EPC Group Standards Alignment: NIST AI RMF + COBIT + ITIL + DAMA + ISO + TOGAF
EPC Group delivers Microsoft consulting using disciplined, audit-ready industry frameworks — not ad-hoc methodology. Every engagement is mapped to NIST AI RMF, COBIT 2019, ITIL 4, DAMA-DMBOK 2, NIST CSF 2.0, ISO/IEC 27001:2022, NIST SP 800-53 Rev 5, and TOGAF 10 so procurement, internal audit, the CISO, the chief data officer, and the regulator share one operating vocabulary.
Which industry standards and frameworks does EPC Group's consulting align with? EPC Group, a Microsoft Solutions Partner with 29 years of delivery and 11,000+ engagements, aligns Microsoft 365, Power BI, Microsoft Fabric, Azure, Dynamics 365, Power Platform, and Microsoft security delivery to eight named frameworks: NIST AI RMF 1.0 + Generative AI Profile, COBIT 2019, ITIL 4, DAMA-DMBOK 2, NIST CSF 2.0, ISO/IEC 27001:2022, NIST SP 800-53 Revision 5, and TOGAF 10. Every engagement produces a framework mapping document, control implementation summary, and audit-ready evidence package as deliverables — not as after-the-fact reconstructions.
EPC Group anchors Microsoft consulting to eight industry frameworks — NIST AI RMF, COBIT 2019, ITIL 4, DAMA-DMBOK, NIST CSF 2.0, ISO 27001, NIST 800-53, and TOGAF 10 — so procurement, audit, CISO, CDO, and regulator review the same disciplined evidence on every engagement.
Key Facts
Eight named frameworks mapped on every engagement: NIST AI RMF + Generative AI Profile, COBIT 2019, ITIL 4, DAMA-DMBOK 2, NIST CSF 2.0, ISO/IEC 27001:2022, NIST SP 800-53 Rev 5, and TOGAF 10.
Five-stage EPC Group Lifecycle (Assess → Modernize → Govern → Operate → Enable) crosswalks 40 cells across the eight frameworks.
Sector framework stacks for healthcare (HIPAA + NIST 800-66), financial services (SR 11-7 + FFIEC), federal/DIB (FedRAMP + CMMC 2.0), and life sciences (21 CFR Part 11 + GAMP 5).
Microsoft Solutions Partner with 6 designations, 70+ Fortune 500 customers, 216+ M&A tenant migrations covering 1.83 million users, 6,500+ SharePoint and 1,500+ Power BI deployments.
Founder Errin O'Connor — 4-time Microsoft Press bestselling author, Microsoft MVP since 2002–03 — personally reviews framework-mapping deliverables on Practice engagements.
Engagement deliverable: framework mapping document, RACI matrix, control implementation summary, evidence artifact list, audit-ready logging plan, and risk register entries.
NIST CSF 2.0 (released Feb 2024) Govern function and NIST AI RMF Generative AI Profile (NIST AI 600-1, released July 2024) are the current baseline references for U.S. enterprise AI on Microsoft.
Why framework alignment matters in Microsoft consulting procurement
Unstructured boutique consulting has a methodology problem. The work may be technically sound, but it lands in the customer's organization without a vocabulary the audit committee, the CISO, the chief data officer, or the regulator already accepts. Framework alignment is how disciplined enterprise consulting closes that gap.
Procurement readiness
Fortune 500 procurement organizations and federal contracting officers score consultants against stated framework alignment — COBIT, ITIL, ISO 27001, TOGAF. A boutique answer of "we deliver our way" loses to a structured firm even where the boutique is technically stronger.
Audit-ready evidence
Internal audit, external audit, SOX IT general controls testing, HIPAA audits, FFIEC examinations, FedRAMP continuous monitoring, and cyber-insurance underwriting all speak the framework vocabulary. EPC Group deliverables can be filed directly into the customer's GRC repository without translation.
