ICT Governance Framework — ISO Alignment
Document ID: ISO-GF-ALIGN-001
Date: June 2026
Scope: Entire ICT Governance Framework mapped to applicable ISO standards
Parent: ISO Standards Library
This document maps framework sections and capabilities to ISO standards. It does not assert certification. See Reassessment 2026 for evidence-based posture.
1. Framework foundation
The ICT Governance Framework declares ISO/IEC 38500 as its foundational governance model, supplemented by ISO/IEC 27001 for information security, ISO 31000 for risk, ISO 22301 for continuity, and ISO/IEC 20000 for service management.
| Framework element |
Primary ISO standard |
Alignment mechanism |
| Purpose and scope |
ISO/IEC 38500 |
Six principles + EDM cycle |
| Unified Governance Platform |
ISO/IEC 38500, 27001 |
Centralized oversight, RBAC, audit logging |
| Three-tier / multi-tier governance structure |
ISO/IEC 38500 § Responsibility |
Council → Domain Owners → Stewards |
| Seven security pillars |
ISO/IEC 27001 Annex A |
Pillar contract tests + services |
| Compliance and regulatory alignment section |
27001, 38500, 27701 (via GDPR) |
Policy library + ADPA lineage |
| Monitoring and continuous improvement |
38500 Monitor, 9001, 20000 |
KPIs, executive metrics, SLA services |
| Multi-cloud multi-tenant scope |
27017, 27018 |
Shared responsibility, tenant isolation |
2. Governance structure ↔ ISO/IEC 38500
| Framework component |
38500 principle |
EDM phase |
Framework reference |
| ICT Governance Council |
Responsibility, Strategy |
Direct |
Strategic decisions, policy approval |
| Domain Owners (Identity, Data, Network, etc.) |
Responsibility, Performance |
Direct, Monitor |
Domain accountability |
| Technology Stewards |
Responsibility, Conformance |
Monitor |
Operational compliance |
| Policy library |
Conformance, Strategy |
Direct |
docs/policies/ |
| KPI catalog / governance metrics |
Performance |
Evaluate, Monitor |
ICT Governance Metrics |
| Procurement / vendor governance |
Acquisition |
Direct |
Vendor registry, marketplace services |
| Training and human behaviour |
Human behaviour |
Direct |
docs/training/ |
| ADPA governance artifacts |
All six principles |
Evaluate–Direct–Monitor |
ADPA module |
→ Detailed mapping: ISO 38500 Framework Crosswalk
3. Seven pillars ↔ ISO/IEC 27001
| Pillar |
Framework scope |
ISO 27001:2022 themes |
Implementation evidence |
| Identity |
MFA, JIT, break-glass, privileged access |
A.5.15–A.5.18, A.8.2, A.8.5 |
jit-ledger, identity.contract.test.js |
| Devices |
Managed devices, compliance checks |
A.8.1, A.8.3, A.7.9 |
device-compliance-check.js, devices.contract.test.js |
| Software |
CASB, shadow IT, supply chain |
A.8.1, A.8.19, A.5.19–A.5.23 |
software-casb-ingest.js, software.contract.test.js |
| Network |
Segmentation, Zero Trust |
A.8.20–A.8.22 |
Network policies, network.contract.test.js |
| Data |
Classification, protection, privacy |
A.5.12–A.5.14, A.8.10–A.8.12 |
Data pillar templates, data.contract.test.js |
| SecOps |
Incidents, monitoring, remediation |
A.5.24–A.5.28, A.6.8 |
Incident ingest, secops.contract.test.js |
| Resilience |
Backup, DR, recovery |
A.5.29–A.5.30, A.8.13–A.8.14 |
DR fields, resilience.contract.test.js |
→ Detailed mapping: ISO 27001 Seven-Pillar Crosswalk
4. Framework domains ↔ ISO standards
4.1 Infrastructure and multi-cloud
| Framework scope item |
ISO standards |
Framework assets |
| Networks, servers, cloud |
27001 A.8, 27017 |
Blueprint templates, Azure/AWS/GCP governance |
| Endpoint devices |
27001 A.8, A.7 |
Device registration, compliance check |
| Tenant isolation |
27001 A.5.23, 27017 |
Multi-tenant framework, Bicep blueprints |
4.2 Security
| Framework scope item |
ISO standards |
Framework assets |
| Identity and access |
27001 A.5, A.8 |
JIT, break-glass, RBAC |
| Threat protection |
27001 A.8, A.5.7 |
