Building projects using a framework

A framework is a structured set of information that you can use to build multiple projects. Projects can inherit information from frameworks. For example, you can use frameworks to effectively manage a single set of objectives, risks, and controls that are used in multiple projects.

Frameworks help reduce the manual effort involved in setting up projects, and can be used to centrally manage information in evolving regulatory and business environments.

At the end of this tutorial, we also discuss more advanced cases that allow frameworks to absorb improvements made in individual projects by front-line control owners.


You own two projects:

  • Physical Security Review
  • Security Audit

As you think about defining risks and controls, you recognize that similar risks and controls can be applied to both projects.

However, creating similar risks and controls in each project is a time-consuming task. You want to be able to create one set of risks and controls that can be used across both projects, update those risks and controls from a central location, and sync changes to the appropriate projects, when necessary.

Before you start

This tutorial walks you through the key areas in the Frameworks and Projects apps that relate to the task of managing a single set of risks and controls.

Before you start this tutorial, ensure you have the appropriate permissions to create frameworks and projects.

1. Create your projects

The first step is to create the projects that will eventually inherit data from your framework.

  1. Open the Projects app and create the following projects:

    Project  Name                      Project Type
    1        Physical Security Review  Internal Audit (Operational)
    2        Security Audit            Internal Audit (Operational)

2. Create a framework

Now, create a framework, the master repository for your risks and controls. The framework will eventually contain risks and controls that you can use in multiple projects.

  1. Open the Frameworks app.
  2. Click Start a New Framework.
  3. Enter the following information:
    • Name: Security Framework
    • Description: A set of common risks and controls typically used in security-related projects.
    • Project Type: Internal Audit (Operational)

      Notice that you selected the same project type for the framework as you did for the projects. This project type is categorized under Workplan Projects, which is a type of workflow that defines the components available in a project. It is important that your framework matches the workflow of your projects so that you can share information between frameworks and projects. For more information, see Workflows and project types.

  4. Click Save.

    Result: The new framework is created.

3. Define objectives, risks, and controls in the framework

Objectives form the basis of a framework, and they are also the organizing containers for risks and controls. In this tutorial, you will set up four objectives in the framework you just created. Since we will be working with training content, each of the objectives will be automatically set up with risks and controls.

  1. Click the Sections tab.
  2. Click Import Objective, and under Content Library, select Training Content - Security Review.
  3. Select each objective and click Import.
  4. Refresh the page.

    Result: You have defined four objectives in the framework. Each objective contains a list of risks and associated controls.

4. Import objectives, risks, and controls from the framework to each project

The next step is to import the objectives containing the risks and controls into the applicable projects.

Importing objectives from a framework to a project creates a link between the objectives, risks, and controls in the framework and those in the project. This link allows you to centrally manage changes to objectives, risks, and controls in the framework, and sync changes to those in the project.

  1. Open the Projects app.
  2. Select the Physical Security Review project.
  3. Click the Fieldwork tab.
  4. Click Import Objective, and under Framework, select Security Framework.
  5. Select each objective and click Import.
  6. Refresh the page.
  7. Repeat these steps for the Security Audit project.

Result: The objectives containing the risks and controls are imported to the project. The objectives, risks, and controls in the project are linked to the objectives, risks, and controls in the framework.

5. Update a framework

Now, you may want to update risks and controls, and make sure that the changes are reflected in the applicable projects. You can do this by managing all of your changes in the framework, and syncing the updates to projects. Let's try updating a risk together.

  1. Click the project drop-down list, click Planning and results, and click Frameworks.
  2. Open the Security Framework, and click Sections.
  3. Click Go To next to Ensure policies are designed appropriately, and select Project Plan.
  4. Select any risk, update a field associated with the risk, and click Save.

    For example, update the Risk Title or Description.

  5. Click the Dashboard tab. The dashboard displays the risk you recently updated.
  6. Click Update All to reflect the update in the projects.

Result: The objectives, risks, and controls in the projects are updated to be the same as those in the framework.

How to get the most out of frameworks

Now that you have learned how to manage a single set of objectives, risks, and controls, there are a couple of other strategies that you can use to make effective use of frameworks.

Use frameworks as templates

Frameworks dictate the fields the projects must use, but the values in the fields can be specific to each project.

To use the framework as a template, define the fields you need within the framework, but keep the values blank. For example, you may need to define several control attributes. You can define these fields within the framework, and specify the values for these fields within the relevant projects.

For more information, see Customizing terms, fields, and notifications.

Use frameworks to build similar types of projects

If your organization performs different types of projects (such as SOX Audits, IT Audits, and Operational Audits), you can set up a framework that corresponds with each type of project.

Sync changes from projects to a framework

In more advanced cases, you can also sync changes from a project to the framework that it's linked to.

Since objectives, risks, and controls can be used by multiple projects, a framework administrator might want to absorb changes made to projects by front-line control owners or SOX teams. Once those changes are brought into the framework, they can be synced to the same objectives, risks, and controls in other projects, distributing improvements more widely in your organization. To learn more, see Syncing projects with frameworks.