Regulator credibility
The OCC, FRB, FDIC, NYDFS, HHS OCR, and FDA expect AI risk management language that maps to NIST AI RMF. EPC Group AI engagements produce AI RMF Govern/Map/Measure/Manage documentation as deliverables, not as separate compliance program work.
Mature delivery versus ad-hoc
Framework-mapped delivery is reviewable, repeatable, and defensible. Ad-hoc methodology creates one-off deliverables that depend on the named consultant and degrade the moment that consultant rolls off.
Cross-firm continuity
When the customer's next consulting partner picks up the program two years later, framework-mapped artifacts let the successor read against a shared vocabulary instead of reverse-engineering an undocumented EPC-specific operating model. EPC Group treats the customer's long-term independence as a design constraint.
The eight frameworks EPC Group aligns Microsoft consulting to
These are not aspirational logos on a slide. Each framework is mapped to EPC Group lifecycle stages, named on engagement SOWs, and reflected in named deliverables.
NIST AI RMF
NIST AI Risk Management Framework 1.0 + Generative AI Profile (NIST AI 600-1)
The U.S. National Institute of Standards and Technology AI Risk Management Framework — published as AI RMF 1.0 in January 2023 and extended by the Generative AI Profile (NIST AI 600-1) in July 2024 — is the de facto reference for trustworthy AI in U.S. enterprises, federal contracts, healthcare AI deployments, and any organization fielding Microsoft 365 Copilot, Azure OpenAI, or Power Platform AI Builder at scale. The framework organizes AI risk management around four functions: Govern (a culture of risk management is cultivated), Map (context is recognized and risks identified), Measure (risks are assessed and tracked), and Manage (risks are prioritized and treated). EPC Group operationalizes AI RMF inside every Microsoft Copilot, Azure AI Foundry, and Power Platform AI Builder rollout — Purview AI Hub, Communication Compliance, Defender for Cloud Apps, and Entra Conditional Access become the technical implementation of Map/Measure/Manage; named human owners, RACI matrices, and AI council operating models become the implementation of Govern.
EPC Lifecycle mapping
Maps to Assess (Govern function) and Govern (all four functions in production).
COBIT 2019
COBIT 2019 — ISACA Framework for the Governance and Management of Enterprise IT
COBIT 2019 from ISACA is the global standard for enterprise governance of information and technology (EGIT). It separates governance (Evaluate, Direct, Monitor) from management (Plan, Build, Run, Monitor) across 40 governance and management objectives. CIOs facing internal audit, SOX IT general controls, or board-level IT oversight expect their Microsoft consulting partner to map deliverables to COBIT objectives — particularly EDM01 (governed governance framework), APO12 (managed risk), DSS05 (managed security services), BAI06 (managed IT changes), and MEA03 (monitor compliance with external requirements). EPC Group maps every Govern-stage deliverable — data governance charters, Purview catalog operating models, Power BI Center of Excellence policies, AI council charters, Sentinel and Defender XDR operating models — to the relevant COBIT 2019 management and governance objectives so audit teams can trace EPC Group artifacts directly to control assertions.
EPC Lifecycle mapping
Maps primarily to Govern, with secondary coverage in Assess (EDM01-04) and Operate (DSS01-06).
ITIL 4
ITIL 4 — IT Service Management Framework from AXELOS/PeopleCert
ITIL 4 is the global IT service management standard, structured around the service value system, the service value chain (Plan, Improve, Engage, Design & Transition, Obtain/Build, Deliver & Support), and 34 ITIL management practices including incident management, problem management, change enablement, service request management, service level management, monitoring and event management, and continual improvement. EPC Group Managed Microsoft Services — managed Power BI, managed Fabric, managed Microsoft 365 tenant operations, managed Defender XDR/Sentinel — run against ITIL 4 practices. Service catalog, service level targets, incident severity matrix, change advisory board cadence, and continual service improvement reporting are all ITIL-aligned. This matters in enterprise procurement: a buyer that lives inside ServiceNow ITSM expects its Microsoft consulting partner to operate to the same ITIL vocabulary it already enforces on internal IT.