SecOps services, MITRE enrichment |
| Zero Trust |
27001, NIST (paired) |
Zero Trust Maturity Model |
| Shadow IT detection |
27001 A.8.1, A.5.19 |
CASB ingest, asset register |
4.3 Applications and software
| Framework scope item |
ISO standards |
Framework assets |
| Enterprise / SaaS apps |
27001 A.8.19 |
Software pillar, governed app store |
| Supply chain |
27001 A.5.19–A.5.23 |
Vendor registry, procurement SLA |
| Power Platform / low-code |
27001 A.8.32 |
ADPA power-platform template |
4.4 Data and privacy
| Framework scope item |
ISO standards |
Framework assets |
| Data classification |
27001 A.5.12, 27002 |
Data pillar, Purview integration (planned) |
| Privacy / PII |
27701, 27018 |
Data privacy policy templates, GDPR mappings |
| Records of processing |
27701, GDPR |
A034 GDPR mappings |
4.5 Risk management
| Framework scope item |
ISO standards |
Framework assets |
| Enterprise risk |
31000 |
FAIR risk engine, calibration |
| Risk assessment |
31000, 27001 Clause 6 |
fair-risk-engine.js, governance incidents |
| FAIR quantification |
31000 (quantitative intent) |
fair_model_calibration.sql, scheduler |
4.6 Business continuity and resilience
| Framework scope item |
ISO standards |
Framework assets |
| Backup and recovery |
22301, 27001 A.8.13 |
RPAS, Git-to-cloud recovery design |
| DR posture |
22301 |
Asset register DR fields |
| Incident-driven recovery |
22301, 27001 A.5.29 |
Governance incident lifecycle |
4.7 Service management
| Framework scope item |
ISO standards |
Framework assets |
| SLAs and obligations |
20000 |
Obligation-SLA binding, compliance escalation SLA |
| Change management |
20000, 27001 A.8.32 |
Policy templates, RPAS change controls |
| Continual improvement |
20000, 9001 |
Improvement focus areas, benchmarking framework |
4.8 Emerging technology
| Framework scope item |
ISO standards |
Framework assets |
| IoT |
30141 |
IoT Governance Framework |
| AI / ML |
42001, 23053 |
AI control plane service, EU AI Act alignment |
| Blockchain |
ISO/TC 307 |
Blockchain governance policies |
| Sustainability |
14001 |
Sustainability scope in framework |
ISO/IEC 27001 ISMS clauses (high level)
| 27001 clause |
Framework capability |
Status |
| 4 Context |
Organisational profile (NIST), tenant manifests |
Partial |
| 5 Leadership |
Governance council, roles doc |
Documented |
| 6 Planning |
Risk engine, requirements |
Partial–live |
| 7 Support |
Training, ADPA templates |
Documented |
| 8 Operation |
Seven pillars, automation |
Partial–live |
| 9 Performance evaluation |
Contract tests, executive metrics |
Partial |
| 10 Improvement |
Improvement focus areas, remediation orchestrator |
Partial |
ISO/IEC 38500 Evaluate–Direct–Monitor
| Phase |
Framework capability |
Status |
| Evaluate |
Gap analysis, maturity assessment, FAIR, benchmarking |
Partial–live |
| Direct |
Policies, ADPA charter, procurement governance |
Strong (documented) |
| Monitor |
Compliance dashboards, lineage, escalations, KPIs |
Substantial |
7. Tenant and MSP delivery
Tenants consuming the framework receive ISO-aligned artefacts through ADPA:
- Governance charter — 38500 Strategy, Responsibility
- RACI / operating model — 38500 Responsibility, Human behaviour
- KPI catalog — 38500 Performance
- Compliance-as-code map — 38500 Conformance, 27001
- ISO 38500 crosswalk — per-tenant EDM evidence
- Control-level escalations — 27001 Annex A with certification impact detail
Example: adpa/tenants/tenant-contoso-health/documents/
| Gap |
ISO impact |
Remediation |
| A034 not reconciled |
All ISO mappings |
G-A1 — Roadmap |
| 38500 not in lineage bridge |
38500 attestation |
P1 roadmap item |
| No living SoA template |
27001 |
P2 roadmap item |
| BC not exercised |
22301 |
G-B3 |
| 27001 blueprint 2013 refs |
27001 |
Update Bicep template |
| ISO 42001 not inventoried |
AI governance |
P3 roadmap item |