ICT-Governance-Framework-Application

ICT Governance Framework — Improvement Focus Areas

Purpose: Identify where the framework must improve so effort and investment are directed to the highest-impact areas.
Status: Active planning document (June 2026)
Sources: A023 Gap Analysis, NIST CSF 2.0 Preliminary Review, codebase assessment, Implementation Summary

This is a prioritisation guide, not a certification or completion claim.
Use it to allocate teams, budget, and sprint focus — not as evidence of compliance.

⛔ Remediation gate — required before full NIST CSF 2.0 assessment

The items in this document must be remediated and should be resolved before:

  1. Full formal assessment of NIST CSF 2.0 requirements (Phase 3 validation and Phase 4 attestation)
  2. Client-facing or audit presentation of ICT Governance Framework solutions as production-ready
  3. MSP / Business Continuity service launches that depend on live compliance and recovery evidence

Conducting a full NIST CSF 2.0 assessment or marketing framework capabilities while P1 remediation items remain open would produce invalid results and create misrepresentation risk. See Remediation prerequisites.

Status: Active planning document — remediation in progress (18 June 2026)

ISO alignment: Per-standard library, crosswalks, and June 2026 reassessment are in docs/compliance/ISO/.

June 2026 sprint: JIT/Break Glass consoles, privileged-action ledger, RPAS asset register, governance incident ingest, Organisational Profile, and ADPA Production-Attested artifacts delivered. See NIST CSF 2.0 Compliance Review — Remediation progress. Gate A not met — sign-off pending.

The ICT Governance Framework has a strong documentation and policy foundation, working RBAC/authentication, RPAS governance scaffold, and deployable IaC patterns. The largest gaps are where documentation and UI overstate live capability — mock dashboards, unimplemented mapped features, and bootstrap governance artifacts.

Place emphasis on these six focus areas:

Implementation plan: Enterprise Security Seven-Pillar Implementation Plan — sprint checklists for SecOps (A–B), Software supply chain (C), and Resilience (D).

Rank Focus area Why it matters Horizon
1 Compliance integrity Mock data and A034 overclaims create audit and client trust risk 0–90 days
2 Live detect & respond Monitoring exists but incidents, SIEM correlation, and remediation are incomplete 0–90 days
3 GOVERN & ADPA production CSF 2.0 elevates GOVERN; ADPA bridge and RPAS must move from bootstrap to attested baseline 0–180 days
4 Asset & risk intelligence No authoritative asset register or live risk engine — blocks IDENTIFY and GV.RM 90–180 days
5 Supply chain & application governance Shadow IT / CASB / procurement policy strong on paper; implementation is mock 0–180 days
6 Validated business continuity Git-to-cloud recovery designed but not end-to-end tested 90–180 days

Remediation prerequisites (gate checklist)

The following must be complete before proceeding to full NIST CSF 2.0 assessment or presenting ICT Governance Framework solutions as assessed and production-ready.

Gate A — Required before full NIST CSF 2.0 assessment (P1)

ID Remediation Focus area Blocks assessment of June 2026 status
G-A1 A034 reconciled — every mapping tagged Implemented / Partial / Planned / Gap with code evidence 1 All CSF functions — integrity of evidence base ☐ Open
G-A2 Mock compliance and executive dashboards removed or explicitly demo-only; production paths use live data 1 GV.OV, DE.CM, DETECT evidence 🟢 Substantial — compliance + CISO + Executive dashboards live via GET /api/governance/executive/metrics; Strategic Initiatives demo-only
G-A3 Production CASB/vendor inventory (no in-memory mock catalog) 5 GV.SC 🟡 Partial — ingest webhook live; catalog in-memory
G-A4 Incident ticket creation wired (ServiceNow and/or Sentinel) — stub removed 2 DE.CM, RS.MA 🟡 Partial — REST ingest API live; PowerShell stub
G-A5 CSF 2.0 Organisational Profile (Current) published 3 GV.OC, entire GOVERN function 🟡 Substantial — profile v1.1 published
G-A6 Placeholder Zero Trust scores replaced with live assessment or removed from reporting 4 ID.RA, GV.RM ☐ Open
G-A7 ADPA/RPAS artifacts — SET_ME resolved; bootstrap status upgraded or formally scoped as pre-production 3 GV.PO, GV.OV 🟡 Substantial — Production-Attested

Gate A sign-off: Compliance Officer + CISO — required to open NIST CSF 2.0 Phase 3 validation.

