Back to Blog
General

Five Frameworks Every IT Professional Should Understand — Even If You're Not in Security

The frameworks were never the barrier — the vocabulary was, and once you have the words for what you were already doing, the room changes completely.

June 16, 202610 min read
Share:

You're in a meeting. Someone mentions COBIT or ISO 27001. The room nods. You nod too. You have no idea what they're actually talking about.

Nobody in IT really talks about that moment. But almost everyone has been there.

I've been there. My first professional role was as a system administrator for a state ministry. I came into IT through engineering — electrical and computer engineering — so I knew how to solve problems. I could fix network issues, diagnose hardware faults, handle the technical challenges that landed on my desk every day. The team respected my skills and I was genuinely good at the work.

But whenever certain conversations came up — about processes, governance, how the systems we were running connected to the organisation's bigger picture — I felt completely out of place. People were referencing things I had no language for. I had frameworks from my engineering background. IEC standards. CIPP. Nothing that translated into the room I was suddenly sitting in.

What I didn't know then is that I was already applying the principles of these frameworks. I was doing the work. I just didn't have the vocabulary to describe it in a way the room could follow.

This post is for anyone in that same position. The developer, the sysadmin, the infrastructure engineer, the IT support analyst who is technically strong but sometimes struggles to own the room. And if you're reading this from outside the field entirely — curious, considering a move, trying to understand how this world actually works — you belong here too.

These five frameworks will not make you a compliance officer or a security architect overnight. What they will do is change how you think, how you operate, and how confidently you show up in rooms where decisions are being made.


What a framework actually is

Forget the textbook definition for a moment.

A framework is a structured way of thinking about a problem. It tells you what to consider, in what order, and why it matters. It gives you and everyone around you a shared language — and shared language, in any organisation, is power.

Most IT professionals avoid frameworks because they feel like bureaucracy. Like compliance. Like something the policy team deals with, not the people actually keeping the lights on. That instinct is understandable. It is also costing people more than they realise.

When you don't understand the frameworks that govern how technology is managed, secured, and aligned to business goals — you are always following. Always reacting. Always a step behind the conversation. Learning even the basics of these five changes that.


1. ITIL — The language of IT service delivery

ITIL stands for Information Technology Infrastructure Library. If you have ever worked a help desk, managed incidents, handled change requests, or been part of any IT team in a mid to large organisation — you have already been living inside ITIL without knowing it.

ITIL provides a structured way to think about how IT delivers services to a business. Incidents, problems, changes, service requests — it gives each of these a name, a process, and a purpose. The reason organisations refer to things the way they do in IT service environments is largely because of ITIL.

_Why it matters even if you are not in security:_ Every IT role touches service delivery at some level. Understanding ITIL means you stop seeing a support ticket as just a task and start seeing it as part of a broader system. That shift alone changes how you approach your work and how you speak about it.

_The skill it builds:_ Process thinking. The ability to see your individual role within the larger picture of how your team delivers value to the organisation.

_The human payoff:_ When you understand the process around you, you stop feeling reactive and start feeling intentional. That is a meaningful shift in confidence — especially in the earlier stages of your career.

I remember working in an application security support role where our platform ran instances for a significant number of customers. The volume of incidents was high — bugs, automation failures, the usual noise that comes with a complex environment. What I noticed early on was that customers weren't just frustrated by the incidents themselves. They were frustrated by the silence. They'd be dealing with disruptions to their own operations, their own stakeholders asking questions upward, and they had nothing to tell them.

So I built a microscript. Nothing sophisticated — a structured broadcast template I'd send to the customers on my list whenever an incident hit that affected their instance. What was happening. What we were doing about it. What to expect next. No jargon. Just clear, direct communication.

It wasn't part of any formal process. The platform's maturity model hadn't reached that point. I just knew that if I were on the other side of that incident, I'd want someone to tell me something.

What happened next was unexpected. Customer feedback started travelling upward — through satisfaction reviews, through scores, into conversations at senior management level. Eventually leadership reached out to me directly to understand what I was doing. That microscript became the foundation for a formal customer communication template that was embedded directly into the platform's SLA agreement.

It was only when I came to study ITIL that I understood what I had actually been doing — incident communication management, one of the core disciplines of the framework. I had been operating on ITIL principles without ever having heard the name. The framework just gave me the language for what good practice already looked like in action.


2. NIST Cybersecurity Framework — Security literacy without the specialisation

The NIST Cybersecurity Framework was developed by the National Institute of Standards and Technology, originally designed for critical infrastructure in the United States. What it became is something considerably more useful — a common language for how any organisation thinks about cybersecurity risk.

The whole framework breaks down into five functions: Identify, Protect, Detect, Respond, Recover. Five words. That is the entire skeleton.

_Why it matters even if you are not in security:_ You do not need a security title to make decisions that affect security. Developers make those decisions every day. Infrastructure engineers build the environments that need protecting. Support staff are often the first to know when something goes wrong. NIST CSF gives all of these roles a mental model for thinking about risk that does not require a specialisation.

