Cyber Security and Governance, Risk and Compliance

Today's blog post is going to be all about Cyber Security and Governance, Risk and Compliance, otherwise known as GRC.

Now before you all start moaning and complaining and leave the post, this post will hopefully explain a few things about keeping your business secure and reducing risk within the business, whilst helping to mature your information security programme.

Now this GRC topic is massive and today we’re only going to touch the edges of it. So if you want to know more, please drop a comment below the video and let me know that you want to know more about this.

Now getting into GRC and cyber security within the business: if you didn’t already know, both topics go hand in hand with each other and help to form a mature information security programme. Or, if you don’t currently have an information security programme, they will help to formulate and lay the foundations of an information security framework.

But what exactly is cyber security and GRC?

What is GRC or Governance, Risk and Compliance

Moving on to GRC, or Governance, Risk and Compliance: this refers to a strategy used within businesses for managing the business's overall risk and its compliance with the various regulators it needs to satisfy in order to do business.

GRC is a sort of standardized approach for helping businesses design and align their IT and business objectives, thereby effectively managing their risk and helping them to meet the necessary compliance requirements.

GRC forms a framework within the business. Like standards such as ISO 27001, GRC ensures that processes are in place and that key people are in place to ensure that controls are met and that the necessary documentation, reporting and audits are carried out.

Although not a formal certification or process, it is now thought of as a best practice or recommended process within the business.

Implementing GRC helps your business to identify and reduce risk. It helps to control the effectiveness of your security and compliance and helps to remove siloed departments by bringing in a team of people who can reach all areas of the business and talk to people without being isolated in one team or department.

Through implementing internal audits within the business, which are basically reviews of key areas of the business, you can check to see what issues there are within the business. For example, looking at your supply chain, do you review your suppliers? Do you check to see where data is stored and processed? Do you know what security controls they have in place for the protection of data?

Is data protected properly within the business? Is Bring Your Own Device (or BYOD) used within the business? What controls are around this for ensuring that information is not taken outside of the business?

These are just a small number of questions you can ask, but you should look at the whole business and all areas and ask yourself questions. If you find anything that is wrong or could be better, log it and improve on it.

Now that we have a brief understanding of GRC, it’s time to start breaking down the GRC components. In the following sections we’re going to talk about what Governance, Risk and Compliance are and how they work for your business.

What is Governance

The first component of GRC is Governance. Governance defines the way that a business is managed and controlled. In GRC terms it is what allows the business to set its direction, which is usually based upon implementing strategies and policies within the business.

The governance is defined and signed off by someone senior within the business. Without the ok and say-so of senior management, when issues occur within the business the people managing the compliance and risk of the business will have no backing. Without any backing, issues will not be dealt with and eventually everything will come crashing down or fail.

Additionally, without having the governance part of the framework in place there is no centrally controlled way to measure your risk and compliance within the business, and therefore, like I’ve just mentioned, everything kind of falls apart and there will be no bond between the business teams and the actual business.

What is Risk

Moving on to Risk, risk can be defined as anything that could cause harm or loss to the business. A good example of risk is the risk of a pandemic, such as what we’re going through now.

You identify risk by having and keeping a risk register up to date. We have discussed risk before, which can be found here:

By identifying your risks, no matter how small, your business can adapt and put measures in place to reduce the overall risk to the business.

In GRC terms, risk management ensures that your business identifies, analyses and controls any risks found that can cause harm and possibly derail the achievement of your overall objectives within the business.

What is Compliance

Lastly, compliance. Compliance in GRC terms (and for the most part in business) is ensuring that your business follows and adheres to the set of guidelines that you have implemented using policies and procedures.

Compliance ensures that you are achieving and implementing the measures and controls which ensure that you are meeting the requirements.

Compliance is a living thing within the business. As with ISO 27001, you need to mark your own homework internally: you should be performing internal audits regularly to ensure that risks are being checked, identified and updated as needed, that policies are in place and being adhered to, and that any non-conformities are being logged and resolved as soon as possible.

This may sound like a lot of work, and in practice it is at the start, but once you start the process you will find that the business runs more smoothly and there are fewer incidents and accidents, as more and more risks are identified and resolved and continuous checks are carried out throughout the year.

What you shouldn’t be doing is leaving all the compliance checks to the end of the year. Put regular checks in place throughout the year, checking all aspects of the business.

Why is Governance, Risk and Compliance important in business

So now that we’ve covered the boring stuff, why is Governance, Risk and Compliance important in business? Well, basically it comes down to streamlining and organising the business. Implementing GRC (and other frameworks like ISO 27001 and ISO 9001) ensures that you are meeting the necessary regulations that you may need to adhere to.

A lot of the larger industries, such as banking, legal and healthcare, all need to meet various regulations, and implementing GRC within the business helps with this.

Not only this, but you will also realise that 9 times out of 10, you will identify risks, assets and more which you didn’t realise you had. This is especially true with regards to more people working from home at the moment.

The biggest mistake most companies make when looking at GRC is that they try to do everything in one big-bang approach. They then get overwhelmed and stop the project.

What you should do is piece it out. Be proactive, plan and design your framework, piece out the work and build upon it. Look at the areas of the business, identify the risks within the business, what can be resolved, and what can be changed to reduce the risks. Who is going to be responsible for this project?

Ask yourself all the questions before you start and then build a plan to iterate through all the steps, and eventually you will have a GRC framework which will help you and the business succeed and reduce your overall risk.

And that’s it. I realise I’ve ranted a bit about this and there’s a lot in this to digest, but the basic starting points are to work on your risks and assets. Identify what you have: is there anything that could stop the company dead? If so, how can you remediate these and continue?