A control framework is a set of fundamental controls that must be in place to prevent financial or information loss in an organization.
The concept of “control” migrated to technology from the financial world and the financial controls that auditors looked for when they were reviewing an organization’s accounting practices. It’s tied tightly to the concepts of risk analysis because controls are designed to prevent common attacks or mitigate vulnerabilities.
For example, “separation of duties” is a control that is required in an accounting system: someone who handles cash should not be allowed access to the records for cash in the accounting system.
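The separation-of-duties control above can be enforced in code in two ways: as a detective check that reviews existing role assignments for conflicts, and as a preventive check that refuses a role grant which would create one. The example below is added here and is not from the original page; the role names, the conflict rules and the sample assignments are all constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample rules (hypothetical role names, not from any real framework).
# Each separation-of-duties (SoD) rule names two roles one person must never hold together.
SOD_RULES: Dict[frozenset, str] = {
    frozenset({"cash_handler", "cash_ledger_write"}): "cash handling vs. recording of cash",
    frozenset({"vendor_create", "payment_approve"}): "vendor creation vs. payment approval",
}


def find_sod_violations(
    assignments: Dict[str, Set[str]], rules: Dict[frozenset, str] = SOD_RULES
) -> List[Tuple[str, str]]:
    """Detective control: return (user, rule) for every rule a user's combined roles break."""
    violations = []
    for user, roles in sorted(assignments.items()):
        for pair, description in rules.items():
            if pair <= roles:  # user holds both conflicting roles
                violations.append((user, description))
    return violations


def can_grant(
    user: str,
    new_role: str,
    assignments: Dict[str, Set[str]],
    rules: Dict[frozenset, str] = SOD_RULES,
) -> Tuple[bool, Optional[str]]:
    """Preventive control: refuse a grant that would leave the user holding a conflicting pair."""
    prospective = assignments.get(user, set()) | {new_role}
    for pair, description in rules.items():
        if pair <= prospective:
            return False, description
    return True, None


# Constructed sample assignments; "bob" already violates the cash-handling rule.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"cash_handler"},
    "bob": {"cash_handler", "cash_ledger_write"},
    "carol": {"vendor_create"},
}

if __name__ == "__main__":
    for user, rule in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"SoD violation: {user} ({rule})")
    ok, why = can_grant("alice", "cash_ledger_write", SAMPLE_ASSIGNMENTS)
    print("grant alice cash_ledger_write:", "allowed" if ok else f"refused ({why})")
```

Running the review over the sample data reports only bob, and the grant to alice is refused because it would reproduce the same conflict. An auditor working from a control framework would look for both pieces: the periodic review that catches existing conflicts and the gate that stops new ones being created.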
Presenting the controls in a framework allows an organization to review its controls against the framework and against those of other similar organizations. Auditors can use these frameworks to define an audit project. In certain industries, use of a particular control framework may be required by law or by a regulatory organization.