GRC: Governance, risk management and compliance for companies
Introduction to GRC (Governance, Risk Management, and Compliance): What GRC means, how a GRC framework is structured, which tools support it, how GRC relates to ISO 27001, NIS2, and the GDPR, and why integrated GRC is more efficient than siloed compliance approaches.
GRC—Governance, Risk Management, and Compliance—is a systematic approach to ensuring that an organization pursues its strategic goals (Governance), identifies and manages risks (Risk Management), and meets regulatory requirements (Compliance). The key is integration: rather than operating three separate silos, modern GRC takes a unified approach.
What GRC Means—and What It Doesn’t
The three pillars of GRC:
G - Governance:
→ Strategic alignment of IT and security
→ Who has what responsibilities?
→ Define policies, standards, and processes
→ Involve leadership: Security is a top priority!
→ Tools: Security policies, RACI matrix, KPIs
R - Risk Management:
→ Identify, assess, and manage risks
→ What threats does the company face?
→ Acceptable risk vs. risk requiring action
→ Residual risk after implementing measures
→ Tools: Risk register, ISMS risk analysis (ISO 27005)
C - Compliance:
→ Adherence to external requirements (laws, standards)
→ GDPR, NIS2, KRITIS, ISO 27001, PCI DSS, HIPAA...
→ Proof of compliance (audits, certifications)
→ Difference: Compliance ≠ Security! (compliance is only a minimum standard)
What GRC is NOT:
→ GRC is not a substitute for technical security measures
→ "We are ISO 27001 certified" ≠ "We are secure"
→ GRC without technical implementation is worthless (paper compliance)
The GRC Problem Without an Integrated Approach
Typical situation without GRC integration:
ISO 27001 project (IT department):
→ Develops policies, risk analysis, awareness training
GDPR project (Data Protection Officer):
→ Record of processing activities, privacy policy, TOMs
NIS2 project (Compliance Manager):
→ Reporting processes, supplier assessment
Result:
→ Three separate risk analyses (for ISO, GDPR, NIS2)!
→ Three separate policy documents
→ Triple the effort during audits
→ Contradictory statements in different documents
→ No one has an overall view of the risk landscape
Integrated GRC:
→ One risk analysis → covers ISO 27001, GDPR, NIS2
→ Control mapping: "This measure fulfills ISO A.8.5 + GDPR Art. 32"
→ Single source of truth for all compliance requirements
→ Efficiency: one audit for multiple standards possible (ISMS + DSMS, the data protection management system)
Building a GRC Framework
Step 1: Requirements Inventory
Which regulatory requirements apply?
Legally mandatory:
□ GDPR (all companies in the EU)
□ NIS2 (if a critical/important entity)
□ KRITIS Regulation (KRITIS operators)
□ Industry-specific: BAIT (banks), KAIT (insurance)
Contractually required:
□ ISO 27001 (required by customers or in tenders)
□ PCI DSS (credit card acceptance)
□ SOC 2 (U.S. market, cloud services)
□ TISAX (Automotive)
Voluntary/Best Practice:
□ BSI IT-Grundschutz
□ CIS Controls
□ NIST Cybersecurity Framework
---
Step 2: Select Control Framework
ISO 27001:2022 (recommended):
→ 93 controls across 4 domains + Annex A
→ Globally recognized, certifiable
→ Covers the foundation for GDPR/NIS2
CIS Controls v8 (alternative, especially for SMEs):
→ 18 control groups, prioritized
→ Implementation Groups 1–3 (based on size and maturity)
→ More technology-focused than ISO 27001
NIST CSF 2.0 (2024):
→ 6 functions: Govern, Identify, Protect, Detect, Respond, Recover
→ Flexible, not certifiable but widely referenced
→ Free, publicly available
---
Step 3: Build a risk register
Risk Register Structure:
Risk ID | Risk Description | Threat | Vulnerability | Probability | Impact | Risk Score | Mitigations | Residual Risk | Owner
Assessment Matrix (simplified 3x3):
                        Impact: Low   Medium   High
Probability High:               M     H        KR
Probability Medium:             N     M        H
Probability Low:                N     N        M
KR = Critical (immediate action required)
H = High (prompt action required)
M = Medium (scheduled action required)
N = Low (acceptable or monitoring)
Typical Top 10 Risks (SMEs):
1. Ransomware attack (High, High = Critical)
2. Phishing → Credential compromise (High, High = Critical)
3. Insider threat (Medium, High = High)
4. Unpatched vulnerabilities (High, Medium = High)
5. Data loss due to backup failure (Medium, High = High)
6. Supply chain compromise (Low, High = Medium)
7. DDoS against online presence (Medium, Medium = Medium)
8. Loss of mobile devices (High, Medium = High)
9. BEC/CEO fraud (Medium, High = High)
10. Compliance violation/GDPR fine (Low, Critical = High)
---
Step 4: Define policies and standards
Policy hierarchy:
Level 1: Information Security Policy (Top-level, signed by the CEO)
Level 2: Standards (Password policy, encryption standard)
Level 3: Procedures/Processes (Incident Response Process, Patch Procedure)
Level 4: Work Instructions (Step-by-Step for IT)
Key Policies:
□ Information Security Policy
□ Acceptable Use Policy
□ Password Policy
□ Access Control Policy
□ Incident Response Policy
□ Business Continuity / Disaster Recovery Policy
□ Data Classification Policy
□ Vendor Management Policy (Vendor Security)
□ Remote Work Policy
□ BYOD Policy
GRC Tools for Different Sizes
Small Businesses (< 50 Employees):
Risk management without a tool:
→ Excel/Google Sheets: Risk register, control matrix
→ Word: Policies, procedural instructions
→ SharePoint/Confluence: Document management
→ Cost: 0 (apart from time spent)
Advantage: Flexible, no licensing costs
Disadvantage: Manual versioning, no dashboards
---
Mid-sized companies (50–500 employees):
verinice (open-source ISMS tool):
→ Free basic version
→ BSI IT-Grundschutz and ISO 27001 templates
→ Risk management, action tracking
→ GDPR module available
Enginsight (DACH provider):
→ Vulnerability management + GRC combined
→ NIS2 compliance module
→ German hosting infrastructure (GDPR)
DocuWare / ELO (document management):
→ Versioning, workflow-based approvals
→ Audit-proof archiving
---
Enterprise (500+ employees):
ServiceNow GRC:
→ Leading enterprise platform
→ Integrated risk, policy, and audit management
→ CMDB integration
→ Very expensive, but comprehensive
SAP GRC:
→ For SAP environments
→ Access control, process control, risk management
→ Integration into the SAP landscape
Archer (RSA):
→ Market leader for complex GRC requirements
→ Highly configurable
---
ISMS-specific tools:
DataGuard (DACH provider):
→ ISO 27001 + GDPR platform
→ Guided implementation
→ Automated compliance checks
Vanta (for SaaS companies):
→ SOC 2, ISO 27001, GDPR automation
→ Continuous monitoring of technical controls
→ Well-suited for cloud-native companies
GRC and regulatory mapping
Control mapping: One measure – many standards
Example: Encryption at rest
ISO 27001:2022: A.8.24 Use of cryptography
GDPR Art. 32: (1)(a) Pseudonymization and encryption
BSI IT-Grundschutz: CON.1 Cryptographic concept
NIS2: Art. 21 (2)(d) Supply chain security
→ One measure (hard drive encryption) = 4 requirements met!
→ In the GRC tool: Link the measure to all 4 controls
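As an added example that is not part of the original article, the following Python snippet implements a minimal risk register: it scores entries with the simplified 3x3 matrix from Step 3 and records the one-measure-to-many-controls mapping shown above for encryption at rest. Risk names and control IDs are taken from the article; the assignment of the encryption measure to the mobile-device risk, the function names, and the rejection of levels outside the matrix are assumptions made here.

```python
# Added example, not from the original article: a minimal risk register using
# the article's simplified 3x3 matrix and its one-measure-to-many-controls
# mapping. Levels, ratings, risk names and control IDs come from the article;
# which measure is assigned to which risk is a constructed assumption.
from dataclasses import dataclass, field
LEVELS = ("Low", "Medium", "High")
MATRIX = {  # row = probability, column = impact, value = rating N/M/H/KR
    "High":   {"Low": "M", "Medium": "H", "High": "KR"},
    "Medium": {"Low": "N", "Medium": "M", "High": "H"},
    "Low":    {"Low": "N", "Medium": "N", "High": "M"},
}
RANK = {"N": 0, "M": 1, "H": 2, "KR": 3}
CONTROL_MAP = {  # one measure -> every control it fulfils (article's example)
    "disk-encryption": ["ISO 27001:2022 A.8.24", "GDPR Art. 32(1)(a)",
                        "BSI IT-Grundschutz CON.1", "NIS2 Art. 21(2)(d)"],
}

@dataclass
class Risk:
    risk_id: str
    description: str
    probability: str
    impact: str
    measures: list = field(default_factory=list)
    def rating(self) -> str:
        # Reject levels outside the matrix instead of silently mis-scoring
        if self.probability not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.risk_id}: levels must be one of {LEVELS}")
        return MATRIX[self.probability][self.impact]

def prioritise(register):
    """Highest rating first; the stable sort keeps register order for ties."""
    return sorted(register, key=lambda r: RANK[r.rating()], reverse=True)

def untreated(register, minimum="H"):
    """IDs of risks rated at least `minimum` that have no measure assigned."""
    return [r.risk_id for r in register
            if RANK[r.rating()] >= RANK[minimum] and not r.measures]

def controls_covered(register):
    """Every control satisfied by the measures assigned in the register."""
    return sorted({c for r in register for m in r.measures
                   for c in CONTROL_MAP.get(m, [])})
# Constructed register with three of the article's top-10 SME risks
REGISTER = [
    Risk("R-01", "Ransomware attack", "High", "High"),
    Risk("R-06", "Supply chain compromise", "Low", "High"),
    Risk("R-08", "Loss of mobile devices", "High", "Medium", ["disk-encryption"]),
]
```

Running `untreated(REGISTER)` lists the critical ransomware risk as having no assigned measure, while `controls_covered(REGISTER)` shows that the single encryption measure already satisfies the four mapped requirements.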
Compliance calendar:
January: ISO 27001 management review
March: Prepare GDPR data protection report
April: ISO 27001 internal audit (preparation for recertification)
June: Risk analysis update
September: NIS2 reporting (if applicable)
October: ISO 27001 surveillance audit (annual)
December: Annual security awareness training
KPIs for GRC reporting:
→ Open security vulnerabilities: Trend (increasing or decreasing?)
→ Patch compliance: % of systems up to date
→ Action implementation rate: open items from risk analysis
→ Policy read rate: have all employees confirmed policies?
→ Awareness training completion rate
→ Incident response time: MTTD, MTTR
→ Audit findings: number of open findings
About the Author
Dipl.-Math. (WWU Münster) and doctoral candidate at the Promotionskolleg NRW (Hochschule Rhein-Waal) with a research focus on phishing awareness, behavioral security, and nudging in IT security. Responsible for building and maintaining ISMSs, leads internal audits according to ISO/IEC 27001:2022, and advises as an external information security officer (ISB) in KRITIS sectors. Lecturer for Communication Security at Hochschule Rhein-Waal and NIS2 training lead at isits AG.
3 publications
- Different Seas, Different Phishes — Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Self-promotion with a Chance of Warnings: Exploring Cybersecurity Communication Among Government Institutions on LinkedIn (2024)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)