EPC Lifecycle mapping
Maps primarily to Operate (service value chain end-to-end) and Enable (continual improvement, service transition).
DAMA-DMBOK 2
DAMA-DMBOK 2 — Data Management Body of Knowledge, Second Edition
DAMA-DMBOK 2 is the data management profession’s body of knowledge, organized around eleven knowledge areas: data governance, data architecture, data modeling and design, data storage and operations, data security, data integration and interoperability, document and content management, reference and master data, data warehousing and business intelligence, metadata management, and data quality. Chief data officers and data governance councils expect Microsoft Fabric, Power BI, and Purview engagements to be scoped against DMBOK knowledge areas — not against tool capabilities alone. EPC Group maps every Modernize-stage and Govern-stage data deliverable to DMBOK: OneLake architecture against Data Architecture, semantic model engineering against Data Modeling and Design, Purview classification and lineage against Metadata Management and Data Quality, MDM hub design against Reference and Master Data, and Power BI certified datasets against Data Warehousing and Business Intelligence. The result is a data program leadership can defend to the audit committee with terminology the audit committee already accepts.
EPC Lifecycle mapping
Maps to Modernize (Data Architecture, Data Modeling, Integration) and Govern (Data Governance, Quality, Security, Metadata, MDM).
NIST CSF 2.0
NIST Cybersecurity Framework 2.0
NIST CSF 2.0, released February 2024, restructured the Cybersecurity Framework around six functions: Govern (new in 2.0), Identify, Protect, Detect, Respond, and Recover. The 2.0 release broadened applicability beyond critical infrastructure to all organizations and elevated cybersecurity governance to a first-class function. EPC Group security engagements — Microsoft Defender XDR rollouts, Microsoft Sentinel SIEM and SOAR design, Entra ID Conditional Access and Privileged Identity Management, Purview DLP and Insider Risk Management — map deliverables to specific CSF 2.0 subcategories. CIOs and CISOs preparing for FFIEC examinations, HIPAA Security Rule audits, or cyber insurance underwriting reviews receive a CSF 2.0 mapping document alongside the engagement deliverable that shows exactly which subcategories the Microsoft security investment covers and which remain open.
EPC Lifecycle mapping
Maps to Govern (the GV function) and Operate (Identify/Protect/Detect/Respond/Recover in production).
NIST 800-53 Rev 5
NIST SP 800-53 Revision 5 — Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-53 Revision 5 is the U.S. federal control catalog underpinning FedRAMP authorizations, FISMA system security plans, CMMC 2.0 Level 2 and Level 3 controls (which inherit heavily from 800-53), and StateRAMP. The catalog contains roughly one thousand controls organized into twenty control families — Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), System and Communications Protection (SC), System and Information Integrity (SI), and others. Federal, Department of Defense, defense industrial base, and StateRAMP engagements at EPC Group are scoped against the applicable 800-53 baseline (Low, Moderate, or High) — Microsoft 365 GCC and GCC High, Azure Government, and Power BI for U.S. Government deployments come with FedRAMP authorization packages, and EPC Group adds the customer-responsibility implementation against the shared-responsibility matrix.
EPC Lifecycle mapping
Maps to all five stages on federal engagements; the control catalog touches Assess, Modernize, Govern, Operate, and Enable.
ISO/IEC 27001:2022
ISO/IEC 27001:2022 — Information Security Management Systems
ISO/IEC 27001:2022 is the international standard for an information security management system (ISMS) and its Annex A control set (ISO/IEC 27002:2022) organizes 93 controls into four themes: organizational, people, physical, and technological. Global enterprises with operations in the EU, UK, APAC, and LATAM expect their Microsoft consulting partner to align deliverables to 27001 controls — not because EPC Group is certifying the customer’s ISMS, but because the customer’s information security manager needs to file engagement evidence into the ISMS document set. EPC Group engagement deliverables for global customers — particularly those bound by GDPR, the UK Data Protection Act, and APAC privacy regimes — carry an ISO 27001 Annex A control mapping document so the customer’s 27001 lead auditor can accept the artifacts without re-mapping.
