What is meant by Governance Framework? Why is ISO 27000 certification more attractive to companies than COSO or COBIT certification?

An organization’s Governance Framework is a blueprint that is created or adopted to ensure that their policies, practices, and infrastructure “supports and enables the achievement of its strategies and objectives” (Xanthos, 2003).

COSO is a framework heavily targeted towards providing reasonable assurance that an organization’s financial controls are in place and function accurately.

COBIT is a governance framework that aligns business and control requirements with technical issues and aids in assessing and managing I.T. security and risks. It is highly popular with IT auditors. The COSO and COBIT are typically favored by public companies that need to comply with Sarbanes-Oxley Act (SOX).

The ISO 27000 series focuses on providing an internationally recognized governance framework for Information Security Management and the Code of Practice for Information Security Management. It is universally adopted and can be adapted to meet the needs of any kind of organization that looking for an Information Security framework. Additionally, ISO 27001 and ISO 270001 comply with applicable laws and regulations (for instance Tennessee State Laws) and are considered the minimum requirements to provide a secure operation (Johnson, 2015).

This makes the ISO 27000 certifications more attractive to companies than the more COSO and COBIT ones.


Johnson, R. (2015). Security Policies and Implementation Issues (2nd. Ed.). Burlington, MA: Jones and Bartlett Learning. ISBN: 987-1-284-05593-3.

Xanthos. (2003). IT Governance. Retrieved from https://www.itgovernance.co.uk/it_governance