How the UCF Works

Nobody thinks about compliance frameworks in terms of modularity – except the Unified Compliance team.

This is an “artist view” of the Unified Compliance Framework. It is built out as a suite of compliance elements, each of which performs a specific function to aid you in organizing, interpreting, or auditing your compliance content. Because the UCF is element-based, it can be rearranged or extended as needed.



The harmonized title the UCF team has given all those who either publish or promulgate authority documents.


Authority Documents

Statutes, regulations, directives, principles, standards, guidelines, best practices, policies, and procedures.



A passage or expression in a document that is quoted or cited.


Common Controls

The specific steps or actions within a compliance mandate that must be met to fulfill a compliance requirement. Common Controls harmonize wording across Authority Documents so you can compare Authority Documents or track your compliance status.


A service or thing owned by an organization or person that falls under the purview of an Authority Document's controls either because of its value or its configuration properties.

Configuration Items

A part of an asset specifically called out during the audit process.

Configuration Methods

An object that can be used to modify software functionality.


An abbreviation formed from the initial letters of words in a phrase.


A modifiable element within a Configurable Item that can affect performance and system function.


A compliance document comprised of controls within an organization, such as a checklist, framework, plan, policy, standard, procedure, template.


The organization that creates an Asset.


The Compliance Dictionary gives the people writing compliance guidelines, and those tasked with understanding and implementing them, a way to efficiently check their language choices and standardize terminology.


A word or phrase that represents the function an individual, process, organization, etc. is supposed to achieve.


The activities and actions an organization must track to comply with various controls.

Triggering Events

A unique activity within a given process or state that causes an event or situation to happen.


A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.


A named, organized body of people with a particular purpose, especially a business, society, association, etc. For generic, unnamed organizations, see Group designator.


A division within an organization or a formation of individuals outside an organization. A generic, unnamed organization.

Organization Functions

The high-level administrative departments of an organization.

Organization Tasks

An individual process or task an organization performs.

Record Category

A class, grouping, or set of records.

Record Examples

An individual record within a Record Category.

Data Contents

A field within a record.

Why have a framework at all?

A framework is an extensible structure for describing a set of concepts, methods, and technologies as an integrated set of policies and procedures designed to assist organizations in achieving their goals and objectives. Frameworks have become a necessary means to distill and harmonize the various controls forced upon us by the increasing number of regulatory guidelines burdening today’s organizations. It is not uncommon for a single mid-sized organization to fall under Gramm-Leach-Bliley, HIPAA, PCI-DSS, and multiple state and international privacy regulations.

We covered the three steps you need to comply above. What a framework allows you to do is add one more step: de-duplication of effort. Any organization that falls under multiple regulatory guidelines will fall prey to overlapping Mandates (how many ways can you say “protect the information”?). Your compliance framework should not only cover how to organize your Authority Documents and interpret their Mandates; it should also provide a methodology for de-duplicating those Mandates, as well as a methodology for adding or clarifying audit questions when they are unclear or missing.

Therefore, a compliance framework is the structure you build around your compliance program so that you

  1. know which Authority Documents to follow,
  2. interpret them so that you can communicate which Mandates must be followed,
  3. de-duplicate your efforts to whatever extent allowable, and
  4. provide an auditing methodology to prove their implementation.

The Unified Compliance Framework provides you with the tools and methodologies to accomplish these four objectives.