A reference view of the major data governance frameworks, the architectures most often paired with each, and where they best fit in an evaluation.
Information on this page is compiled from publicly available sources (DAMA International, EDM Council, ISO/IEC, NIST, ISACA, BCBS, GO FAIR, and vendor whitepapers). It is provided for informational and evaluation purposes only and should not be interpreted as legal, regulatory, or vendor-endorsed guidance.
The Data Management Body of Knowledge defines 11 knowledge areas (governance, architecture, modeling, storage, security, integration, documents, reference & master, DW/BI, metadata, quality). It is the lingua franca for governance programs.
The Data Capability Assessment Model is a structured benchmark of 8 components and 37 capabilities. Used by regulators and G-SIBs to evidence BCBS 239 and CCAR data lineage controls.
CDMC defines what good cloud data management looks like — ownership, classification, sovereignty, ethical use, and cross-border controls. It is becoming the de facto standard for cloud sensitive-data programs.
Provides directors with principles for the effective, efficient, and acceptable use of data. Pairs naturally with DAMA or DCAM as the operational layer.
Defines the characteristics of high-quality data and the syntax for master-data interchange. The MDM and DQ vendor community uses it as the conformance baseline.
A voluntary framework to help organizations identify, assess, and manage privacy risk. Strongest where governance and privacy must share a single control catalog.
APO14 — Managed Data — gives IT and audit a familiar control structure for data governance, useful when the program reports through CIO/CISO rather than CDO.
Sets 14 principles (governance, data architecture, accuracy, completeness, timeliness, adaptability) for risk data. The single biggest driver of automated lineage adoption in banking.
Originated to make scientific data machine-actionable. Increasingly adopted by enterprises that share data externally (regulators, consortia, partners).
| Framework | Origin | Primary focus | Maturity model | Industry fit | Certifiable? | Strengths | Trade-offs |
|---|---|---|---|---|---|---|---|
| DAMA | DAMA International (2017) | Body of knowledge across 11 data management knowledge areas | DMM (CMMI-aligned) often paired | Cross-industry, vendor-neutral | CDMP individual certification | Comprehensive vocabulary; widely adopted; vendor-neutral | Descriptive, not prescriptive; needs an operating model layer |
| DCAM | EDM Council (financial services, 2014+) | Capability + maturity model for enterprise data management | 6-level capability model with weighted scoring | Banking, capital markets, insurance | DCAM authorized partner / assessor | Audit-grade evidence; board-ready scoring | Heaviest in financial services; assessment cost |
| CDMC | EDM Council (2021) | Cloud Data Management Capabilities — sensitive data in cloud | 14 capabilities · 37 sub-capabilities · 6 key controls | Cross-industry; cloud-first programs | CDMC certified solution / assessor | Cloud-native; aligned to AWS/Azure/GCP/Snowflake/Databricks | Newer; thinner non-cloud coverage |
| ISO 38505 | ISO/IEC (2017+) | Board-level data governance principles (extends ISO 38500) | Principles, not levels | Cross-industry; board / corporate governance | Organizational alignment, no individual cert | Aligns data governance to corporate governance | High-level; needs a working framework underneath |
| ISO 8000 | ISO (multi-part, ongoing) | Data quality and master data exchange | Part-by-part conformance | Manufacturing, supply chain, MDM-heavy estates | Product conformance (e.g. ISO 8000-110) | Concrete DQ and master-data interchange rules | Narrower than enterprise governance frameworks |
| NIST | U.S. National Institute of Standards & Technology | Privacy risk management, aligned to the NIST CSF | Implementation Tiers 1–4 | U.S. federal, public sector, privacy-critical | Self-attestation against profiles | Risk-based; integrates with NIST CSF and 800-53 | Privacy lens; less coverage of stewardship workflow |
| COBIT | ISACA | IT governance with a managed-data process (APO14) | Process Capability Levels 0–5 | IT-led governance; audit shops | COBIT Foundation / Implementation | Maps directly to audit and IT control evidence | IT-centric framing; less business stewardship language |
| BCBS 239 | Basel Committee on Banking Supervision (2013) | Risk-data aggregation and reporting principles for G-SIBs | 14 principles, regulator-graded | Globally systemic banks (and increasingly D-SIBs) | Supervisory assessment, not certification | Forces end-to-end lineage and accuracy controls | Tightly scoped to risk reporting; banks only |
| FAIR | GO FAIR / Force11 (2016) | Findable, Accessible, Interoperable, Reusable data | Self-assessment maturity indicators | Research, life sciences, scientific data sharing | Maturity indicators, no formal cert | Strong metadata and reuse incentives | Less coverage of stewardship workflow and DQ |
Traditional enterprise governance (DAMA, DCAM, COBIT) is built for compliance and risk. Marketing frameworks are built to solve attribution friction, media waste, and identity signal loss. In 2026 the center of gravity has shifted to Agentic Governance: AI models do not just find errors, they fix them in-flight so that data is born clean.
| Dimension | General enterprise (Finance / IT) | Marketing & agency governance |
|---|---|---|
| Primary goal | Regulatory compliance and risk reduction | ROI recovery and attribution accuracy |
| Data velocity | Low to medium (batch) | High (real-time and streaming) |
| Key metric | Data accuracy score | Time-to-Trust (TTT) and audience freshness |
| Success factor | No audit findings | Reduction in media waste and lift in verified incremental ROI |
| Operating mode | Periodic stewardship and certification | Agentic governance: AI agents fix issues in-flight, data is born clean |
For a marketing agency, a framework is only useful if it accelerates a campaign launch. If governance feels like a brake, media teams will bypass it. The most successful agency models today are Agentic: governance is embedded in the tools so the data is born clean, not cleaned after the fact.
Adjacent models that data governance programs frequently inherit from, report into, or are audited against. Most data programs end up touching several of these.
COSO's Internal Control – Integrated Framework defines five components (control environment, risk assessment, control activities, information & communication, monitoring) used by virtually every U.S. public-company auditor. The companion ERM framework extends it to enterprise risk strategy.
COBIT 2019 organizes 40 governance and management objectives across five domains (EDM, APO, BAI, DSS, MEA) with capability-level scoring. APO14 — Managed Data — is the data-governance hook used by audit-led data programs.
ITIL 4 reframes ITSM around the Service Value System and 34 management practices. Strongest where IT is delivered as a portfolio of services with SLAs — and the de facto operating language for service desks.
CMMI provides appraised maturity ratings (1 Initial → 5 Optimizing) across practice areas. The DMM (Data Management Maturity) model — derived from CMMI — is widely used to score data governance programs.
The 7th edition shifted from process-groups to twelve principles and eight performance domains, embracing both waterfall and agile delivery. The reference standard for PMI-certified project managers globally.
PRINCE2 organizes projects around 7 principles, 7 practices (formerly themes), and 7 processes with explicit business-case and stage-boundary controls. Strongest where governance, audit trail, and role clarity are non-negotiable.
TOGAF's Architecture Development Method (ADM) provides a repeatable cycle (Preliminary → Phases A–H) for building and governing enterprise architecture. Pairs naturally with the ArchiMate modeling language.
TickITplus is the IT-sector scheme that interprets ISO 9001 quality management for software development and IT services, adding a capability-assessment overlay (BPL levels). Used primarily by UK and European IT suppliers.
| Model | Origin | Primary focus | Best for |
|---|---|---|---|
| COSO | Committee of Sponsoring Organizations of the Treadway Commission (1992, updated 2013/2017) | Internal control and enterprise risk management (ERM) | SOX compliance, financial reporting controls, board-level risk oversight |
| COBIT | ISACA (COBIT 2019, evolution of 5) | Enterprise governance and management of information & technology (EGIT) | Aligning IT to business goals, audit-ready IT control evidence, CIO/CISO operating model |
| ITIL | AXELOS / PeopleCert (ITIL 4, 2019) | IT service management (ITSM) and value-stream practices | Service desk, change/incident/problem management, service-value chain operations |
| CMMI | CMMI Institute / ISACA (CMMI 3.0, 2023) | Process maturity and capability improvement | Benchmarking process maturity (levels 1–5) for development, services, supplier mgmt, and data |
| PMBOK | Project Management Institute (PMBOK Guide 7th ed., 2021) | Project management principles, performance domains, and tailoring | Predictive, hybrid, and adaptive project delivery; PMP-certified practitioners |
| PRINCE2 | AXELOS / PeopleCert (PRINCE2 7, 2023) | Structured, stage-gated project management method | UK public sector, EU programs, and regulated environments needing formal governance |
| TOGAF | The Open Group (TOGAF 10, 2022) | Enterprise architecture framework and method (ADM) | Establishing an EA capability; aligning business, data, application, and technology architectures |
| TICKIT | BSI / DISC, UK (TickITplus, 2011) | Software and IT-services quality certification scheme based on ISO 9001 | Software vendors and IT-services suppliers needing accredited ISO 9001 certification |
Each architecture below is a delivery pattern, not a framework — but every program ultimately runs on one or more of them. The framework tags show where each pattern is most defensible.
Centralized, schema-on-write analytical store. Strong governance via conformed dimensions and slowly changing dimensions.
Schema-on-read object storage for raw, semi-structured, and unstructured data. Requires layered governance to avoid swamps.
Open table formats over object storage with ACID, time travel, and unified BI/ML. The default cloud target.
Domain-oriented, decentralized ownership with data products, federated governance, and self-serve platform.
Active-metadata-driven architecture that automates discovery, integration, and policy enforcement across estates.
Central master record hub with synchronized spokes for customer, product, supplier, and reference data.
Append-only event backbone enabling real-time integration, audit-grade lineage, and timely risk reporting.
Logical access layer that queries data in place across systems — minimizes movement, eases sovereignty.
| Architecture | Best-fit frameworks | Best-fit IT governance |
|---|---|---|
| Data Warehouse (Inmon / Kimball) | DAMA-DMBOK2 · ISO 8000 · COBIT 2019 | COBIT · COSO · CMMI |
| Data Lake | DAMA-DMBOK2 · CDMC | COBIT · CMMI |
| Data Lakehouse (Delta / Iceberg / Hudi) | CDMC · DCAM · DAMA-DMBOK2 | COBIT · TOGAF · CMMI |
| Data Mesh | DAMA-DMBOK2 · DCAM · ISO/IEC 38505 | TOGAF · COBIT · ITIL |
| Data Fabric | DCAM · CDMC · DAMA-DMBOK2 | TOGAF · COBIT |
| Hub-and-spoke MDM | ISO 8000 · DAMA-DMBOK2 | COBIT · CMMI · PRINCE2 |
| Event-driven / Streaming (Kafka, CDC) | BCBS 239 · DAMA-DMBOK2 | COBIT · ITIL · TOGAF |
| Federated / Virtualized Query | FAIR · CDMC · ISO/IEC 38505 | TOGAF · COBIT |
The framework summaries, comparison table, and architecture mappings on this page were assembled from publicly available sources and are intended for informational and evaluation purposes only. They are not legal, regulatory, certification, or vendor-endorsed guidance. Always validate framework selection against your own counsel and regulators.
