Custom Frameworks
Build and manage custom compliance frameworks tailored to your organization’s or clients’ specific requirements. OpsPilot365 Trust Center lets MSPs define custom controls, map them to Microsoft 365 configurations, and track compliance alongside built-in frameworks.
Note: Custom Frameworks is part of the Trust Center add-on. It allows MSPs to create bespoke compliance frameworks for client-specific requirements, industry-specific regulations not covered by built-in frameworks, or internal security standards applied across managed tenants.
Framework Builder Overview
The Custom Framework Builder provides a structured workflow: (1) Define Framework — name, description, scope, and metadata, (2) Create Controls — define requirements and acceptance criteria, (3) Map Controls — link to M365 settings and existing controls, (4) Deploy and Monitor — assign to tenants and enable scanning.
Creating a Custom Framework
| Field | Description | Required |
|---|---|---|
| Framework Name | Display name (e.g., “Internal Security Baseline”) | Yes |
| Framework ID | Unique identifier used in APIs and reports | Yes |
| Description | Detailed description of the framework’s purpose and scope | Yes |
| Version | Version number for tracking revisions (e.g., “1.0”, “2.1”) | Yes |
| Category | Framework category (Security, Privacy, Operational, Custom) | Optional |
| Control Domains | Organizational groupings (e.g., “Access Control”, “Data Protection”) | Optional |
| Applicable Tenants | Which tenants this framework applies to (all, specific list, or tag-based) | Yes |
| Scan Schedule | How often to assess controls (daily, weekly, monthly, manual) | Optional |
Defining Custom Controls
| Control Property | Description | Example |
|---|---|---|
| Control ID | Unique reference identifier | ISB-AC-001 |
| Title | Short descriptive name | Enforce MFA for All Users |
| Description | Detailed requirement statement | All user accounts must have MFA enabled and enforced via Conditional Access |
| Domain | Organizational grouping | Access Control |
| Severity | Impact level (Critical, High, Medium, Low) | Critical |
| Assessment Type | Automated, Manual, or Hybrid | Automated |
| Acceptance Criteria | Conditions for passing the control | 100% of enabled accounts have MFA registered and CA policy is enabled |
| Evidence Required | What proof is needed | MFA registration report, CA policy export |
| Remediation Guide | Steps to bring control into compliance | Create CA policy requiring MFA for all cloud apps |
Mapping to Existing Controls
- M365 Configuration Mapping — Map to specific Microsoft Graph API endpoints for auto-assessment. Reference Entra ID, Exchange, SharePoint, or Teams settings. Define expected values and comparison operators. Support for complex boolean logic across multiple settings.
- Cross-Framework Mapping — Link custom controls to SOC 2, ISO 27001, NIST, CIS, etc. Inherit assessment results from mapped built-in controls. Unified view across custom and standard frameworks. Cross-reference reporting for multi-framework compliance.
- Manual Assessment Support — Upload manual evidence (documents, screenshots, attestations). Manual pass/fail override with justification notes. Reviewer assignment and approval workflows. Periodic review reminders for manual controls.
- Hybrid Assessment — Combine automated M365 checks with manual verification steps. Automated check sets baseline, manual step confirms context. Both automated and manual components must pass. Status reflects the least compliant component.
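The following is an added example, not OpsPilot365's own code or control schema: it evaluates a control whose M365 mapping uses expected values, comparison operators and all/any boolean logic against a constructed tenant snapshot, then applies the hybrid rule that the overall status reflects the least compliant component. The setting names, operator keywords and JSON shape are assumptions for illustration.

```python
import json
import operator

# Comparison operators a mapping may use (assumed names; the product's own
# operator vocabulary is not documented on this page).
OPS = {"eq": operator.eq, "ne": operator.ne, "gte": operator.ge,
       "lte": operator.le, "in": lambda actual, expected: actual in expected}

# Constructed control definition in the shape of the "Defining Custom Controls"
# table, with an M365 mapping expressed as an all/any boolean tree.
CONTROL = json.loads("""{
  "controlId": "ISB-AC-001",
  "title": "Enforce MFA for All Users",
  "severity": "Critical",
  "assessmentType": "Hybrid",
  "automated": {"all": [
    {"setting": "conditionalAccess.mfaPolicy.state", "op": "eq", "expected": "enabled"},
    {"any": [
      {"setting": "mfa.registeredPercent", "op": "gte", "expected": 100},
      {"setting": "securityDefaults.enabled", "op": "eq", "expected": true}
    ]}
  ]}
}""")

# Constructed tenant snapshot standing in for values read from Microsoft Graph.
TENANT = {
    "conditionalAccess.mfaPolicy.state": "enabled",
    "mfa.registeredPercent": 97.5,
    "securityDefaults.enabled": False,
}

def evaluate(rule, settings):
    """'all'/'any' nodes combine child rules; a leaf compares one setting."""
    if "all" in rule:
        return all(evaluate(r, settings) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, settings) for r in rule["any"])
    if rule["setting"] not in settings:
        return False  # a setting the scan could not read is treated as failing
    return OPS[rule["op"]](settings[rule["setting"]], rule["expected"])

# Least-compliant-wins ordering for hybrid controls.
RANK = {"pass": 0, "pending_review": 1, "fail": 2}

def assess(control, settings, manual_review):
    """Automated check sets the baseline; manual step (pass/fail/pending_review) confirms."""
    automated = "pass" if evaluate(control["automated"], settings) else "fail"
    status = max(automated, manual_review, key=RANK.__getitem__)
    return {"controlId": control["controlId"], "severity": control["severity"],
            "automated": automated, "manual": manual_review, "status": status}
```

With the snapshot above the automated check fails (97.5% registered and security defaults off), so the control is non-compliant even if the reviewer has signed off on the manual evidence.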
Import and Export Framework Definitions
- Export Formats — JSON: Complete framework definition for programmatic use. CSV: Control list with properties for spreadsheet editing. PDF: Formatted framework document for stakeholder review. Excel: Workbook with controls, mappings, and assessment results.
- Import Options — JSON Import: Full framework definition with all mappings. CSV Import: Bulk control creation from spreadsheet. Clone Built-in: Create a copy of a built-in framework as a starting point. Merge: Add controls from import to an existing custom framework.
Note: Create a master “MSP Security Baseline” custom framework that represents your standard security posture requirements and apply it to all managed tenants. Export it as JSON and version-control it alongside your documentation. When you onboard new clients, import the baseline framework and customize it for their specific needs.
Use Cases
- MSP Internal Security Standard — Define your MSP’s minimum security baseline for all managed tenants. Include controls for MFA enforcement, admin account security, audit logging, and email protection that must be met before a tenant is considered fully onboarded.
- Cyber Insurance Requirements — Map your clients’ cyber insurance policy requirements into a custom framework. Track controls like MFA, backup verification, endpoint protection, and incident response readiness to ensure ongoing insurability.
- Client SLA Compliance — Translate service level agreement security commitments into trackable controls. Demonstrate to clients that their SLA requirements for security configuration, monitoring, and incident response are continuously being met.
- Industry-Specific Regulations — Create frameworks for regulations not covered by built-in templates, such as state-specific privacy laws (CCPA, NYDFS), industry standards (PCI DSS for M365-related controls), or sector-specific requirements.
- Vendor Security Assessment Response — Convert common vendor security questionnaires (SIG, CAIQ, VSAQ) into custom frameworks. Map questionnaire items to M365 controls for automated response generation and continuous readiness tracking.
Framework Lifecycle Management
| Status | Description | Actions Available |
|---|---|---|
| Draft | Framework is being defined and configured | Edit, add/remove controls, configure mappings |
| Published | Framework is active and assigned to tenants | Scan, assess, report, minor edits |
| Revision | New version being prepared based on published version | Edit new version while current version remains active |
| Deprecated | Framework is superseded but historical data is preserved | View historical data, export, no new scans |
| Archived | Framework is no longer in use, data retained for reference | View only, export |
API Reference
- GET /api/addons/trust-center/frameworks/custom — List all custom frameworks with status and metadata
- POST /api/addons/trust-center/frameworks/custom — Create a new custom framework definition
- GET /api/addons/trust-center/frameworks/custom/:frameworkId — Get a specific custom framework with all controls
- PUT /api/addons/trust-center/frameworks/custom/:frameworkId — Update a custom framework definition
- POST /api/addons/trust-center/frameworks/custom/:frameworkId/controls — Add a control to a custom framework
- POST /api/addons/trust-center/frameworks/custom/:frameworkId/scan — Trigger a compliance scan for a custom framework
- POST /api/addons/trust-center/frameworks/custom/import — Import a framework definition from JSON or CSV
- GET /api/addons/trust-center/frameworks/custom/:frameworkId/export — Export a framework definition in the specified format
- POST /api/addons/trust-center/frameworks/custom/:frameworkId/publish — Publish a draft framework, making it active for tenant assignment