Framework Builder
Create and customize compliance frameworks tailored to your clients’ specific regulatory, contractual, or organizational requirements. The visual Framework Builder provides a drag-and-drop interface for defining controls, mapping them to Microsoft 365 settings, and organizing requirements into logical groups.
Note: While OpsPilot365 includes pre-built frameworks for SOC 2, HIPAA, CMMC, NIST 800-171, CIS Microsoft 365 Benchmarks, ISO 27001, and GDPR, the Framework Builder allows MSPs to create custom frameworks for industry-specific requirements, client contractual obligations, or internal security standards.
Framework Builder Overview
| Metric | Value |
|---|---|
| Built-in Frameworks | 7 |
| Custom Frameworks | 4 |
| Control Library Items | 320 |
| Framework Versions | 12 |
Building a Custom Framework
- Define Framework Metadata — Set the framework name, description, version number, and applicable industry or use case. Tag the framework for easy discovery and assignment.
- Create Requirement Groups — Organize your framework into logical sections (Access Control, Data Protection, Monitoring, Incident Response). Groups can be nested up to three levels deep.
- Add Controls — Pull from the shared control library, clone controls from existing frameworks, or create new controls from scratch. Each control includes an ID, title, description, and assessment criteria.
- Map to Microsoft 365 Settings — Link each control to specific Microsoft 365 configuration settings. Mapped controls can be automatically assessed during compliance scans.
- Configure Assessment Rules — Define pass/fail criteria. Supported rule types: boolean, threshold, regex, and custom evaluation rules.
- Publish and Assign — Publish the framework and assign it to specific tenants or tenant groups. Only published versions are used in assessments; drafts are never assigned.
Control Library
| Category | Controls | Auto-Assessable | M365 Settings Mapped |
|---|---|---|---|
| Access Control | 48 | 42 (88%) | Conditional Access, MFA, PIM, RBAC |
| Data Protection | 38 | 30 (79%) | DLP, Sensitivity Labels, Encryption, Sharing |
| Audit and Logging | 28 | 26 (93%) | Unified Audit Log, Mailbox Audit, Retention |
| Device Management | 35 | 32 (91%) | Intune Compliance, BitLocker, Autopilot |
| Email Security | 32 | 28 (88%) | Anti-spam, Anti-phishing, Safe Links, DMARC |
| Threat Protection | 42 | 36 (86%) | Defender, ASR Rules, Alert Policies, Secure Score |
| Governance | 25 | 8 (32%) | Policy documents, training records, procedures |
Requirement Definition
- Control Properties — Unique identifier, title, description, assessment type (automated/manual), severity weight, evidence requirements, remediation guidance, and cross-references.
- Assessment Rules — Boolean checks, value comparisons, pattern matching (regex), list inclusion, and multi-condition logic (AND/OR).
- Evidence Requirements — Required evidence types, collection frequency, and auto-collection capability.
- Cross-Framework Mapping — Map custom controls to equivalent controls in built-in frameworks for cross-framework reporting.
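The assessment rules described above (boolean, threshold/value comparison, regex, list inclusion, and AND/OR composition) can be modelled as small data structures evaluated against a snapshot of tenant settings. The following is an added example, not OpsPilot365 code: the rule schema, the snapshot layout, the dotted setting names and the sample controls are all assumptions constructed for illustration. It shows the two failure modes a practitioner cares about most, a control with no rule (manual, excluded from the score) and a control whose setting cannot be read from the snapshot (reported as an error and scored as a fail rather than silently skipped).

```python
"""Evaluate framework assessment rules against a tenant settings snapshot.

Added example, not OpsPilot365 code. The rule schema and the settings snapshot are
assumptions modelled on the rule types listed above: boolean, threshold (value
comparison), regex, list inclusion, and all/any composition.
"""
import operator
import re

# Constructed tenant snapshot. Keys follow the dotted paths the import table uses for
# m365_setting (e.g. conditionalAccess.mfaRequired); the setting names are illustrative.
TENANT_SNAPSHOT = {
    "conditionalAccess": {"mfaRequired": True, "legacyAuthBlocked": False},
    "auditLog": {"unifiedAuditEnabled": True, "retentionDays": 90},
    "sharing": {"externalSharingLevel": "existingExternalUserSharingOnly"},
    "email": {"dmarcPolicy": "v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.example"},
}

# Constructed controls. GV-1.1 has no rule (manual); TP-1.1 names a setting absent from the snapshot.
SAMPLE_CONTROLS = [
    {"control_id": "AC-1.1", "severity": 5,
     "rule": {"type": "boolean", "setting": "conditionalAccess.mfaRequired", "expected": True}},
    {"control_id": "AC-1.2", "severity": 4,
     "rule": {"type": "boolean", "setting": "conditionalAccess.legacyAuthBlocked", "expected": True}},
    {"control_id": "AU-1.1", "severity": 3,
     "rule": {"type": "all", "rules": [
         {"type": "boolean", "setting": "auditLog.unifiedAuditEnabled", "expected": True},
         {"type": "threshold", "setting": "auditLog.retentionDays", "op": ">=", "value": 90}]}},
    {"control_id": "DP-2.1", "severity": 3,
     "rule": {"type": "in", "setting": "sharing.externalSharingLevel",
              "allowed": ["disabled", "existingExternalUserSharingOnly"]}},
    {"control_id": "ES-3.1", "severity": 4,
     "rule": {"type": "regex", "setting": "email.dmarcPolicy", "pattern": r"\bp=(quarantine|reject)\b"}},
    {"control_id": "GV-1.1", "severity": 2, "rule": None},
    {"control_id": "TP-1.1", "severity": 3,
     "rule": {"type": "boolean", "setting": "defender.safeLinksEnabled", "expected": True}},
]

_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, ">=": operator.ge,
        "<": operator.lt, "<=": operator.le}


def lookup(snapshot, path):
    """Resolve a dotted setting path; raise KeyError if any segment is missing."""
    node = snapshot
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(path)
        node = node[part]
    return node


def evaluate(rule, snapshot):
    """Return True if the rule passes. Composite rules recurse; leaf rules read one setting."""
    kind = rule["type"]
    if kind in ("all", "any"):
        results = [evaluate(r, snapshot) for r in rule["rules"]]
        return all(results) if kind == "all" else any(results)
    value = lookup(snapshot, rule["setting"])
    if kind == "boolean":
        # Strict: only a real bool equal to the expectation passes; None or "true" does not.
        return isinstance(value, bool) and value == rule["expected"]
    if kind == "threshold":
        return _OPS[rule["op"]](value, rule["value"])
    if kind == "regex":
        return re.search(rule["pattern"], str(value)) is not None
    if kind == "in":
        return value in rule["allowed"]
    raise ValueError(f"unknown rule type {kind!r}")


def assess(controls, snapshot):
    """Return ({control_id: status}, score). Status is pass, fail, manual or error.
    Manual controls are excluded from the severity-weighted score; a control whose
    setting cannot be read is reported as error and scored as a fail, never skipped."""
    statuses, earned, possible = {}, 0, 0
    for control in controls:
        rule = control.get("rule")
        if rule is None:
            statuses[control["control_id"]] = "manual"
            continue
        try:
            passed = evaluate(rule, snapshot)
            status = "pass" if passed else "fail"
        except KeyError:
            passed, status = False, "error"
        statuses[control["control_id"]] = status
        possible += control["severity"]
        earned += control["severity"] if passed else 0
    score = round(100 * earned / possible) if possible else 0
    return statuses, score


if __name__ == "__main__":
    statuses, score = assess(SAMPLE_CONTROLS, TENANT_SNAPSHOT)
    for cid, status in statuses.items():
        print(f"{cid:8} {status}")
    print(f"weighted score: {score}")
```

Treating an unreadable setting as an error rather than a pass matters when a framework is published to a tenant that lacks the licensed feature: the gap shows up in the report instead of inflating the score. The weighted score here is the example's own formula, not the product's scoring model.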
Import from Spreadsheet
Note: Import framework definitions from CSV or Excel spreadsheets to quickly create custom frameworks from existing documentation.
| Column | Required | Description | Example |
|---|---|---|---|
| control_id | Yes | Unique identifier | AC-1.1 |
| title | Yes | Control title | Enforce MFA for All Users |
| description | Yes | Detailed description | All user accounts must have MFA enabled… |
| group | Yes | Requirement group | Access Control |
| severity | No | Severity weight (1-5) | 5 |
| assessment_type | No | Automated or manual | automated |
| m365_setting | No | Microsoft 365 setting to evaluate | conditionalAccess.mfaRequired |
| cross_reference | No | Related controls in other frameworks | NIST:IA-2, CIS:5.2.1 |
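The column layout above is enough to write an importer that validates a spreadsheet before anything reaches the Framework Builder. The following is an added example, not the OpsPilot365 importer: it reads a constructed CSV in the documented layout, checks the required columns, rejects duplicate control_ids and out-of-range severities, parses the `cross_reference` column into (framework, control) pairs, and groups the surviving controls by requirement group. Two checks go beyond the table and are this example's assumptions: a control marked automated must name an m365_setting, and a blank assessment_type is inferred from whether a setting is present. Rows with any problem are rejected whole and reported with their line number so the spreadsheet can be corrected and re-imported.

```python
"""Parse and validate a framework definition CSV in the documented column layout.

Added example, not the OpsPilot365 importer. Validation beyond the documented column
table (automated controls need an m365_setting; blank assessment_type is inferred)
is an assumption of this example.
"""
import csv
import io
from collections import defaultdict

REQUIRED = ("control_id", "title", "description", "group")
VALID_ASSESSMENT_TYPES = {"automated", "manual"}

# Constructed sample import file (not a customer's data). Lines 5 and 6 are deliberately
# invalid: a duplicate control_id, a severity outside 1-5 and an automated control with no setting.
SAMPLE_CSV = """\
control_id,title,description,group,severity,assessment_type,m365_setting,cross_reference
AC-1.1,Enforce MFA for All Users,All user accounts must have MFA enabled.,Access Control,5,automated,conditionalAccess.mfaRequired,"NIST:IA-2, CIS:5.2.1"
AC-1.2,Block Legacy Authentication,Legacy authentication protocols must be blocked.,Access Control,4,automated,conditionalAccess.legacyAuthBlocked,CIS:5.2.2
GV-1.1,Security Policy Approved,An approved information security policy exists.,Governance,2,manual,,ISO27001:A.5.1
AC-1.1,Duplicate Identifier,This row reuses an existing control_id.,Access Control,3,manual,,
DP-2.1,Restrict External Sharing,External sharing is limited to existing guests.,Data Protection,9,automated,,NIST:AC-21
"""


def parse_cross_references(field):
    """'NIST:IA-2, CIS:5.2.1' -> [('NIST', 'IA-2'), ('CIS', '5.2.1')]; blank -> []."""
    refs = []
    for token in (t.strip() for t in field.split(",") if t.strip()):
        framework, sep, control = token.partition(":")
        if not (sep and framework and control):
            raise ValueError(f"malformed cross-reference {token!r}")
        refs.append((framework, control))
    return refs


def import_framework(csv_text, name):
    """Return (framework, errors). framework = {'name', 'groups': {group: [control, ...]}};
    errors = [(line_number, message)]. A row with any problem is rejected whole."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing required columns: {missing}")
    groups, errors, seen_ids = defaultdict(list), [], set()
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        row = {k: (v or "").strip() for k, v in row.items()}
        problems = []
        cid = row["control_id"]
        for col in REQUIRED:
            if not row[col]:
                problems.append(f"{col} is required")
        if cid in seen_ids:
            problems.append(f"duplicate control_id {cid!r}")
        severity = None  # optional column; left unset when blank
        if row.get("severity"):
            if row["severity"].isdigit() and 1 <= int(row["severity"]) <= 5:
                severity = int(row["severity"])
            else:
                problems.append(f"severity {row['severity']!r} not in 1-5")
        setting = row.get("m365_setting") or None
        # Assumption: blank assessment_type means automated when a setting is mapped, else manual.
        atype = (row.get("assessment_type") or "").lower() or ("automated" if setting else "manual")
        if atype not in VALID_ASSESSMENT_TYPES:
            problems.append(f"assessment_type {atype!r} must be automated or manual")
        elif atype == "automated" and not setting:
            problems.append("automated control needs an m365_setting to evaluate")
        try:
            refs = parse_cross_references(row.get("cross_reference") or "")
        except ValueError as exc:
            problems.append(str(exc))
            refs = []
        if problems:
            errors.extend((lineno, p) for p in problems)
            continue
        seen_ids.add(cid)
        groups[row["group"]].append({
            "control_id": cid, "title": row["title"], "description": row["description"],
            "severity": severity, "assessment_type": atype, "m365_setting": setting,
            "cross_references": refs,
        })
    return {"name": name, "groups": dict(groups)}, errors


if __name__ == "__main__":
    framework, errors = import_framework(SAMPLE_CSV, "Contoso Baseline")
    for group, controls in framework["groups"].items():
        print(group, [c["control_id"] for c in controls])
    for lineno, message in errors:
        print(f"line {lineno}: {message}")
```

Running the block imports three controls (two under Access Control, one under Governance) and reports three problems on lines 5 and 6. Rejecting the duplicate rather than overwriting the earlier control is deliberate: a silent overwrite would drop a mapped control from the published framework without any trace in the import result.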
Framework Versioning
- Version History — Every change is tracked with version number, description, author, and timestamp.
- Draft and Published States — Edit in draft mode without affecting active assessments. Publish when ready.
- Version Rollback — Revert to a previous framework version if changes cause unintended assessment results.
Best Practices
- Start by cloning the closest built-in framework and customizing rather than building from scratch
- Map as many controls as possible to automated Microsoft 365 setting checks
- Include cross-framework references so remediation actions address gaps in multiple frameworks
- Use the spreadsheet import for large frameworks with hundreds of controls
- Test custom frameworks against a development tenant before assigning to production
- Publish updates as new versions rather than editing the published version directly
API Reference
- GET /api/addons/trust-center/frameworks — List all frameworks
- POST /api/addons/trust-center/frameworks — Create a new custom framework
- GET /api/addons/trust-center/frameworks/:frameworkId/controls — List controls within a framework
- POST /api/addons/trust-center/frameworks/:frameworkId/controls — Add a control to a framework
- POST /api/addons/trust-center/frameworks/:frameworkId/publish — Publish a draft framework version
- POST /api/addons/trust-center/frameworks/import — Import from CSV or Excel
- GET /api/addons/trust-center/frameworks/:frameworkId/versions — List version history
- GET /api/addons/trust-center/control-library — Browse the shared control library