
Governance, Risk and Compliance:
Your Guide for Selecting the Right Framework
North American Edition

Certified in Governance, Risk and Compliance
CGRC™
CONTENTS

What is GRC? ... 3
  What is Governance? ... 3
  What is Risk Management? ... 3
  What is Compliance? ... 3
The importance of GRC ... 4
How can GRC protect organizations? ... 4
  Understanding and managing risk ... 5
  Protecting organizations through GRC ... 5
What is Risk Assessment? ... 6
What are essential GRC Frameworks? ... 7
  ISO/IEC 27005:2022 ... 7
  NIST Risk Management Framework (NIST SP 800-37 REV.2) ... 8
  NIST Guide for Conducting Risk Assessments (NIST SP 800-30 REV.1) ... 8
Other Cybersecurity and Privacy Frameworks in GRC ... 9
  NIST Cybersecurity Framework ... 9
  State Privacy Laws and Regulations ... 10
  PIPEDA ... 11
  Federal Information Security Modernization Act (FISMA) ... 11
  FedRAMP ... 11
  HIPAA ... 12
Notable International Frameworks in GRC ... 12
  PCI DSS 4.0 ... 12
  General Data Protection Regulation (GDPR) ... 13
  ANSI/ISA-62443-3-2 ... 13
  IMO Guidelines on Maritime Cyber Risk Management ... 14
The role of a Certified GRC Professional ... 14
How (ISC)² CGRC Certification Helps ... 15
About (ISC)² ... 15

What is GRC?

GRC stands for Governance, Risk and Compliance. It refers to an organization’s strategy for handling the
interdependencies and alignment between three essential components of modern digital organizations:

• Corporate governance policies
• Enterprise risk management programs
• Regulatory compliance

It includes tools and processes to unify an organization’s governance and risk management with technological
innovation and adoption. Companies use GRC to achieve organizational goals reliably, remove uncertainty and
meet compliance requirements.

Before GRC became common vernacular, most organizations were familiar with the elements but practiced each
of them separately. GRC emerged as a discipline when they recognized that coordinating the people, processes
and technologies they used to manage governance, risk and compliance could produce benefits. GRC combines
governance, risk management and compliance in a single coordinated model. This unified approach helps reduce
wastage, increase efficiency, reduce noncompliance risk and share information more effectively.

What is Governance?

Governance is an organization’s set of policies, rules or frameworks designed to achieve its goals. It defines the
responsibilities of key stakeholders, including the board of directors and senior management. Good governance
covers principles such as ethics, accountability, transparency, conflict resolution policies and resource
management.

What is Risk Management?

Organizations face different risks in finance, legal, strategy and security. Proper risk management helps them
identify the risks and find ways to remediate them. An enterprise risk management program is put in place to
predict potential problems and minimize losses.

What is Compliance?

Compliance is adhering to rules, laws and regulations. It applies to industrial bodies’ legal and regulatory
requirements and internal corporate policies. In GRC, compliance involves implementing procedures to ensure
activities comply with regulations. For example, healthcare organizations must comply with laws like HIPAA that
protect patient privacy.



The Importance of GRC

Organizations must identify and manage critical activities as they grow increasingly complex. They must also
be able to integrate traditional, distinct management activities into a cohesive discipline that increases the
effectiveness of people, business processes, technology, facilities and other essential business elements.
GRC achieves this by breaking down the traditional barriers between organizational units and requiring
them to collaborate to achieve strategic goals. By implementing GRC programs, organizations can make
better decisions in a risk-aware environment. An effective program helps key stakeholders set policies from
a shared perspective and comply with regulatory requirements. With GRC, the entire organization is united
in its policies, decisions and actions.

The following are additional benefits that come with a GRC strategy:

• Data-driven decision-making that monitors resources, sets up rules or frameworks and uses
GRC software and tools

• Streamlined operations around a common culture that promotes ethical values and creates
a healthy environment for growth

• Improved cybersecurity to protect customer data and personal information

Implementing a GRC strategy is essential in today’s environment of increasing cyber risk that threatens users’ data
and privacy. It assists organizations in complying with data privacy regulations like the General Data Protection
Regulation, helps build customer trust and protects against penalties.

How can GRC protect organizations?

