An information security framework, when done properly, will allow any security leader to more intelligently manage their organization's cyber risk.
The framework consists of a number of documents that clearly define the adopted policies, procedures, and processes by which your organisation abides. It effectively explains to all parties (internal, tangential and external) how information, systems and services are managed within your organisation.
The main point of having an information security framework in place is to reduce risk levels and the organization's exposure to vulnerabilities. The framework is your go-to document in an emergency (for example, someone breaks into your systems), but it also outlines the daily procedures designed to reduce your exposure to risk.
Implementing a solid information security framework provides a host of advantages if you are trying to instill confidence in an industry or establish a strong reputation with potential business partners and customers. The framework allows these parties to understand how you will protect their data or services from harm.
See it perhaps like this: if anyone asks you at any time what you would do if a particular cyber disaster happened, any authorized person in your organization would be able to look up the procedure in the framework and present the exact same response to a third party, be they a regulator, a customer, a business partner, a third-party provider, etc.
Now, there are hundreds of information security frameworks in existence today. Finding the right one for your organisation is not always an easy task for the uninitiated. They do not all fit neatly into a single matrix: there are geographical frameworks, industry-wide frameworks, and technology frameworks.