Gate B — Required before solution / service claims (P1 + selected P2)

Complete Gate A plus:

ID Remediation Focus area Blocks June 2026 status
G-B1 Asset register service implemented (FR-GOV-004) 4 ID.AM, client asset governance claims 🟡 Substantial — API, schema, UI, tests
G-B2 Live Sentinel adverse-event correlation operational 2 DE.AE, detect/respond service SLAs 🟡 Partial — incident ingest
G-B3 End-to-end DR test executed with documented RTO/RPO 6 Business Continuity / content continuation offers 🟡 Partial — DR fields in register
G-B4 IR analysis workflow API — not documentation-only 2 Incident response solution claims ☐ Open
G-B5 Client and MSP materials reviewed — no capability claims beyond Gate B evidence 1 All client-facing solution proposals ☐ Open

Gate B sign-off: Compliance Officer + Service Delivery Lead — required for MSP tier launches and formal solution proposals.

Gate C — Required before NIST CSF 2.0 attestation (P2 completion)

Complete Gate B plus P2 remediations (HR-06 through HR-12) and Phase 3 validation evidence pack. See NIST CSF 2.0 Compliance Review — Phase 4.

What must not proceed until gates are met

Activity Minimum gate
NIST CSF 2.0 Phase 3 validation (live control testing) Gate A
NIST CSF 2.0 Phase 4 attestation / certification claim Gate C
Client audit pack citing CSF 2.0 Gate C
ICT Governance Framework solution proposal (production) Gate B
Business Continuity / content continuation service (Premium tier) Gate B (G-B3 mandatory)
Benchmarking report percentage updates for NIST CSF 2.0 Gate C

Executive summary — where to focus first

Impact vs implementation effort — prioritise upper-right (high impact, feasible effort) first.

Impact
  ▲
  │  [1 Compliance integrity]     [2 Detect & respond]
  │  [5 Supply chain]               [3 GOVERN & ADPA]
  │
  │  [6 BC validation]              [4 Asset & risk]
  │
  │  [7 Multi-cloud depth]          [8 AI/ML governance]
  │  [9 Training/LMS]               [10 DLP/Purview]
  └──────────────────────────────────────────────────► Effort
         Low                              High

Focus Area 1 — Compliance integrity (documentation = code)

Priority: CRITICAL Horizon: 0–90 days NIST refs: HR-03, HR-04 A023 alignment: Real-time monitoring credibility

Current state

Gap

Auditors and clients cannot distinguish designed from delivered. This undermines every other governance investment.

Actions

# Action Owner domain
1.1 Reconcile A034 — mark each mapping: Implemented / Partial / Planned / Gap with code links Compliance + Architecture
1.2 Replace mock dashboard data with live API feeds or clearly label UI as Demo Mode Development
1.3 Add IMPLEMENTATION-STATUS.md registry for major features (single source of truth) Project management
1.4 Review client/MSP materials — remove claims not backed by implemented controls Compliance

Success criteria

Evidence today


Focus Area 2 — Live detect, respond, and remediate

Priority: CRITICAL Horizon: 0–90 days NIST refs: HR-07, HR-08, HR-09 A023 alignment: Real-time monitoring, automated remediation

Current state

Gap

Detection without closed-loop response fails CSF 2.0 DETECT and RESPOND expectations and the framework’s own real-time monitoring narrative.

Actions

# Action Owner domain Sprint
2.1 Wire incident creation to governance API and/or ServiceNow Azure automation A
2.2 Complete Automated-Remediation-Framework.ps1 coverage for top 10 resource types Azure automation B
2.3 Implement live Sentinel correlation for adverse events (DE.AE) Security operations B
2.4 Build incident analysis workflow API (RS.AN) — link AMD records to IR tickets Development B
2.5 Validate ransomware scenario end-to-end in test tenant (detect → contain → ticket) Security + BC B / D

See Sprint A & B checklists.

Success criteria

Evidence today


Focus Area 3 — GOVERN function & ADPA production bridge

Priority: CRITICAL Horizon: 0–180 days NIST refs: HR-01, HR-05, HR-11 Strategic: ADPA → Compliance as Code

Current state

Gap

CSF 2.0 makes GOVERN foundational. The framework’s differentiator (RPAS + ADPA) is not yet production-attested — it cannot be sold or audited as operational governance.

Actions

# Action Owner domain
3.1 Publish NIST CSF 2.0 Organisational Profile (Current + Target) Compliance
3.2 Complete ADPA artifact binding — remove SET_ME; certify source of truth Governance / RPAS
3.3 Implement GOVERN oversight dashboard (metrics from live data, not mock) Development
3.4 Wire ADPA document generation to TAR-COL metadata schema Governance automation
3.5 Promote RPAS from vendor-scaffold to canonical or fully attested in-repo baseline Governance

Success criteria

Evidence today


Focus Area 4 — Asset & risk intelligence

Priority: HIGH Horizon: 90–180 days NIST refs: HR-05, HR-06 A023 alignment: Predictive analytics, risk quantification

Current state

Gap

Without authoritative asset inventory and live risk assessment, IDENTIFY function fails and prioritisation of remediation is manual and inconsistent.

