Eight phases. Seven artifacts
Implementation runs as a programme. Each phase produces auditable deliverables and explicit decisions, and the deliverables are not optional: that is what makes the framework self-auditing.
F0 to F7
Scoping and design run first, human-led. The analytical engine then runs on its own cadence while translation and audit close the loop, back into the next cycle.
Direction and scope
The governing body declares purpose, objectives with measurable targets, and the materiality scope. Nothing starts before it is signed.
Business map
A Business Grid workshop maps the organization into bounded contexts around stakeholder impact, with interfaces and dependencies explicit.
Event discovery
Event Storming with the people who do the work: the real events, commands and policies, not a reference model.
Metric catalog
At least one lagging outcome and one leading signal per objective, causal link explicit, every metric gate-validated before it enters the registry.
Causal analysis
The DCCA pipeline stands up in coverage mode and runs on its own published cadence from the first cycle, no outcome labels needed.
Intervention design
Pipeline output becomes a control library with test procedures and owners. Staggered rollout preserves a holdout, so effects stay measurable.
GRC translation
The work becomes the documents the organization operates on: policies, procedures, registers, and the executive dashboard.
Audit and improve
The first internal audit runs against the new baseline. Findings feed the improvement plan, and the next cycle of F0 to F3.
The key invariant: no metric reaches executive visibility without traversing all eight phases at least once. A metric introduced outside the sequence is an unauthorized metric until it is anchored to an objective, a context, an event and a registry entry.
Seven artifacts, one repository
A0 to A6 constitute a defensible compliance baseline. The artifact layer is a view over a shared repository, so the same obligation, risk or control appears in several artifacts without duplication.
Scope statement and stakeholder map
Delimits the boundaries of governance across the security, privacy and AI management scopes. Prevents perimeter creep.
Anchors ISO/IEC 27001International Organization for Standardization (2022) ISO/IEC 27001:2022. Geneva: ISO., ISO 37301International Organization for Standardization (2021) ISO 37301:2021. Geneva: ISO., ISO/IEC 42001International Organization for Standardization (2023) ISO/IEC 42001:2023. Geneva: ISO., ISO/IEC 27701International Organization for Standardization (2025) ISO/IEC 27701:2025. Geneva: ISO.
Compliance obligations register
A living list of obligations, regulatory and contractual. GDPREuropean Union (2016) Regulation (EU) 2016/679 (General Data Protection Regulation). and the EU AI ActEuropean Union (2024) Regulation (EU) 2024/1689 (Artificial Intelligence Act). anchor here alongside their ISO counterparts.
Anchors ISO 37301, GDPR, EU AI Act
Policy portfolio
Security, compliance, privacy and AI policies: intent, objectives and improvement commitments, approved by top management.
Anchors ISO/IEC 27001, ISO 37301, ISO/IEC 27701, ISO/IEC 42001
Risk methodology and criteria
Acceptance, evaluation and treatment criteria, so risk decisions are repeatable, comparable and documented with justification.
Anchors ISO 31000International Organization for Standardization (2018) ISO 31000:2018. Geneva: ISO., ISO/IEC 27001, ISO 37301, ISO/IEC 42001
Statements of applicability
Security and AI. Evidence that the necessary controls were considered, with every exclusion rationalized and traceable.
Anchors ISO/IEC 27001 Annex A, ISO/IEC 42001 Annex A
AI system impact register
Identifies, evaluates and addresses the impacts of AI systems. EU AI Act classification anchors here.
Anchors ISO/IEC 42001, EU AI Act
Internal audit and management review
Converts conformity into a cycle of verification and improvement. The one role independent of delivery, which is what makes its findings credible.
Anchors ISO/IEC 27001, ISO 37301, ISO/IEC 27701, ISO/IEC 42001
Every artifact is versioned, owned, classified and retained under one documentary-control template. The governing body stays accountable for all of it; delegation never transfers accountability.
Four cadences. One loop
The pipeline
Criterion scores, composites, snapshots and attribution, on the published cadence.
Operational review
Compliance, risk owners and security review the scorecard and in-flight remediation.
Executive review
The governing body reviews control effectiveness, objectives and scope changes.
Strategic review
Full re-evaluation of direction and scope against the year's evidence. The next cycle begins.
Weeks, minimum, in a small organization. Parallel workstreams in a larger one.
The recommended sequence
- Sign F0. Purpose, objectives, materiality scope. Produce the scope statement.
- Run F1 and F2 in parallel. Business Grid with the executive team, then Event Storming per context.
- Run F3. One lagging outcome and one leading signal per objective, registered with formula, cadence, owner and evidence.
- Stand up F4 in coverage mode. Useful scores from the first cycle; no waiting for outcome history.
- Draft the obligations register and policies in parallel.
- Produce the risk methodology and the statements of applicability.
- Run F5. Controls with tests and owners, rolled out staggered.
- Run F6. Publish the dashboard, the responsibility matrix and the runbooks.
- Run F7. First internal audit against the new baseline; findings feed the next cycle.