Understanding and managing risk


Risk exists wherever and whenever there’s an opportunity for compromise, threat or loss. ISO 31000 defines risk as “the effect of uncertainty on objectives.” Risk affords opportunities for benefit (upside) or perils to success (downside). Risk and opportunity go together. To provide value to stakeholders, enterprises must engage in activities and initiatives (opportunities), all of which carry degrees of uncertainty and, therefore, risk. Managing risk and opportunity is a critical strategic activity for enterprise success.1

Commonly referred to as exposure to threats, risk can be quantified by using the expression:

Risk = Probability x Severity

1 ISACA, Risk IT Framework, 2nd Edition, page 9, 27 July 2020



Probability is the likelihood of an event occurring, and severity is the extent and cost of the resulting loss.
Risk management identifies, assesses and controls threats to an organization’s capital and earnings.2
The source of these risks is diverse and includes financial uncertainty, technological evolution, legal
liabilities, strategic management errors, accidents and natural disasters.

Risk management creates outcomes that inform decisions for addressing risks and minimizing the adverse effects
of risk on an organization. The consequences of threats can be either objective or quantifiable, like lost revenue
and data theft, or subjective and difficult to quantify, such as damage to reputation and lost customer trust. By
considering risk in the decision-making process and committing the required resources to control and mitigate
the identified risk, organizations can protect themselves from uncertainty, prioritize investments, reduce costs
and increase business continuity and resilience.

Following the identification of risks, strategies to manage them include:

• Avoiding the threat

• Reducing the negative effect or probability of the threat

• Transferring or sharing all or part of the threat with another party

• Retaining some or all of the potential or actual consequences of a particular risk if the
anticipated gain is greater than the cost

Protecting organizations through GRC


As organizations become increasingly digitized and dependent on cyber-enabled technologies, cyberthreats and
data-related risks — and the risk management strategies to alleviate them — have become a top priority.

The World Economic Forum 2023 Global Risk Report3 highlights the following regarding the cyber risk environment in which organizations operate today:

“The rapid development and deployment of new technologies, which often comes with limited protocols governing their use, poses its own set of risks. The ever-increasing intertwining of technologies with the critical functioning of societies is exposing populations to direct domestic threats, including those that seek to shatter societal functioning. Alongside a rise in cybercrime, attempts to disrupt critical technology-enabled resources and services will become more common, with attacks anticipated against agriculture and water, financial systems, public security, transport, energy, and domestic, space-based and undersea communication infrastructure.”

2 https://searchcompliance.techtarget.com/definition/risk-management
3 https://www.weforum.org/reports/global-risks-report-2023



With cyber risks threatening both productivity and continuity, more corporate risk management plans are
including processes for identifying and controlling threats to digital assets, including proprietary corporate data,
personally identifiable information and intellectual property.

A report by the Organization for Economic Cooperation and Development (OECD)4 highlights that cybersecurity
incidents “undermine innovation, create privacy risk and erode trust.” The same report elaborates, “Risk
Management can help ensure digital security measures protect and support economic and social activities.”

Robust risk management strategies enable organizations to:

• Consider potential risks or events before they occur

• Establish procedures to avoid threats, minimize their impact and cope with the results

• Understand and control risk so leadership is more confident in their decision-making process

• Create a safe and secure environment for employees and customers

• Increase the stability and resilience of operations while decreasing legal liability

• Protect from events that are detrimental to the organization and the environment

• Establish insurance needs to save on unnecessary premiums

What is Risk Assessment?

Risk assessment is the process of identifying, analyzing and evaluating threats and vulnerabilities.5
In cybersecurity, risk assessments are essential for identifying how external threat actors or insiders, either
negligent or malevolent, could compromise sensitive information.

The results guide the actions that should be taken to build defense measures. For example, threats with the highest
score that target critical systems and data should become organizational priorities and be addressed urgently, whereas
businesses can generally tolerate those with lower scores.

4 OECD (2016), “Managing Digital Security and Privacy Risk”, OECD Digital Economy Papers, No. 254, OECD Publishing, Paris
5 Nicholas King, Risk Assessments are Essential for GDPR Compliance, July 16, 2019



What are the essential GRC Frameworks?
This section describes the most prominent GRC frameworks and methodologies in the North American region
(United States and Canada).

ISO/IEC 27005:2022
ISO/IEC 27005:20226 “Information security, cybersecurity and privacy protection — Guidance on managing
information security risks” is a risk management framework applicable to all types of organizations intending
to manage risks that could compromise their information security. It supports the general concepts specified
in ISO/IEC 27001:2022 and is designed to assist in the implementation of information security based on a risk
management approach.
ISO 27005:2022 describes a cybersecurity risk management framework comprising the following processes:7

• Information security risk management: This covers the iterative process of identifying, assessing
and treating information security risks, comprising strategic (long-term) and operational
(medium- to short-term) cycles. It is important to note that risk identification can be either
event- or asset-based.