Actions

# Action Owner domain  
4.1 Implement asset register API and schema (FR-GOV-004) — multi-cloud asset IDs Development Delivered June 2026 — deepen multi-cloud sync
4.2 Integrate asset register with Azure Resource Graph, M365, CASB catalog Integration  
4.3 Replace placeholder ZT scores with live telemetry-driven assessment Azure automation  
4.4 Introduce risk register (FAIR-lite minimum) linked to assets and tenants Governance  
4.5 Feed risk scores into CISO dashboard and compliance heatmap Development  

Success criteria


Focus Area 5 — Supply chain & application governance

Priority: HIGH Horizon: 0–180 days NIST refs: HR-02 A023 alignment: Multi-cloud + Shadow IT

Current state

Gap

Shadow IT, SaaS sprawl, and vendor risk are core client concerns — especially for Business Continuity and content continuation services. Policy without inventory is not governable.

Actions

# Action Owner domain Sprint
5.1 Persist CASB catalog to PostgreSQL; integrate Defender for Cloud Apps API Development C
5.2 Replace mock compliance validation with live API calls Development C
5.3 Build vendor/SaaS inventory aligned to GV.SC — link to procurement workflow Compliance C
5.4 Unify Shadow IT detection with drift taxonomy (application drift category) Security operations C
5.5 Report supply chain posture on compliance dashboard (live) Development C

See Sprint C checklist.

Success criteria

Evidence today


Focus Area 6 — Validated business continuity

Priority: HIGH Horizon: 90–180 days NIST refs: HR-12 Service: Content continuation, Git-to-cloud recovery

Current state

Gap

Clients buying continuity services need proven RTO/RPO, not documented intent. Recovery guides are scenario documentation until tested.

Actions

# Action Owner domain Sprint
6.1 Execute ransomware recovery scenario in isolated test tenant; record RTO/RPO BC / Security D
6.2 Add DR validation to CI or quarterly scheduled workflow DevOps D
6.3 Complete backup remediation logic in automation framework Azure automation D (stretch)
6.4 Package recovery attestation template for client delivery post-test Compliance D
6.5 Extend Git-to-cloud recovery script chain (validate → deploy → restore → verify) DevOps D

See Sprint D checklist.

Success criteria

Evidence today


Focus Area 7 — Multi-cloud operational depth

Priority: MEDIUM Horizon: 180–365 days A023: Critical gap (maturity 2.1 → 4.0)

Current state

Gap

Multi-cloud governance is a stated differentiator but operational tooling is Azure-weighted.

Actions


Focus Area 8 — Security awareness & data protection depth

Priority: MEDIUM Horizon: 180–365 days NIST refs: HR-10, HR-13

Current state

Actions


Effort allocation recommendation

Suggested team effort split for the next two quarters:

Focus area Q1 emphasis Q2 emphasis
1 Compliance integrity 40% 10%
2 Detect & respond 30% 20%
3 GOVERN & ADPA 15% 25%
4 Asset & risk 5% 20%
5 Supply chain 10% 15%
6 BC validation 10%
7–8 Multi-cloud, training, DLP — (backlog)

Cross-reference index

Topic Document
NIST CSF 2.0 high-risk register (HR-01–HR-15) NIST-CSF-2.0-Compliance-Review.md
Historical gap analysis (A023) A023-Governance-Gaps-and-Improvement-Opportunities.md
CSF 1.1 feature mappings A034-Compliance-Requirements-System-Features-Mapping.md
ADPA bridge & Compliance as Code README.md
Business Continuity Services README.md
Ransomware recovery scenario RPAS-Rollback-Recovery-Ransomware-Example.md
RPAS integration RPAS-Governance-Integration-Guide.md

Review cadence

Review Frequency Owner
Remediation gate progress (G-A1–G-A7) Bi-weekly Project Manager
Gate A sign-off readiness Monthly Compliance Officer
Gate B sign-off readiness Monthly Service Delivery Lead
Focus area progress Monthly Project Manager
Priority re-ranking Quarterly Compliance Officer + CISO
NIST CSF 2.0 Phase 3 validation Only after Gate A Compliance Officer
NIST CSF 2.0 Phase 4 attestation Only after Gate C Compliance Officer
Client/MSP readiness Only after Gate B Service delivery lead

Document version: 1.0
Next review: September 2026
Maintained by: ICT Governance Framework Team