EPC Lifecycle mapping
Maps to Govern (ISMS, policy, risk treatment) and Operate (technical and operational controls).
TOGAF 10 / ADM
TOGAF Standard, 10th Edition — The Open Group Architecture Framework and its Architecture Development Method
TOGAF 10 is the enterprise architecture standard from The Open Group, and the Architecture Development Method (ADM) is its iterative process: Preliminary, Architecture Vision (Phase A), Business Architecture (B), Information Systems Architectures — Data and Application (C), Technology Architecture (D), Opportunities and Solutions (E), Migration Planning (F), Implementation Governance (G), and Architecture Change Management (H). EPC Group Assess-stage and Modernize-stage architecture work — target-state architectures for Microsoft Fabric, the Power BI platform, M365 tenant rationalization, M&A consolidation strategy, and Azure landing zones — is structured around TOGAF ADM phases. Enterprise architecture offices that have standardized on TOGAF (most large enterprises and many federal agencies) receive Microsoft architecture deliverables formatted to fit the EA repository — ArchiMate diagrams, ADM phase artifacts, and architecture decision records — without translation effort.
EPC Lifecycle mapping
Maps to Assess (Phases A–D) and Modernize (Phases E–H).
The Lifecycle × Frameworks crosswalk
A 40-cell crosswalk showing which framework activities run in each EPC Group Lifecycle stage. Each cell is the engagement activity the customer can expect EPC Group to deliver at that stage for that framework.
Assess
NIST AI RMF: AI use-case inventory, Govern function readiness
COBIT 2019: EDM01-04 governance readiness assessment
ITIL 4: Service value system gap analysis
DAMA-DMBOK 2: Data maturity baseline against 11 knowledge areas
NIST CSF 2.0: Govern function current vs target profile
NIST 800-53 Rev 5: Federal baseline applicability scoping
ISO/IEC 27001:2022: ISMS scoping and Annex A coverage map
TOGAF 10 / ADM: ADM Phases A–D target architecture

Modernize
NIST AI RMF: Map function — AI system context, data, deployment
COBIT 2019: BAI01-08 build and change management
ITIL 4: Design & Transition, Obtain/Build practices
DAMA-DMBOK 2: Data architecture, modeling, integration delivery
NIST CSF 2.0: Protect function technical implementation
NIST 800-53 Rev 5: Control family CM, SC, SI implementation
ISO/IEC 27001:2022: Annex A technological control deployment
TOGAF 10 / ADM: ADM Phases E–G implementation governance

Govern
NIST AI RMF: Govern + Measure functions, AI council, policy
COBIT 2019: EDM, APO12, MEA03 ongoing governance
ITIL 4: Service level management, supplier management
DAMA-DMBOK 2: Data governance, quality, security, metadata, MDM
NIST CSF 2.0: Govern (GV) function operating model
NIST 800-53 Rev 5: AC, AU, IA, PT control families
ISO/IEC 27001:2022: ISMS operation, internal audit, management review
TOGAF 10 / ADM: Architecture governance, ADRs, change management

Operate
NIST AI RMF: Manage function — incident response, continuous monitoring
COBIT 2019: DSS01-06 deliver, service, support
ITIL 4: Service value chain Deliver & Support, 34 practices
DAMA-DMBOK 2: Data operations, storage, ongoing quality
NIST CSF 2.0: Detect, Respond, Recover functions in production
NIST 800-53 Rev 5: IR, SI, AU continuous monitoring
ISO/IEC 27001:2022: Operational technological controls, monitoring
TOGAF 10 / ADM: ADM Phase H architecture change management

Enable
NIST AI RMF: AI literacy, responsible AI training
COBIT 2019: APO07 managed human resources, training
ITIL 4: Workforce and talent management, continual improvement
DAMA-DMBOK 2: Data literacy, steward enablement
NIST CSF 2.0: PR.AT awareness and training subcategory
NIST 800-53 Rev 5: AT control family awareness and training
ISO/IEC 27001:2022: A.6 people controls — awareness, training, discipline
TOGAF 10 / ADM: Architecture skills framework adoption
The crosswalk is delivered as a customer-specific document in every Practice engagement — with cell-level evidence pointers, control mappings, and named owners.