• Context establishment: This process concerns methods for determining risk evaluation and
acceptance criteria. The organization’s business context for information risk and security
management is also factored in.

• Information security risk assessment: This clause lays out the process of systematically identifying,
analyzing, evaluating and prioritizing information security risks. During the assessment, the risk is
estimated as a combination of the likelihood of an incident and its consequences.

• Information security risk treatment: This clause describes using information security controls
to modify (mitigate or maintain) information security risks. Should the remaining (residual) risk be deemed
unacceptable, the clause requires a further round of treatment, which includes reassessing the risk.

• Operation: This clause mentions that organizations should review information security risks and
treatments regularly or when changes occur.

6 https://www.iso.org/standard/80585.html
7 https://www.linkedin.com/pulse/isoiec-270052022-what-new-paul-varela?trk=pulse-article



NIST Risk Management Framework (NIST SP 800-37 REV.2)
The NIST Risk Management Framework (RMF)8 provides a flexible, holistic and
repeatable seven-step process to manage security and privacy risk. It links to
a suite of NIST standards and guidelines to support the implementation of risk
management programs to meet the requirements of the Federal Information
Security Modernization Act (FISMA).

The NIST RMF risk-based approach helps organizations:

• Prepare for risk management through essential activities critical to designing and implementing a
risk management program

• Categorize systems and information based on impact analysis

• Select a set of NIST SP 800-53 controls to protect the system based on risk assessments

• Implement the controls and document how they are deployed

• Assess implementation to determine if the controls are operating as intended and producing the
desired results to manage risk

• Authorize the system to operate by a senior-level official who understands the controls in place to
manage risk and residual risk

• Monitor control implementation and changes to the risks

Since the standard does not suggest using a specific risk assessment methodology, it does not provide details
regarding assets and related taxonomies, threat and vulnerability catalogs, or risk calculation methods. However,
it references other NIST standards, including the NIST Cybersecurity Framework (CSF).

NIST Guide for Conducting Risk Assessments (NIST SP 800-30 REV.1)


The purpose of NIST SP 800-30 REV.19 is to provide guidance and methodology for conducting risk assessments of
federal information systems and organizations. The ultimate goal is to help organizations manage the risks of IT-
related missions better.

The NIST SP 800-30 standard entails three functional components:

• Risk assessment - the use of risk to determine the extent of a potential threat and identify
appropriate controls for reducing or eliminating risk during the risk mitigation process

• Risk treatment - the process of risk mitigation, which involves prioritizing, evaluating and
implementing the appropriate risk-reduction controls based on risk assessment

• Risk monitoring - the final functional component that continually assesses the effectiveness of
security controls

8 https://csrc.nist.gov/projects/risk-management/about-rmf
9 https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Other cybersecurity and privacy frameworks in GRC

NIST Cybersecurity Framework


The NIST Cybersecurity Framework10 can be used as a top-level security management tool that aids in assessing
cybersecurity risk across the organization, whether just beginning to build a cybersecurity program or running a
relatively mature program.

The framework emphasizes the importance of addressing cybersecurity risks in the organization’s risk
management procedures and leveraging business drivers to direct cybersecurity operations. While this document
was created to better understand cybersecurity risk management in critical infrastructure, organizations can use
the framework in any field. Organizations of any size and level of cybersecurity risk or skill can use the framework
to improve their security and resilience by applying the concepts and best practices.

The framework follows a risk-based approach to managing cybersecurity risk and includes three parts, each of
which reinforces the connection between business drivers and cybersecurity activities:

The Framework Core is a collection of industry-neutral cybersecurity practices, goals and principles. The five
core functions of the framework — identify, protect, detect, respond and recover — run simultaneously and
indefinitely. When taken as a whole, these functions offer a strategic overview of the full spectrum of cybersecurity
risk management inside an organization. The Framework Core then determines the underlying categories and
subcategories for each function, which are the individual results.

The Framework Implementation Tiers characterize the extent to which an organization’s cybersecurity risk
management processes reflect the criteria established by the framework (e.g., risk- and threat-aware, repeatable
and adaptive). These tiers range from Partial (ad hoc, reactive responses) to Adaptive (deliberate, risk-informed
and continuously improving practices).