_The skill it builds:_ Risk awareness. The ability to look at a system, a process, or a decision and ask — what could go wrong here, and what is already in place to handle it?

_The human payoff:_ When security conversations come up in cross-functional meetings, you are no longer a passenger. You have a map.

A few years ago I was brought onto the end-to-end delivery of a large-scale medical vaccine manufacturing plant in Ireland. I came in as an IT manager. What I became over the following weeks was something closer to a risk advisor in the room.

During the early planning sessions, the team was working through a lift and shift policy — the plan to migrate and deploy IT systems across the facility. The environment was complex. These were computer systems directly connected to sophisticated medical manufacturing machines. The margin for error was not abstract. We were not talking about a software bug someone would patch next sprint.

What I flagged — and what was not in anyone's plan — was the absence of a feedback loop from the onsite IT technicians who would physically be building and configuring these systems. The people executing the deployment had no structured channel to surface what they were encountering on the ground back to the planning team.

Nobody pushed back hard at the time. It felt like an observation, not a critical intervention.

Then the deployment began. In the first week, three significant issues were flagged — machines that had not been properly hardened during the build process. The kind of failure that, without that feedback mechanism, could have sat undetected for weeks or months before anyone at the planning level connected the dots. In an environment like that, correcting thousands of improperly built machines is not a technical inconvenience. It is a multi-million euro problem and a regulatory one at that.

The feedback loop was built in. The issues were caught early and contained. And somewhere in that experience I understood viscerally what NIST CSF means when it talks about the Identify function — genuinely seeing the gaps in your protection posture before they become disasters, not after.


3. ISO 27001 — The risk and control mindset

ISO 27001 is an international standard for information security management. In practice it is a framework for building and maintaining a system of controls around how information is protected across an organisation.

It sounds like compliance territory. And it is. But the way it teaches you to think about risk and controls has value far beyond any audit cycle or certification process.

_Why it matters even if you are not in security:_ Understanding ISO 27001 means you start asking why controls exist rather than just following them. You begin to see the logic behind access management, data handling policies, incident response procedures. That understanding makes you significantly more effective in any technical role because you can engage with the reasoning, not just the instruction.

_The skill it builds:_ Control thinking. The ability to evaluate whether a safeguard is proportionate to the risk it is trying to address — and to explain that clearly to people who are not technical.

_The human payoff:_ You stop treating security policies as obstacles and start treating them as design decisions. That shift changes how you engage with security teams and how seriously they engage with you in return.

For a long time, my relationship with security controls was purely functional. Find the risk. Document it. Drop it into the register. Move on. The question of why a particular control existed — what business consequence it was protecting against, what scenario it was specifically designed to prevent — rarely came into it.

The bottleneck that created was subtle at first. But it showed up consistently in the same place: stakeholder conversations. We'd arrive with a list of technical risks that had been identified and documented, and the room would sit there politely before asking the question that always came next — so what does this mean for us, practically?

We didn't always have a clean answer. Not because we didn't understand the risks technically. Because we hadn't connected them to the language and concerns of the business. The findings were accurate. The framing wasn't landing.

ISO 27001 changed that for me. Not by adding more complexity, but by giving me the framework to understand what each control is actually protecting at an organisational level — what the real consequence is when it fails, and who in the business needs to understand that consequence and why it belongs to them. Once I had that, the risk register stopped being a list of technical observations and started being the foundation for a prioritised business conversation. Stakeholders stopped nodding politely and started making actual decisions about what to mitigate and when.

That shift — from logging risks to driving mitigation — came directly from understanding the reasoning behind the controls, not just the controls themselves.


4. COBIT — Where IT meets business

COBIT stands for Control Objectives for Information and Related Technologies. It is a governance framework that connects IT processes to business goals and organisational accountability structures.

If ITIL is about how IT delivers services, COBIT is about why IT exists in an organisation at all — and how leadership should oversee and direct it to create real value.

_Why it matters even if you are not in security:_ The moment you work on anything that crosses team boundaries — projects involving leadership, procurement, external auditors, or board-level reporting — COBIT's logic starts appearing. Understanding it means you understand how IT decisions are made at an organisational level, not just a technical one.

_The skill it builds:_ Business alignment. The ability to frame your technical work in terms that matter to people who do not think in technical terms.

_The human payoff:_ This is the framework that earns you a seat at the table. Not because of a qualification on your CV, but because you can speak the language of IT governance in a way that makes sense to senior stakeholders. That is a different kind of credibility.

This one I'll be honest about, because it reflects a gap I carried for longer than I should have.

For a significant part of my career, I understood IT risk at a technical level. What I didn't fully understand was how to position that risk within the governance structures of the organisations I was working in. Who actually owned it. Who held the authority to accept, reject, or escalate it. How a technical finding needed to be framed to reach the people with the power to act on it — and in a form they could actually use.

