items remain open would produce invalid results and create misrepresentation risk. See Remediation prerequisites.
Status: Active planning document — remediation in progress (18 June 2026)
ISO alignment: Per-standard library, crosswalks, and June 2026 reassessment are in docs/compliance/ISO/.
June 2026 sprint: JIT/Break Glass consoles, privileged-action ledger, RPAS asset register, governance incident ingest, Organisational Profile, and ADPA Production-Attested artifacts delivered. See NIST CSF 2.0 Compliance Review — Remediation progress. Gate A not met — sign-off pending.
The ICT Governance Framework has a strong documentation and policy foundation, working RBAC/authentication, RPAS governance scaffold, and deployable IaC patterns. The largest gaps are where documentation and UI overstate live capability — mock dashboards, unimplemented mapped features, and bootstrap governance artifacts.
Place emphasis on these six focus areas:
Implementation plan: Enterprise Security Seven-Pillar Implementation Plan — sprint checklists for SecOps (A–B), Software supply chain (C), and Resilience (D).
| Rank | Focus area | Why it matters | Horizon |
|---|---|---|---|
| 1 | Compliance integrity | Mock data and A034 overclaims create audit and client trust risk | 0–90 days |
| 2 | Live detect & respond | Monitoring exists but incidents, SIEM correlation, and remediation are incomplete | 0–90 days |
| 3 | GOVERN & ADPA production | CSF 2.0 elevates GOVERN; ADPA bridge and RPAS must move from bootstrap to attested baseline | 0–180 days |
| 4 | Asset & risk intelligence | No authoritative asset register or live risk engine — blocks IDENTIFY and GV.RM | 90–180 days |
| 5 | Supply chain & application governance | Shadow IT / CASB / procurement policy strong on paper; implementation is mock | 0–180 days |
| 6 | Validated business continuity | Git-to-cloud recovery designed but not end-to-end tested | 90–180 days |
The following must be complete before proceeding to full NIST CSF 2.0 assessment or presenting ICT Governance Framework solutions as assessed and production-ready.
| ID | Remediation | Focus area | Blocks assessment of | June 2026 status |
|---|---|---|---|---|
| G-A1 | A034 reconciled — every mapping tagged Implemented / Partial / Planned / Gap with code evidence | 1 | All CSF functions — integrity of evidence base | ☐ Open |
| G-A2 | Mock compliance and executive dashboards removed or explicitly demo-only; production paths use live data | 1 | GV.OV, DE.CM, DETECT evidence | 🟢 Substantial — compliance + CISO + Executive dashboards live via GET /api/governance/executive/metrics; Strategic Initiatives demo-only |
| G-A3 | Production CASB/vendor inventory (no in-memory mock catalog) | 5 | GV.SC | 🟡 Partial — ingest webhook live; catalog in-memory |
| G-A4 | Incident ticket creation wired (ServiceNow and/or Sentinel) — stub removed | 2 | DE.CM, RS.MA | 🟡 Partial — REST ingest API live; PowerShell stub |
| G-A5 | CSF 2.0 Organisational Profile (Current) published | 3 | GV.OC, entire GOVERN function | 🟡 Substantial — profile v1.1 published |
| G-A6 | Placeholder Zero Trust scores replaced with live assessment or removed from reporting | 4 | ID.RA, GV.RM | ☐ Open |
| G-A7 | ADPA/RPAS artifacts — SET_ME resolved; bootstrap status upgraded or formally scoped as pre-production |
3 | GV.PO, GV.OV | 🟡 Substantial — Production-Attested |
Gate A sign-off: Compliance Officer + CISO — required to open NIST CSF 2.0 Phase 3 validation.
Complete Gate A plus:
| ID | Remediation | Focus area | Blocks | June 2026 status |
|---|---|---|---|---|
| G-B1 | Asset register service implemented (FR-GOV-004) | 4 | ID.AM, client asset governance claims | 🟡 Substantial — API, schema, UI, tests |
| G-B2 | Live Sentinel adverse-event correlation operational | 2 | DE.AE, detect/respond service SLAs | 🟡 Partial — incident ingest |
| G-B3 | End-to-end DR test executed with documented RTO/RPO | 6 | Business Continuity / content continuation offers | 🟡 Partial — DR fields in register |
| G-B4 | IR analysis workflow API — not documentation-only | 2 | Incident response solution claims | ☐ Open |
| G-B5 | Client and MSP materials reviewed — no capability claims beyond Gate B evidence | 1 | All client-facing solution proposals | ☐ Open |
Gate B sign-off: Compliance Officer + Service Delivery Lead — required for MSP tier launches and formal solution proposals.