The Framework Profile is an implementation-specific set of rules, principles and practices that sync with the
Framework Core. By contrasting a “Current” (or “as is”) Profile with a “Target” (or “to be”) Profile, organizations
can spot areas in their cybersecurity operations that should be improved.

[Figure: NIST Cybersecurity Framework diagram showing the Framework Core (Identify, Protect, Detect, Respond, Recover), the Implementation Tiers and the Framework Profile]

10 https://www.nist.gov/cyberframework. All images used in this section are courtesy of the National Institute of Standards and Technology (NIST).

State privacy laws and regulations
While there’s no comprehensive federal privacy decree, the United States has a patchwork of state laws governing
data privacy.11

The California Consumer Privacy Act (CCPA) sets strict standards for the ways service providers must handle
personal data in the state, including ensuring that data collection is transparent, secure and obtained with the
concerned individual’s consent. The standard also provides individuals the right to know what personal data is
collected about them and allows them to access it and request its deletion. In 2020, the state passed the California
Privacy Rights Act (CPRA), an amendment to the CCPA. The CPRA provides additional protection for Californians,
including the right to know what personal data entities are collecting about them and whether businesses are
selling their data and to whom.

The New York Privacy Act is one of the most comprehensive pieces of privacy and security legislation in the United
States. This law sets strict rules about the ways organizations must handle consumers’ personal information and
gives individuals new rights concerning data. The act significantly impacts companies operating in New York State
and helps ensure all residents control their personal information.

The Virginia Consumer Data Protection Act requires organizations to take reasonable steps to protect consumer
data privacy, confidentiality and integrity. The law applies to any company that collects, uses or discloses the
personal information of 100,000 or more Virginia consumers or derives 50 percent or more of its revenue from
the sale of consumer data. The law also gives Virginia residents the right to access their personal data and request
correction if inaccurate.

The Colorado Privacy Act is a new law that takes effect on July 1, 2023. It requires organizations to disclose their
data collection and sharing practices to consumers, and gives Colorado residents the right to opt out of the sale of
their personal data. The law also imposes strict penalties for companies and authorizes the state attorney general
to bring enforcement actions.

11 With information from: https://www.varonis.com/blog/us-privacy-laws and https://pro.bloomberglaw.com/brief/data-privacy-laws-in-the-u-s/



PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA)12 is a Canadian privacy law that governs
the ways private sector organizations collect, use and disclose personal information. Organizations covered
by PIPEDA need to obtain an individual’s consent when they collect, use or disclose an individual’s personal
information. That same individual can also challenge the accuracy of the information.

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information
during commercial activity. Several actions need to be followed to ensure PIPEDA compliance, including:

• Receiving an individual’s consent before handling information

• Letting the individual see any personal information you have about them if they ask

• Sufficiently safeguarding all personal information (regardless of how it is stored) against loss, theft or any
unauthorized access, disclosure, copying, use or modification.

To fulfill the data protection requirement, organizations must develop and implement a security policy and use
appropriate security safeguards to provide the necessary protections. These security controls can include physical
measures, technologies like data encryption and organizational controls. The selection of controls is informed by
the sensitivity of the information, the risk of compromising data privacy and the harm to the individual.

FISMA
The Federal Information Security Modernization Act (FISMA) requires each federal agency to develop, document
and implement an agency-wide information security program for the information and systems that support its
operations and assets, including those provided or managed by a third party. The amended FISMA 2014 aims
to address the evolving threat landscape, strengthen the use of continuous monitoring, and increase focus on
compliance and auditing.

FISMA requires that agencies within the federal government:13

• Plan for security

• Ensure that appropriate officials are assigned security responsibilities

• Periodically review the security controls in their systems

• Authorize system processing before operations and periodically afterward

FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP)14 was established in 2011 to provide a
cost-effective, risk-based approach to the federal government’s adoption and use of cloud services. FedRAMP
empowers agencies to use modern cloud technologies, emphasizing the security and protection of federal
information. It provides a standardized approach to security assessment, authorization and continuous monitoring
for cloud-based services. FedRAMP uses a “do once, use many times” framework designed to save on costs, time
and staff required to conduct redundant agency security assessments and process monitoring reports.15

12 https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/
13 https://csrc.nist.gov/Projects/risk-management/fisma-background
14 https://www.fedramp.gov/

HIPAA
The Health Insurance Portability and Accountability Act (HIPAA)16 sets the standard for protecting sensitive patient
data. Organizations that deal with Protected Health Information (PHI) must have physical, network and process
security measures in place and follow them to ensure HIPAA compliance.