Industry framework stacks
Sector overlays extend the eight core frameworks. EPC Group recommends and delivers the following stacks by sector.
42 CFR Part 2 — substance use disorder confidentiality
HHS OCR audit protocol
NIST AI RMF + Generative AI Profile for clinical and operational AI
HITRUST CSF v11 where the customer has standardized on HITRUST
Microsoft 365 Copilot, Azure OpenAI, Fabric, and Power BI engagements in healthcare are scoped under HIPAA-aligned BAA terms and delivered with NIST 800-66 Rev 2 control mapping. EPC Group has executed Microsoft consulting in HIPAA-bound integrated delivery networks for nearly three decades.
Banks, credit unions, insurers, capital markets
SR 11-7 — Federal Reserve model risk management (extends to AI/ML)
FFIEC IT Examination Handbook (Information Security, Architecture, Audit, Management)
GLBA Safeguards Rule (16 CFR Part 314)
SOC 2 Type II Trust Services Criteria
NIST AI RMF — adopted by OCC, FRB, FDIC as supervisory reference
NYDFS Part 500 cybersecurity regulation where applicable
Microsoft Fabric, Power BI, and Copilot rollouts in financial services are scoped against SR 11-7 model risk management (AI use cases are models for supervisory purposes), FFIEC examination expectations, and SOC 2 control evidence requirements.
Federal, defense industrial base, state and local government
FedRAMP Moderate or High (Microsoft 365 GCC/GCC High, Azure Government)
NIST SP 800-53 Rev 5 baseline (Low/Moderate/High as scoped)
CMMC 2.0 Level 2 or Level 3 for defense industrial base
StateRAMP for state and local government cloud authorizations
NIST AI RMF + OMB M-24-10 federal AI use-case management
NIST SP 800-171 Rev 3 for CUI environments
EPC Group delivers Microsoft consulting in GCC, GCC High, Azure Government, and Power BI for U.S. Government environments — with the customer-responsibility implementation against the published Microsoft FedRAMP shared-responsibility matrix.
Pharma, biotech, medical device, contract manufacturing
21 CFR Part 11 — electronic records and signatures
GAMP 5 Second Edition — computerized system risk-based validation
ISO 13485:2016 — medical device quality management
FDA AI/ML SaMD Action Plan and Predetermined Change Control Plans
EU MDR 2017/745 and IVDR 2017/746
ICH E6(R3) GCP for clinical research data systems
GxP-bound Power BI, Fabric, and Copilot engagements are scoped under GAMP 5 second-edition risk-based validation with 21 CFR Part 11 electronic-records evidence built into the engagement deliverables.
Framework depth alone doesn't deliver Microsoft outcomes
CIOs evaluating Microsoft consulting partners sometimes default to a Big Four audit firm because the audit firm leads with framework depth. The instinct is reasonable — framework literacy is a real signal. But framework literacy without Microsoft architecture depth turns into governance overhead: voluminous policy documents, RACI matrices, and risk registers that describe a target state nobody knows how to actually configure inside Microsoft 365 Copilot, Microsoft Fabric, Purview AI Hub, or Azure AI Foundry.
EPC Group delivers both. The framework mapping is rigorous — every deliverable is traceable to NIST AI RMF functions, COBIT objectives, ITIL practices, DAMA knowledge areas, CSF 2.0 subcategories, 800-53 controls, ISO 27001 Annex A controls, and TOGAF ADM phases. And the Microsoft architecture is rigorous — the firm was founded by a four-time Microsoft Press bestselling author, original SharePoint Beta Team member (Project Tahoe), and original Power BI Beta Team member (Project Crescent), and its recent record includes 6,500+ SharePoint deployments, 1,500+ Power BI deployments, and 216+ M&A Microsoft 365 tenant migrations covering 1.83 million users.
