Auditability by Design — From FERMA to Formidable
2025-08-31 · 3 min read · formidable, ferma, auditability, security-by-design
Introduction
Most people are familiar with security by design and privacy by design. These principles are embedded in standards and regulation, and focus on prevention and protection. But there’s a third building block that’s gaining traction: auditability by design.
Without auditability, security can never be verifiable, traceable, or demonstrable. In this post we’ll look at where the concept comes from (FERMA’s Cyber Risk Governance Framework) and how Formidable puts it into practice.
What does FERMA say?
FERMA (Federation of European Risk Management Associations) published the Cyber Risk Governance Model in 2017. In it, they explicitly call out auditability by design as an essential component of risk governance.
You can read the full report here: FERMA Cyber Risk Governance Framework (PDF)
The reasoning is straightforward:
- Security by design protects systems and data.
- Auditability by design makes it possible to prove that protection exists — and to demonstrate it during an audit or incident investigation.
In short: without auditability, security remains invisible.
Why does it matter?
Too often, auditability is bolted on afterwards: scattered log files, screenshots for auditors, extra spreadsheets. It may work in the short term, but it leaves gaps.
A by-design approach means you account for auditability from the start, by ensuring:
- Logging and versioning that cannot be tampered with.
- A clear link between policies, processes, and work instructions.
- Transparency that both teams and auditors can rely on.
How does Formidable help?
This is where Formidable comes in. For one person it might be a simple Markdown tool for a personal cookbook. For another it’s an audit-ready documentation environment.
With Formidable you can:
- Design YAML-driven templates for policies, processes, and reports.
- Manage content in a virtual file system that mirrors your project structure.
- Render to Markdown with a Handlebars-inspired engine (tables, summaries, loops, conditionals).
- Switch profiles for different clients, teams, or projects.
- Keep everything auditable with Git integration for full traceability.
- Extend with plugins to add exports, logic, or integrations.
The result is an environment where auditability is built in, not patched on later.
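To make concrete what "logging and versioning that cannot be tampered with" and "Git integration for full traceability" buy you, here is an added example that is not Formidable's code and not part of the original post. It reproduces the core idea behind Git's content-addressed history in plain Python: every document version is recorded in a hash chain, so a later edit, a rewritten log entry or a deleted version is detectable by anyone holding the chain. The document ids, authors and timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Sentinel "previous hash" for the first entry in a chain.
GENESIS = "0" * 64


def digest(data: bytes) -> str:
    """SHA-256 hex digest, used for both content and log entries."""
    return hashlib.sha256(data).hexdigest()


def append_version(chain, doc_id, content, author, when=None):
    """Record a new version of a document at the end of the chain.

    Each entry stores the hash of the content and the hash of the previous
    entry, and is itself hashed; that is what links the log together.
    """
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {
        "doc_id": doc_id,
        "version": len(chain) + 1,
        "author": author,
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "content_hash": digest(content.encode("utf-8")),
        "prev_hash": prev,
    }
    # Hash the canonical (sorted-key) JSON form so verification is reproducible.
    entry["entry_hash"] = digest(json.dumps(entry, sort_keys=True).encode("utf-8"))
    chain.append(entry)
    return entry


def verify_chain(chain, contents):
    """Check a chain against the stored document texts.

    contents maps version number -> document text as currently stored.
    Returns (True, None) if everything is intact, otherwise
    (False, version) naming the first version where the audit trail breaks.
    """
    prev = GENESIS
    for entry in chain:
        version = entry["version"]
        # 1. Link check: a removed or reordered entry breaks the chain here.
        if entry["prev_hash"] != prev:
            return False, version
        # 2. Entry check: any edit to the metadata (author, timestamp, ...)
        #    changes the entry hash.
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if digest(json.dumps(fields, sort_keys=True).encode("utf-8")) != entry["entry_hash"]:
            return False, version
        # 3. Content check: the stored document no longer matches what was logged.
        stored = contents.get(version)
        if stored is None or digest(stored.encode("utf-8")) != entry["content_hash"]:
            return False, version
        prev = entry["entry_hash"]
    return True, None


def build_sample_chain():
    """Constructed sample: three versions of one policy document (not real data)."""
    chain = []
    contents = {}
    versions = [
        ("# Access policy\n\nMFA is required for all admins.", "alice", "2025-08-01T09:00:00+00:00"),
        ("# Access policy\n\nMFA is required for all staff.", "bob", "2025-08-15T10:30:00+00:00"),
        ("# Access policy\n\nMFA is required for all staff and contractors.", "alice", "2025-08-30T16:45:00+00:00"),
    ]
    for text, author, when in versions:
        entry = append_version(chain, "policy/access.md", text, author, when)
        contents[entry["version"]] = text
    return chain, contents


if __name__ == "__main__":
    chain, contents = build_sample_chain()
    print("intact:", verify_chain(chain, contents))
    contents[2] = "# Access policy\n\nMFA is optional."  # silent edit of an old version
    print("after tampering with v2:", verify_chain(chain, contents))
```

Git commits work the same way (each commit hashes its tree and its parent), which is why a Git-backed documentation store gives an auditor a verifiable history rather than a pile of screenshots. The chain only proves integrity against the copy of the log you hold; in practice you also anchor it somewhere the editor cannot rewrite, such as a remote repository with protected branches or signed tags.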
From cookbooks to compliance
The beauty of Formidable is its simplicity. Because it’s based on open standards (Markdown and YAML), it’s just as useful for:
- a personal recipe collection,
- a team wiki,
- or a regulated report required by auditors.
The same principles — structure, transparency, and traceability — apply in every case.
Conclusion
Auditability by design isn’t just a buzzword. It’s a prerequisite to make security by design real. FERMA’s framework underlines this point, and Formidable translates it into practice.
Whether you’re writing recipes or regulated documentation, Formidable helps you build with structure, clarity, and auditability by design.
👉 What’s your view: will auditability by design become the next “by design” principle alongside security and privacy?