The HIPAA Security Rule requires that covered entities and their associates conduct a risk assessment of their
healthcare organization to help ensure compliance with HIPAA’s administrative, physical and technical safeguards.
The assessment also helps reveal areas where the organization’s protected health information (PHI) could be
at risk.17 Failure to conduct HIPAA risk assessments can be costly.

Notable international frameworks in GRC

PCI DSS 4.0


The Payment Card Industry Data Security Standard (PCI DSS) was developed to reinforce the security of credit
card transactions and facilitate the broad adoption of consistent data security measures. It provides a baseline
of technical and operational requirements to protect financial data. The goal of the PCI DSS, amended to version
4.0,18 is to protect cardholders and sensitive authentication data wherever it is processed, stored or transmitted.

Risk assessment and management are considered best practices for maintaining compliance with PCI DSS. The
standard asks organizations to “perform a risk assessment to determine the potential impact to PCI DSS scope.”

The risk assessment process must identify critical assets, threats and vulnerabilities and their effects on the
cardholder data environment and should result in a formal, documented analysis of risk. The PCI DSS risk
assessment offers organizations guidance to help identify, analyze, document and manage the information security
risks that may affect their cardholder data. It also provides organizations with remediation strategies to implement
risk management strategies that mitigate those vulnerabilities.

15 https://www.fedramp.gov/assets/resources/documents/FedRAMP_Security_Assessment_Framework.pdf
16 https://www.hhs.gov/hipaa/index.html
17 https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
18 https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf



General Data Protection Regulation (GDPR)
The European Union General Data Protection Regulation (GDPR) is the cornerstone of privacy regulations, and its
impact goes well beyond the borders of the EU. Since its enforcement in May 2018, the regulation has served as
the foundation for many national or state privacy regulations and acts, such as the California Consumer Privacy Act
(CCPA), Brazil’s Lei Geral de Proteção de Dados (or LGPD) and others. GDPR impacts all organizations established
in the EU or any business that collects and stores the private data of EU citizens, including U.S. organizations.

All organizations within the scope of GDPR must conduct regular risk assessments to ensure potential risks to
personal data are identified and that the selected defense measures are adequate. Risk assessments are a core
component of GDPR: Article 32 states that organizations must implement “technical and organizational measures
to ensure a level of security appropriate to the risk.”

ANSI/ISA-62443-3-2
The ANSI/ISA-62443-3-2-2020 standard, titled “Security for industrial automation and control systems,
Part 3-2: Security risk assessment for system design,”19 dedicates an entire section to assessing security risk
for system design. The standard targets security professionals in industries mainly comprising critical infrastructure.

Part 3-2 of the document details the requirements for practical risk assessment at the design stage, even
though the risk has yet to materialize. A vital feature of this publication is assessing risk for zones individually.
Risk assessments include the following actions:

• Define a system for an industrial automation and control system (IACS)

• Segment the system into zones and conduits

• Assess risk for each defined zone and conduit

• Establish the target security level for each zone and conduit

• Document the security requirements

The focus is on identifying and, where required, further compartmentalizing risks during the design phase. The
controls for the specific design derive from security requirements. Risks are assessed at the system design
level, and definitions, such as likelihood, impact and analysis of process hazards, are included.

19 https://www.isa.org/products/ansi-isa-62443-3-2-2020-security-for-industrial-a



IMO guidelines on Maritime Cyber Risk Management
Official International Maritime Organization (IMO) guidelines20 provide a high-level approach to managing
maritime cyber risk. In this case, risk refers to the extent a technology asset is exposed to threats during a cyber
incident that could result in shipping operational failure.

In the context of these guidelines, cyber risk management entails the process of identifying, analyzing, assessing
and communicating a cyber risk and accepting, avoiding, transferring or mitigating it to an acceptable level,
considering the costs and benefits to stakeholders of the actions undertaken.

These guidelines present the functional components that support the effective management of cyber risk. They
follow the NIST Cybersecurity Framework; in practice they should be concurrent and continuous, and shipping
organizations should incorporate them appropriately in a maritime risk management framework.

The role of a Certified GRC Professional

All of the risk management frameworks analyzed here are closely related to each other. