control framework


A control framework is a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a commonly used framework for internal controls. The COSO framework is designed to provide a model that corporations can use to run an efficient and well-controlled financial environment.

COSO's main components:

  • Internal control environment
  • Objective setting
  • Event identification
  • Risk assessment
  • Risk response
  • Control activities
  • Information and communication
  • Monitoring

According to COSO, those components constitute a viable framework for describing and analyzing an organization's internal control system in a way that conforms to financial compliance regulations. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting.

IT controls are a subset of internal controls related to information technology (IT). IT control frameworks include COBIT (Control Objectives for Information and Related Technology), ISO/IEC 17799: Code of Practice for Information Security Management and ITIL (Information Technology Infrastructure Library).


See also: PCI-DSS, enterprise risk management (ERM), compliance, governance, risk and compliance (GRC), GRC software

This was last updated in March 2011
