
Choosing the right IT governance framework isn’t just about compliance: it’s about control, accountability, and making sure your technology investments actually support your business goals.
Whether you're focused on regulatory requirements, cybersecurity risk, enterprise architecture, or return on investment, the right framework provides structure. It gives leadership clarity, IT teams direction, and stakeholders confidence.
In this guide, we’ll walk through eight of the most widely used IT governance frameworks today, including:
- COBIT
- NIST Cybersecurity Framework
- TOGAF
- VAL IT
- PRINCE2
- CMMI
- FAIR
- ISO/IEC 38500
We’ll also help you understand when each framework makes sense, and how to choose the right one for your organisation.
Let’s start with one of the most established names in IT governance...
COBIT Framework
If you're looking for a structured, comprehensive approach to IT governance, COBIT is usually where the conversation starts.
COBIT stands for Control Objectives for Information and Related Technology. Developed by ISACA, it’s one of the most recognised frameworks for aligning IT strategy with business objectives while maintaining strong oversight, risk management, and regulatory compliance.
The latest version, COBIT 2019, builds on decades of evolution (the framework was first introduced in 1996) and remains highly relevant for organisations operating in complex regulatory environments.
At its core, COBIT is designed to help businesses:
- Align IT goals with wider business strategy
- Manage risk in a structured way
- Improve governance and accountability
- Demonstrate compliance
- Optimise IT investment and performance
COBIT 5 set out five key principles, which COBIT 2019 carries forward (reworded, and joined by a sixth: a dynamic governance system):
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
That last point is particularly important. Governance is about direction and oversight. Management is about execution. COBIT clearly defines the difference: something many organisations struggle with in practice.
For mid-sized and larger organisations, especially those in regulated industries, COBIT provides depth and maturity. It’s not lightweight, but that’s often the point.
NIST Cybersecurity Framework
While COBIT takes a broad governance view, the NIST Cybersecurity Framework focuses specifically on cybersecurity risk.
Developed by the U.S. National Institute of Standards and Technology (NIST), this framework was first introduced in 2014 to create a common language around managing and reducing cyber risk. It has since become one of the most widely adopted cybersecurity governance models globally.
What makes the CSF powerful is its simplicity.
It’s structured around a small set of core functions. Version 1.x defined five; CSF 2.0, published in 2024, added a sixth, Govern, which sits across the other five:
- Govern: Set and monitor the organisation’s cybersecurity risk management strategy, expectations, and policy
- Identify: Understand your assets, risks, and vulnerabilities
- Protect: Implement safeguards to reduce risk
- Detect: Identify cybersecurity events quickly
- Respond: Take action when incidents occur
- Recover: Restore operations and strengthen resilience
The framework is scalable, meaning it works just as well for SMEs as it does for enterprise organisations. It doesn’t prescribe specific tools: instead, it provides structure for building a cybersecurity programme that fits your risk profile.
For businesses concerned about ransomware, supply chain exposure, or regulatory scrutiny, NIST provides a strong operational backbone.
It’s particularly effective when combined with wider governance or compliance frameworks: giving you both strategic oversight and tactical security execution.
TOGAF (The Open Group Architecture Framework)
If your challenge isn’t just governance, but architectural complexity, then TOGAF often enters the picture.
TOGAF (The Open Group Architecture Framework) is an enterprise architecture methodology. It helps organisations design, plan, implement, and govern IT architecture in a structured and repeatable way.
Where COBIT focuses on governance controls and NIST focuses on cybersecurity, TOGAF zooms out. It looks at how your entire technology landscape supports your business strategy.
At its core, TOGAF helps organisations:
- Align IT architecture with business objectives
- Reduce duplication and inefficiencies
- Improve system integration
- Manage transformation programmes more effectively
- Control costs during large-scale change
TOGAF is built around four architectural domains:
- Business Architecture: How the organisation operates
- Application Architecture: The systems that support the business
- Data Architecture: How data is structured and managed
- Technology Architecture: The infrastructure supporting everything
It’s especially useful for larger organisations undergoing digital transformation, mergers, system modernisation, or cloud migration.
That said, TOGAF can be heavyweight. It requires commitment, clear ownership, and leadership buy-in. For smaller organisations, it may be more structure than necessary. But when IT complexity grows, having a disciplined architectural framework can prevent long-term fragmentation and costly rework.
VAL IT Governance Framework
While frameworks like COBIT focus on governance controls, VAL IT shifts the conversation toward value.
Developed by ISACA, VAL IT was created to complement COBIT by focusing specifically on IT investment decisions and return on investment. In other words, it helps organisations answer a critical question:
Are we actually getting value from our technology spend?
VAL IT provides structure around:
- Evaluating IT investment proposals
- Managing IT-enabled business investments
- Measuring realised benefits
- Ensuring accountability for outcomes
It encourages organisations to treat IT investments the same way they would any major capital investment — with defined business cases, measurable benefits, and ongoing performance monitoring.
The framework is built around three core domains:
- Value Governance: Ensuring value management practices are embedded
- Portfolio Management: Managing the full range of IT investments
- Investment Management: Overseeing individual initiatives
VAL IT is particularly useful for organisations that:
- Run large transformation programmes
- Invest heavily in digital initiatives
- Struggle to quantify IT ROI
- Want clearer financial oversight of technology projects
On its own, VAL IT doesn’t replace a full governance framework. But when paired with something like COBIT, it strengthens the financial discipline behind IT decision-making. Note that ISACA no longer publishes VAL IT as a standalone framework: its content was folded into COBIT 5 in 2012 and lives on in the benefits-delivery and portfolio-management objectives of COBIT 2019.
PRINCE2 (PRojects IN Controlled Environments)
Strictly speaking, PRINCE2 isn’t an IT governance framework. It’s a project management methodology.
But if your organisation delivers IT change through structured projects, which most do, PRINCE2 has a direct impact on IT governance and strategy.
PRINCE2 provides a clear framework for managing projects in a controlled, stage-based way. It focuses on:
- Defined roles and responsibilities
- Structured planning and documentation
- Risk management
- Budget and timeline control
- Clear decision points at every stage
The methodology is built around seven principles: continued business justification, learning from experience, defined roles and responsibilities, managing by stages, managing by exception, focusing on products, and tailoring to suit the project.
For businesses with heavy project workloads, such as software implementations, infrastructure upgrades, or digital transformation initiatives, PRINCE2 introduces governance discipline at the delivery level.
It ensures that:
- Projects remain aligned with business objectives
- Risks are identified early
- Budgets are monitored closely
- Leadership retains visibility and control
If COBIT governs the “what” and “why” of IT, PRINCE2 helps manage the “how” of execution.
Used together, they create stronger oversight from strategy through to delivery.
CMMI IT Governance Framework
If your focus is improving internal processes and building long-term capability, CMMI is worth serious consideration.
CMMI stands for Capability Maturity Model Integration. Unlike frameworks that concentrate purely on governance controls, CMMI is about process maturity and continuous improvement.
It’s commonly used in:
- Software development
- Systems engineering
- Service delivery
- Product development environments
The core idea is simple: organisations move through defined levels of maturity, from reactive and inconsistent processes to optimised, continuously improving operations.
CMMI defines five maturity levels, numbered 1 to 5:
- Initial: Processes are unpredictable and reactive
- Managed: Processes are planned and tracked
- Defined: Processes are standardised across the organisation
- Quantitatively Managed: Processes are measured and controlled
- Optimising: Continuous improvement is embedded
For leadership teams, this provides clarity. You can assess where you are today and define what improvement looks like in practical terms.
CMMI is particularly valuable for organisations that:
- Deliver complex technical services
- Need consistency across teams
- Operate in regulated or high-risk industries
- Want measurable improvement over time
It doesn’t replace broader governance frameworks like COBIT, but it strengthens operational maturity underneath them.
FAIR IT Governance Framework
If most governance frameworks feel broad or principle-based, FAIR takes a different approach. It focuses specifically on quantifying cyber risk in financial terms.
FAIR stands for Factor Analysis of Information Risk. It is maintained by the FAIR Institute and published by The Open Group as the Open FAIR standard. Rather than simply identifying threats or assigning “high/medium/low” ratings, FAIR decomposes risk into loss event frequency and loss magnitude and helps organisations measure it in monetary value.
That changes the conversation.
Instead of saying: “This is a high cybersecurity risk.”
You can say: “This risk could cost the business £1.2 million annually if left untreated.”
For boards and executive teams, that level of clarity is powerful.
FAIR enables organisations to:
- Quantify cyber and operational risk
- Model potential financial impact
- Prioritise mitigation strategies based on exposure
- Support investment decisions with real data
It’s particularly useful for organisations that:
- Report to boards or investors
- Operate in high-risk sectors
- Need defensible, data-backed risk reporting
- Want to justify cybersecurity spend clearly
Unlike traditional governance frameworks, FAIR doesn’t set out how to run IT. It provides a structured way to analyse and communicate risk.
When paired with frameworks like NIST or COBIT, FAIR strengthens executive-level decision-making by translating technical risk into business language.
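To make the quantification concrete, here is an added example (not from the original article, and not tooling from the FAIR Institute or The Open Group): a small Monte Carlo in Python that follows the FAIR decomposition, loss event frequency = threat event frequency × vulnerability, loss magnitude = primary + secondary loss, and turns three-point estimates into an annualised loss distribution. It then compares an untreated ransomware scenario with the same scenario after a control, the way a FAIR analysis supports a spend decision. The scenario names, ranges and the £150k control cost are all constructed for illustration, not real data.

```python
"""FAIR-style Monte Carlo loss exposure (added example, not from the article).

Decomposition follows the FAIR taxonomy:
  Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
  Loss Magnitude (LM)        = Primary loss + Secondary loss
  Annual loss                = sum of LM over the loss events in one year
All scenario figures below are constructed for illustration only.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreePoint:
    """Calibrated estimate as (minimum, most likely, maximum).

    Sampled with a triangular distribution as a standard-library stand-in for
    the PERT curve FAIR analysts usually use; its mean is (low + mode + high) / 3.
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: ThreePoint             # threat events per year
    vulnerability: ThreePoint   # probability a threat event becomes a loss event
    primary_loss: ThreePoint    # direct cost per loss event, GBP (response, downtime)
    secondary_loss: ThreePoint  # consequential cost per loss event, GBP (fines, churn)

    def expected_annual_loss(self) -> float:
        """Closed-form mean: factors are independent, so E[ALE] = E[TEF]*E[V]*(E[PL]+E[SL])."""
        return self.tef.mean() * self.vulnerability.mean() * (
            self.primary_loss.mean() + self.secondary_loss.mean())


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year at rate lam (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate(scenario: Scenario, iterations: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo over `iterations` simulated years; returns summary statistics in GBP."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        loss = 0.0
        for _ in range(poisson(rng, lef)):  # each loss event draws its own magnitude
            loss += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        annual_losses.append(loss)
    annual_losses.sort()

    def percentile(q: float) -> float:
        return annual_losses[min(len(annual_losses) - 1, int(q * len(annual_losses)))]

    return {
        "mean": statistics.fmean(annual_losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "max": annual_losses[-1],
        "zero_loss_years": sum(1 for x in annual_losses if x == 0.0) / len(annual_losses),
    }


def net_benefit(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Expected annual loss avoided by a control, net of what the control costs."""
    return before.expected_annual_loss() - after.expected_annual_loss() - annual_control_cost


# Constructed scenario: ransomware against an internet-exposed file server.
UNTREATED = Scenario(
    name="ransomware, no offline backups",
    tef=ThreePoint(0.5, 2.0, 6.0),
    vulnerability=ThreePoint(0.2, 0.5, 0.9),
    primary_loss=ThreePoint(50_000, 200_000, 800_000),
    secondary_loss=ThreePoint(0, 100_000, 1_000_000),
)
# Same threat after adding immutable backups and EDR (assumed effect on V and primary loss).
TREATED = Scenario(
    name="ransomware, immutable backups + EDR",
    tef=UNTREATED.tef,
    vulnerability=ThreePoint(0.05, 0.15, 0.4),
    primary_loss=ThreePoint(20_000, 80_000, 300_000),
    secondary_loss=UNTREATED.secondary_loss,
)

if __name__ == "__main__":
    for s in (UNTREATED, TREATED):
        r = simulate(s)
        print(f"{s.name}: mean £{r['mean']:,.0f}  p50 £{r['p50']:,.0f}  "
              f"p90 £{r['p90']:,.0f}  p99 £{r['p99']:,.0f}  "
              f"loss-free years {r['zero_loss_years']:.0%}")
    print(f"net benefit of control at £150k/yr: £{net_benefit(UNTREATED, TREATED, 150_000):,.0f}")
```

Two points worth noticing when you run it. First, the mean is not the whole story: the p90 and p99 figures are what a board should see alongside it, because a heavy-tailed loss distribution can have a modest average and still carry a plausible seven-figure year. Second, the closed-form expected loss is enough to compare two scenarios, but only the simulation tells you how often the untreated case produces a year with no loss at all, which is exactly the intuition ("nothing has happened yet") that an unquantified risk register lets people hide behind. The triangular distribution and the independence of the factors are simplifying assumptions made here for a standard-library example.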
ISO/IEC 38500:2015 IT Governance Framework
If your focus is board-level responsibility and corporate oversight, ISO/IEC 38500:2015 is particularly relevant.
Unlike more detailed frameworks such as the NIST CSF or COBIT, ISO/IEC 38500 is designed for directors and senior executives. It provides guidance on how organisations should govern IT as part of overall corporate governance.
In simple terms, it answers this question:
Are we governing our use of IT responsibly, ethically, and legally?
The framework is built around six core principles:
- Responsibility
- Strategy
- Acquisition
- Performance
- Conformance
- Human Behaviour
It encourages leadership teams to evaluate IT decisions through the lens of accountability, compliance, and long-term value creation.
ISO/IEC 38500 is especially useful for organisations that:
- Operate in regulated industries
- Have formal board governance structures
- Want stronger executive oversight of IT
- Need to demonstrate responsible IT leadership to stakeholders
It doesn’t provide operational controls. Instead, it sets expectations at the highest level of governance — ensuring IT supports business strategy while remaining compliant and ethically managed.
For many organisations, ISO/IEC 38500 works best alongside more detailed operational frameworks, creating alignment between board oversight and day-to-day IT execution.
How Do You Choose the Right IT Governance Framework?
With so many options available, the “best” framework depends on what you’re trying to solve. Are you tightening regulatory oversight? Reducing cyber risk? Improving architectural clarity? Or trying to get better return on IT investment?
Here’s a simple way to think about it:
- If regulatory compliance and structured oversight are your priority: COBIT
- If cybersecurity risk management is central: NIST CSF, with FAIR to quantify the exposure
- If enterprise complexity is growing: TOGAF
- If proving the value of IT investment is the problem: VAL IT (alongside COBIT)
- If project governance is your main challenge: PRINCE2
- If operational maturity needs improvement: CMMI
- If board-level accountability is key: ISO/IEC 38500
In practice, most organisations use a combination. The real objective isn’t adopting a framework for the sake of it: it’s creating alignment between IT, risk, and business strategy.
And that’s where many businesses struggle.
Frameworks provide structure. But successful implementation requires experience, interpretation, and integration with your wider technology environment.
Contact Lyon Tech
At Lyon Tech, we provide a comprehensive IT governance service as part of a fully managed and integrated solution. If you have any questions on IT governance or would like to know which methodology would be most suitable for your industry and operational needs, contact our expert advisors for an informal chat today.
Our industry experts can help you adopt and refine an IT governance framework that gives your business the best return on investment for any IT infrastructure or system.
