Back The blueprint

Eight phases. Seven artifacts

Implementation runs as a programme. Each phase produces auditable deliverables and explicit decisions, and the deliverables are not optional: that is what makes the framework self-auditing.

F0 to F7

Scoping and design run first, human-led. The analytical engine then runs on its own cadence while translation and audit close the loop, back into the next cycle.

F0

Direction and scope

The governing body declares purpose, objectives with measurable targets, and the materiality scope. Nothing starts before it is signed.

F1

Business map

A Business Grid workshop maps the organization into bounded contexts around stakeholder impact, with interfaces and dependencies explicit.

F2

Event discovery

Event Storming with the people who do the work: the real events, commands and policies, not a reference model.

F3

Metric catalog

At least one lagging outcome and one leading signal per objective, causal link explicit, every metric gate-validated before it enters the registry.

F4

Causal analysis

The DCCA pipeline stands up in coverage mode and runs on its own published cadence from the first cycle, no outcome labels needed.

F5

Intervention design

Pipeline output becomes a control library with test procedures and owners. Staggered rollout preserves a holdout, so effects stay measurable.

F6

GRC translation

The work becomes the documents the organization operates on: policies, procedures, registers, and the executive dashboard.

F7

Audit and improve

The first internal audit runs against the new baseline. Findings feed the improvement plan, and the next cycle of F0 to F3.

The key invariant: no metric reaches executive visibility without traversing all eight phases at least once. A metric introduced outside the sequence is an unauthorized metric until it is anchored to an objective, a context, an event and a registry entry.

Minimum viable compliance

Seven artifacts, one repository

A0 to A6 constitute a defensible compliance baseline. The artifact layer is a view over a shared repository, so the same obligation, risk or control appears in several artifacts without duplication.

A1

Compliance obligations register

A living list of obligations, regulatory and contractual. GDPREuropean Union (2016) Regulation (EU) 2016/679 (General Data Protection Regulation). and the EU AI ActEuropean Union (2024) Regulation (EU) 2024/1689 (Artificial Intelligence Act). anchor here alongside their ISO counterparts.

Owner compliance function
Anchors ISO 37301, GDPR, EU AI Act
A2

Policy portfolio

Security, compliance, privacy and AI policies: intent, objectives and improvement commitments, approved by top management.

Owner compliance and system owners
Anchors ISO/IEC 27001, ISO 37301, ISO/IEC 27701, ISO/IEC 42001
A3

Risk methodology and criteria

Acceptance, evaluation and treatment criteria, so risk decisions are repeatable, comparable and documented with justification.

Owner risk function
Anchors ISO 31000International Organization for Standardization (2018) ISO 31000:2018. Geneva: ISO., ISO/IEC 27001, ISO 37301, ISO/IEC 42001
A4

Statements of applicability

Security and AI. Evidence that the necessary controls were considered, with every exclusion rationalized and traceable.

Owner security and AI leads
Anchors ISO/IEC 27001 Annex A, ISO/IEC 42001 Annex A
A5

AI system impact register

Identifies, evaluates and addresses the impacts of AI systems. EU AI Act classification anchors here.

Owner AI governance lead
Anchors ISO/IEC 42001, EU AI Act
A6

Internal audit and management review

Converts conformity into a cycle of verification and improvement. The one role independent of delivery, which is what makes its findings credible.

Owner internal audit
Anchors ISO/IEC 27001, ISO 37301, ISO/IEC 27701, ISO/IEC 42001

Every artifact is versioned, owned, classified and retained under one documentary-control template. The governing body stays accountable for all of it; delegation never transfers accountability.

Operating rhythm

Four cadences. One loop

Continuous

The pipeline

Criterion scores, composites, snapshots and attribution, on the published cadence.

Monthly

Operational review

Compliance, risk owners and security review the scorecard and in-flight remediation.

Quarterly

Executive review

The governing body reviews control effectiveness, objectives and scope changes.

Annual

Strategic review

Full re-evaluation of direction and scope against the year's evidence. The next cycle begins.

10–12

Weeks, minimum, in a small organization. Parallel workstreams in a larger one.

The recommended sequence

  1. Sign F0. Purpose, objectives, materiality scope. Produce the scope statement.
  2. Run F1 and F2 in parallel. Business Grid with the executive team, then Event Storming per context.
  3. Run F3. One lagging outcome and one leading signal per objective, registered with formula, cadence, owner and evidence.
  4. Stand up F4 in coverage mode. Useful scores from the first cycle; no waiting for outcome history.
  5. Draft the obligations register and policies in parallel.
  6. Produce the risk methodology and the statements of applicability.
  7. Run F5. Controls with tests and owners, rolled out staggered.
  8. Run F6. Publish the dashboard, the responsibility matrix and the runbooks.
  9. Run F7. First internal audit against the new baseline; findings feed the next cycle.