The result is governance the customer can actually operate on Microsoft — not a binder that describes what governance would look like if the customer hired a second firm to implement it. The senior-architect delivery model is what makes the framework alignment land in production.
The procurement-readiness deliverable package
Every EPC Group Practice engagement produces a procurement-readiness, audit-ready deliverable package — formatted for the customer's GRC repository, the customer's enterprise architecture repository, and the customer's service management platform.
1. Framework mapping document — every deliverable mapped to the relevant NIST AI RMF function, COBIT objective, ITIL practice, DAMA knowledge area, NIST CSF subcategory, NIST 800-53 control, ISO 27001 Annex A control, and TOGAF ADM phase.
2. RACI matrix — responsible, accountable, consulted, informed roles named at the human level (not the team level) for every Govern-stage and Operate-stage deliverable.
3. Control implementation summary — for each in-scope control: how the Microsoft technology (Purview, Entra, Defender, Sentinel, Fabric, Power BI) implements it, and what residual customer-responsibility implementation EPC Group is delivering.
4. Evidence artifact list — the names, owners, and locations of every artifact (policies, runbooks, ADRs, screenshots, exports, attestation letters) the engagement produces, formatted for the customer’s GRC repository.
5. Audit-ready logging plan — Microsoft 365 Audit Log, Defender XDR, Sentinel, Purview activity, and Entra audit log retention, export, and SIEM forwarding scoped against the customer’s evidence-retention obligations.
6. Risk register entries — material residual risks documented with treatment plan, named owner, and review cadence, formatted to merge into the customer’s enterprise risk register.
EPC Group's contributing role in Microsoft community practice
EPC Group did not arrive at standards-aligned delivery as a marketing exercise. The firm's founder and the senior architects have helped shape the Microsoft community practice that informs how these frameworks land on Microsoft technology.
Microsoft Press authorship
Founder Errin O'Connor is a four-time Microsoft Press bestselling author with titles spanning Power BI, SharePoint, Azure, and large-scale enterprise migrations — the source material practitioners across the Microsoft consulting field reference.
Beta team membership
Original SharePoint Beta Team member (Project Tahoe) and original Power BI Beta Team member (Project Crescent). The architectural patterns EPC Group operationalizes against COBIT, DAMA, and TOGAF come from beta-era depth, not from secondhand documentation.
Microsoft TAP and FastTrack feedback
Active participation in Microsoft Technology Adoption Programs and FastTrack feedback loops on Microsoft Fabric, Microsoft 365 Copilot, Purview AI Hub, and Azure AI Foundry — the EPC Group view on how to map these technologies to NIST AI RMF is informed by direct preview-and-production exposure.
Microsoft MVP recognition
Microsoft Most Valuable Professional since 2002–03 — sustained, peer-reviewed community contribution recognized by Microsoft. The MVP status is renewed annually on contribution, not purchased.
The EPC Group credential stack behind framework alignment
11,000+ Microsoft engagements
70+ Fortune 500 customers
216+ M&A tenant migrations
1.83 million users migrated (M&A)
Microsoft Solutions Partner (6 designations)
Modern Work, Business Applications, Data & AI (Azure), Digital & App Innovation (Azure), Infrastructure (Azure), and Security designations — the current Microsoft Cloud Partner Program tier, renewed annually on performance and customer success metrics.
Errin O'Connor — 4× Microsoft Press author
Microsoft Press titles on Power BI, SharePoint, Azure, and large-scale migrations. Microsoft MVP since 2002–03. Original SharePoint Beta Team and Power BI Beta Team member. Personally reviews framework-mapping deliverables on Practice engagements.
29 years of Microsoft delivery
Founded 1997. 11,000+ Microsoft engagements, 6,500+ SharePoint deployments, 1,500+ Power BI deployments, 500+ Microsoft Fabric implementations across regulated and Fortune 500 enterprises.