Complete Gate B plus P2 remediations (HR-06 through HR-12) and Phase 3 validation evidence pack. See NIST CSF 2.0 Compliance Review — Phase 4.
| Activity | Minimum gate |
|---|---|
| NIST CSF 2.0 Phase 3 validation (live control testing) | Gate A |
| NIST CSF 2.0 Phase 4 attestation / certification claim | Gate C |
| Client audit pack citing CSF 2.0 | Gate C |
| ICT Governance Framework solution proposal (production) | Gate B |
| Business Continuity / content continuation service (Premium tier) | Gate B (G-B3 mandatory) |
| Benchmarking report percentage updates for NIST CSF 2.0 | Gate C |
Impact vs implementation effort — prioritise upper-right (high impact, feasible effort) first.
Impact
▲
│ [1 Compliance integrity] [2 Detect & respond]
│ [5 Supply chain] [3 GOVERN & ADPA]
│
│ [6 BC validation] [4 Asset & risk]
│
│ [7 Multi-cloud depth] [8 AI/ML governance]
│ [9 Training/LMS] [10 DLP/Purview]
└──────────────────────────────────────────────────► Effort
Low High
| Priority: CRITICAL | Horizon: 0–90 days | NIST refs: HR-03, HR-04 | A023 alignment: Real-time monitoring credibility |
Auditors and clients cannot distinguish designed from delivered. This undermines every other governance investment.
| # | Action | Owner domain |
|---|---|---|
| 1.1 | Reconcile A034 — mark each mapping: Implemented / Partial / Planned / Gap with code links | Compliance + Architecture |
| 1.2 | Replace mock dashboard data with live API feeds or clearly label UI as Demo Mode | Development |
| 1.3 | Add IMPLEMENTATION-STATUS.md registry for major features (single source of truth) |
Project management |
| 1.4 | Review client/MSP materials — remove claims not backed by implemented controls | Compliance |
ict-governance-framework/app/compliance-dashboard/page.js — mock dataA034-Compliance-Requirements-System-Features-Mapping.md — overstated mappings| Priority: CRITICAL | Horizon: 0–90 days | NIST refs: HR-07, HR-08, HR-09 | A023 alignment: Real-time monitoring, automated remediation |
Continuous-Compliance-Monitoring.ps1 runs monitoring loops and playbooks.Create-IncidentTicket is a stub — no ServiceNow/Sentinel ticket creation.Detection without closed-loop response fails CSF 2.0 DETECT and RESPOND expectations and the framework’s own real-time monitoring narrative.
| # | Action | Owner domain | Sprint |
|---|---|---|---|
| 2.1 | Wire incident creation to governance API and/or ServiceNow | Azure automation | A |
| 2.2 | Complete Automated-Remediation-Framework.ps1 coverage for top 10 resource types |
Azure automation | B |
| 2.3 | Implement live Sentinel correlation for adverse events (DE.AE) | Security operations | B |
| 2.4 | Build incident analysis workflow API (RS.AN) — link AMD records to IR tickets | Development | B |
| 2.5 | Validate ransomware scenario end-to-end in test tenant (detect → contain → ticket) | Security + BC | B / D |
azure-automation/Continuous-Compliance-Monitoring.ps1 L599–617 — stubdocs/implementation/summaries/Real-Time-Monitoring-Implementation-Summary.md — design vs live gap| Priority: CRITICAL | Horizon: 0–180 days | NIST refs: HR-01, HR-05, HR-11 | Strategic: ADPA → Compliance as Code |
0.1.0-bootstrap, sourceOfTruth: "SET_ME".CSF 2.0 makes GOVERN foundational. The framework’s differentiator (RPAS + ADPA) is not yet production-attested — it cannot be sold or audited as operational governance.
| # | Action | Owner domain |
|---|---|---|
| 3.1 | Publish NIST CSF 2.0 Organisational Profile (Current + Target) | Compliance |
| 3.2 | Complete ADPA artifact binding — remove SET_ME; certify source of truth |
Governance / RPAS |
| 3.3 | Implement GOVERN oversight dashboard (metrics from live data, not mock) | Development |
| 3.4 | Wire ADPA document generation to TAR-COL metadata schema |
Governance automation |
| 3.5 | Promote RPAS from vendor-scaffold to canonical or fully attested in-repo baseline | Governance |
sourceOfTruthgovernance/rpas/artifacts/ADPA.control.json — Production-Attested v2.3.0docs/compliance/NIST-CSF-2.0-Organisational-Profile.md — Current State Profile v1.1app/jit-elevation/, app/break-glass/ — privileged access oversight consoles| Priority: HIGH | Horizon: 90–180 days | NIST refs: HR-05, HR-06 | A023 alignment: Predictive analytics, risk quantification |
Get-AzResource).npm run verify:assets).Without authoritative asset inventory and live risk assessment, IDENTIFY function fails and prioritisation of remediation is manual and inconsistent.