The result was that solid risk work sometimes disappeared into the system. Findings were documented. Reports were submitted. Registers were updated. And then nothing moved. Not because the risk wasn't real or wasn't understood technically, but because the people with decision-making authority weren't receiving it in the terms that made it actionable for them.

COBIT gave me the map I was missing. It made visible how IT governance actually functions inside an organisation — who is accountable for what at each level, how risk appetite is set and by whom, and how technical findings need to be translated and routed to drive decisions rather than simply inform them. Understanding the governance structure meant I finally knew which room to take a finding to, in which language, framed around which business concern.

The work didn't change. The framing and the routing did. And that change is what finally started moving things. Risks that had sat in registers for months began to be addressed, because the right people were finally hearing them the right way.


5. TOGAF — Thinking like an enterprise architect

TOGAF — The Open Group Architecture Framework — helps you understand how all the pieces of an organisation's technology environment fit together. It is used by enterprise architects to design, plan, and govern large-scale technology systems and transformations.

Most IT professionals never formally encounter TOGAF. Which is exactly why the ones who do carry a visible edge.

_Why it matters even if you are not in security:_ When decisions are being made about infrastructure, systems integration, digital transformation, or technology strategy — those conversations follow a logic. TOGAF gives you that logic. Even a working familiarity with its language means you can follow and eventually contribute to those conversations, rather than simply waiting to be handed the outcome.

_The skill it builds:_ Systems thinking. The ability to see how a change in one part of a technology environment ripples through everything connected to it.

_The human payoff:_ You stop thinking about your role in isolation and start seeing the whole board. That perspective is what separates people who execute tasks from people who shape solutions — and it is noticed.

I've always thought in systems. It's probably the engineering background — the instinct to look at a problem and immediately start tracing how the components connect, where the dependencies sit, what breaks if you pull on a particular thread.

The challenge with instinct is that it lives in your head. You can see the connections clearly. Translating them into something a room full of stakeholders can follow — especially when they're making decisions about large, complex technology environments — is an entirely different skill.

TOGAF gave me the language for what I was already seeing. I used to describe it as having the invisible lines suddenly become visible — the connections I had been tracing intuitively in my mind became something I could articulate, structure, and present in a way that moved people to decisions rather than more questions and more rounds of clarification.

The practical effect was real. Projects moved faster through delivery. Designs that had previously required multiple iterations — because stakeholders couldn't visualise clearly enough what I was describing to commit with confidence — started landing with fewer revisions. The second-guessing I used to carry into design phases quietly reduced, because we were working from the same documented map rather than me hoping my mental model matched what the room was imagining.

TOGAF didn't make me a better systems thinker. It made my systems thinking legible to everyone else in the room. And that difference — between seeing clearly and being able to bring others along with you — is where a lot of the real leverage sits.


What changes when you understand more than one of these

Here is something nobody tells you early enough in an IT career — frameworks talk to each other.

ITIL tells you how IT delivers services. COBIT tells you how those services connect to business goals. NIST and ISO 27001 tell you how to protect them. TOGAF tells you how to design the environment they live in. Once you understand more than one, you stop being a specialist who does one thing well and start becoming someone who can see across the whole conversation. That is a genuinely different kind of value.

Now about imposter syndrome — because it is worth addressing directly.

When I look back at that first role at the state ministry, I was functional. I was solving real problems. I was respected for my skills. But I felt out of place because I did not have the language to describe what I was doing in terms the room understood. I was doing the work of someone who understood these frameworks intuitively — the problem-solving, the structured thinking, the processes — but I could not name any of it. And without the names, I could not own it.

When I eventually started learning these frameworks, something unexpected happened. I did not discover new skills. I discovered the names and structures for things I had been doing all along. That recognition — realising I had already been applying these principles without knowing it — shifted something significant in how I carried myself and how I spoke about my work. The conversations I used to observe, I started contributing to. The rooms I used to feel like a visitor in, I started belonging in.

Imposter syndrome in IT is rarely about competence. It is usually about vocabulary. These frameworks give you the vocabulary. And vocabulary, used well, is confidence.


Where to go from here

You do not need to certify in all five of these tomorrow. Start with the one that matches where you are right now.

In a service delivery or support role — start with ITIL. Working in an environment where security conversations are becoming more frequent — start with NIST CSF. Looking to move into roles that touch governance or leadership — COBIT is your next read.

What matters is that you start deliberately rather than waiting for someone to tell you it is relevant to your role. Because the professionals who understand how IT governance and security frameworks actually operate — regardless of their specific title — are consistently the ones who punch above their weight in any room they walk into.

If this kind of thinking resonates with you — practical, grounded, no fluff — follow along. This is what I write about: GRC, AI security, and building a real career in cybersecurity without the noise.

And if you want to go deeper on GRC specifically, I am building something for exactly that. More coming soon.

Stay Updated

Get the latest security insights delivered to your inbox.

No spam. Unsubscribe anytime.

Comments (0)

Leave a Comment

Comments are moderated before appearing.