Compliance-native delivery
Engagements scoped against HIPAA, SOC 2, FedRAMP, FINRA, CMMC, GxP. Healthcare BAA, financial services SOC 2, federal FedRAMP/CMMC, and life-sciences GxP compliance treated as engagement constraints, not afterthoughts.
Why does framework alignment matter for Microsoft consulting?
Three reasons. First, procurement — large-enterprise procurement organizations score consultants on stated methodology alignment to industry standards (COBIT, ITIL, ISO 27001, TOGAF), and an unstructured boutique answer of "we deliver our way" loses to a structured firm even when the boutique is technically stronger. Second, audit — internal audit, external audit, regulator examinations, and cyber-insurance underwriters speak the framework vocabulary, and a consulting deliverable mapped to NIST CSF 2.0 or COBIT 2019 can be filed directly into the customer’s GRC repository without re-translation. Third, continuity — when the customer’s next consulting partner picks up the work two years later, a framework-mapped deliverable lets the successor consult against a shared vocabulary instead of reverse-engineering an undocumented EPC-specific operating model. EPC Group treats framework alignment as a delivery discipline, not a marketing surface.
Which industry standards apply to a Microsoft AI / Copilot engagement?
The current baseline for U.S. enterprises rolling out Microsoft 365 Copilot, Azure OpenAI Service, Azure AI Foundry, and Power Platform AI Builder is NIST AI RMF 1.0 plus the NIST AI 600-1 Generative AI Profile, plus the AI-specific subset of NIST CSF 2.0 (the Govern function and AI risk subcategories), plus ISO/IEC 42001:2023 where the customer has chosen to certify an AI management system. Sector overlays add SR 11-7 model risk management for banks, NIST 800-66 Rev 2 for healthcare AI under HIPAA, FDA AI/ML SaMD frameworks for medical device, and OMB M-24-10 for federal AI use-case management. EPC Group maps every AI engagement deliverable to the applicable subset before kickoff so the AI council, the CISO, the chief data officer, and the chief compliance officer share one operating vocabulary.
How does NIST AI RMF apply to a Power BI or Microsoft 365 Copilot rollout?
NIST AI RMF organizes AI risk management around four functions, and each maps directly into a Microsoft 365 Copilot or Power BI Copilot rollout. Govern becomes the AI council, the responsible AI policy, the named accountable owner, and the use-case intake process. Map becomes the AI use-case inventory, the context-and-impact assessment, the Purview AI Hub data classification scope, and the prompt/response taxonomy. Measure becomes the Purview AI Hub interaction telemetry, the Communication Compliance policy tuning, the Defender for Cloud Apps usage analytics, and the adoption-vs-business-outcome scorecard. Manage becomes the incident response runbook, the prompt-injection mitigation pattern, the sensitive-content treatment plan, and the change-management process for Copilot capability releases. EPC Group operationalizes these inside Microsoft technology rather than producing a separate paper governance program nobody reads.
Is COBIT or ITIL the right framework for a Microsoft engagement — or both?
Both — and they serve different audiences. COBIT 2019 is for the audit committee, the chief audit executive, the chief risk officer, and the IT general controls scope of the SOX program. ITIL 4 is for the IT operations leadership, the service desk, the change advisory board, the major incident team, and the ServiceNow ITSM platform. EPC Group Govern-stage deliverables (Purview catalog operating model, AI council charter, data governance policy) are COBIT-mapped because that audience cares about governance objectives and control assertions. EPC Group Operate-stage deliverables (managed Power BI runbook, managed Fabric capacity operations, managed Defender XDR incident response) are ITIL-mapped because that audience cares about the service value chain and the 34 management practices. Two frameworks, two audiences, one engagement.
How does the EPC Group Lifecycle map to NIST CSF 2.0?