| # | Action | Owner domain | |
|---|---|---|---|
| 4.1 | Implement asset register API and schema (FR-GOV-004) — multi-cloud asset IDs | Development | Delivered June 2026 — deepen multi-cloud sync |
| 4.2 | Integrate asset register with Azure Resource Graph, M365, CASB catalog | Integration | |
| 4.3 | Replace placeholder ZT scores with live telemetry-driven assessment | Azure automation | |
| 4.4 | Introduce risk register (FAIR-lite minimum) linked to assets and tenants | Governance | |
| 4.5 | Feed risk scores into CISO dashboard and compliance heatmap | Development |
| Priority: HIGH | Horizon: 0–180 days | NIST refs: HR-02 | A023 alignment: Multi-cloud + Shadow IT |
Shadow IT, SaaS sprawl, and vendor risk are core client concerns — especially for Business Continuity and content continuation services. Policy without inventory is not governable.
| # | Action | Owner domain | Sprint |
|---|---|---|---|
| 5.1 | Persist CASB catalog to PostgreSQL; integrate Defender for Cloud Apps API | Development | C |
| 5.2 | Replace mock compliance validation with live API calls | Development | C |
| 5.3 | Build vendor/SaaS inventory aligned to GV.SC — link to procurement workflow | Compliance | C |
| 5.4 | Unify Shadow IT detection with drift taxonomy (application drift category) | Security operations | C |
| 5.5 | Report supply chain posture on compliance dashboard (live) | Development | C |
See Sprint C checklist.
ict-governance-framework/api/casb-app-catalog.jsict-governance-framework/services/compliance-validation-service.jsdocs/compliance/monitoring/Shadow-IT-as-Infrastructure-Drift.md| Priority: HIGH | Horizon: 90–180 days | NIST refs: HR-12 | Service: Content continuation, Git-to-cloud recovery |
Clients buying continuity services need proven RTO/RPO, not documented intent. Recovery guides are scenario documentation until tested.
| # | Action | Owner domain | Sprint |
|---|---|---|---|
| 6.1 | Execute ransomware recovery scenario in isolated test tenant; record RTO/RPO | BC / Security | D |
| 6.2 | Add DR validation to CI or quarterly scheduled workflow | DevOps | D |
| 6.3 | Complete backup remediation logic in automation framework | Azure automation | D (stretch) |
| 6.4 | Package recovery attestation template for client delivery post-test | Compliance | D |
| 6.5 | Extend Git-to-cloud recovery script chain (validate → deploy → restore → verify) | DevOps | D |
See Sprint D checklist.
Restore-RpasBaseline.ps1 + IaC deploy tested as single pipelinedocs/implementation/guides/RPAS-Rollback-Recovery-Ransomware-Example.mdgovernance/rpas/scripts/Restore-RpasBaseline.ps1| Priority: MEDIUM | Horizon: 180–365 days | A023: Critical gap (maturity 2.1 → 4.0) |
Multi-cloud governance is a stated differentiator but operational tooling is Azure-weighted.
| Priority: MEDIUM | Horizon: 180–365 days | NIST refs: HR-10, HR-13 |
docs/training/ — documentation only.Suggested team effort split for the next two quarters:
| Focus area | Q1 emphasis | Q2 emphasis |
|---|---|---|
| 1 Compliance integrity | 40% | 10% |
| 2 Detect & respond | 30% | 20% |
| 3 GOVERN & ADPA | 15% | 25% |
| 4 Asset & risk | 5% | 20% |
| 5 Supply chain | 10% | 15% |
| 6 BC validation | — | 10% |
| 7–8 Multi-cloud, training, DLP | — | — (backlog) |
| Topic | Document |
|---|---|
| NIST CSF 2.0 high-risk register (HR-01–HR-15) | NIST-CSF-2.0-Compliance-Review.md |
| Historical gap analysis (A023) | A023-Governance-Gaps-and-Improvement-Opportunities.md |
| CSF 1.1 feature mappings | A034-Compliance-Requirements-System-Features-Mapping.md |
| ADPA bridge & Compliance as Code | README.md |
| Business Continuity Services | README.md |
| Ransomware recovery scenario | RPAS-Rollback-Recovery-Ransomware-Example.md |
| RPAS integration | RPAS-Governance-Integration-Guide.md |
| Review | Frequency | Owner |
|---|---|---|
| Remediation gate progress (G-A1–G-A7) | Bi-weekly | Project Manager |
| Gate A sign-off readiness | Monthly | Compliance Officer |
| Gate B sign-off readiness | Monthly | Service Delivery Lead |
| Focus area progress | Monthly | Project Manager |
| Priority re-ranking | Quarterly | Compliance Officer + CISO |
| NIST CSF 2.0 Phase 3 validation | Only after Gate A | Compliance Officer |
| NIST CSF 2.0 Phase 4 attestation | Only after Gate C | Compliance Officer |
| Client/MSP readiness | Only after Gate B | Service delivery lead |
Document version: 1.0
Next review: September 2026
Maintained by: ICT Governance Framework Team