The five-stage EPC Group Lifecycle (Assess, Modernize, Govern, Operate, Enable) was designed to subsume the six NIST CSF 2.0 functions cleanly. Govern (CSF 2.0 GV function, new in the 2.0 release) maps to the EPC Group Govern stage where Purview, Entra Conditional Access policy, AI council, and security operating model are codified. Identify (ID) and Protect (PR) map to the Assess and Modernize stages where the Microsoft estate is inventoried and the technical protections (Defender XDR, Sentinel, Entra PIM, Purview DLP) are implemented. Detect (DE), Respond (RS), and Recover (RC) map to the Operate stage where 24/7 managed Microsoft security services run. The CSF 2.0 PR.AT awareness and training subcategory maps to the Enable stage adoption and data-literacy program. Every Govern-stage engagement produces a CSF 2.0 profile delta document — current profile, target profile, gap, and roadmap.
What audit-ready evidence does framework alignment produce?
Six categories of evidence are produced as engagement deliverables, not as after-the-fact reconstructions. Policy artifacts — written policies, standards, and procedures mapped to the applicable control statements. Architecture artifacts — target architecture documents, architecture decision records, network diagrams, and data-flow diagrams formatted for the customer’s enterprise architecture repository. Configuration artifacts — exported Entra Conditional Access policies, Purview DLP policy exports, Defender XDR policy exports, Sentinel analytics rule exports, Microsoft 365 secure score evidence, and Power BI tenant settings export. Operational artifacts — runbooks, incident response playbooks, change advisory board minutes, and service review reports. Audit log artifacts — Microsoft 365 audit log, Sentinel, Defender, Purview activity log retention configuration aligned to the customer’s evidence-retention obligations. Attestation artifacts — Microsoft service trust portal documents (SOC 2 Type II, ISO 27001, FedRAMP) downloaded, indexed, and filed into the customer’s GRC system. The result is an audit binder produced as the engagement happens, not assembled in panic when the auditor schedules an opening meeting.
How does framework alignment work inside a 90-day fixed-fee accelerator?
Framework alignment does not slow a 90-day accelerator down — it accelerates it. The Assess stage produces a framework mapping document in the first two weeks that names every in-scope NIST AI RMF function, COBIT objective, ITIL practice, DAMA knowledge area, CSF 2.0 subcategory, 800-53 control, ISO 27001 Annex A control, and TOGAF ADM phase. The Modernize sprints then deliver against the mapped controls — Purview classification covers Annex A data classification and DAMA Metadata Management simultaneously, Entra Conditional Access covers CSF 2.0 PR.AA-05 and 800-53 AC-17 simultaneously, and Sentinel analytic rules cover CSF 2.0 DE.CM-01 and ITIL monitoring and event management simultaneously. One implementation, multiple framework attestations. The accelerator finishes with a delivered framework-mapped audit binder, not a deferred governance backlog.
What does the federal / CMMC framework stack look like at EPC Group?
For federal civilian, defense industrial base, and state government engagements, the framework stack is FedRAMP Moderate or High (the Microsoft 365 GCC, GCC High, Azure Government, and Power BI for U.S. Government cloud authorization), NIST SP 800-53 Rev 5 at the corresponding baseline (Low, Moderate, or High), CMMC 2.0 Level 2 or Level 3 for the defense industrial base (which inherits heavily from NIST SP 800-171 Rev 3), StateRAMP for state and local government, OMB M-24-10 for federal AI use-case management, and NIST AI RMF as the AI risk reference. EPC Group delivers the customer-responsibility implementation against Microsoft’s published shared-responsibility matrices, packages evidence into the customer’s authorization boundary, and supports the FedRAMP 3PAO or DIBCAC C3PAO assessment with control implementation summaries and evidence artifacts. The Microsoft FedRAMP package covers the inherited controls; EPC Group covers the customer-responsibility delta.
Talk to an EPC Architect
Scope a fixed-fee Microsoft engagement with framework-mapped deliverables. EPC Group senior architects — led by founder Errin O'Connor — review every Practice engagement before kickoff.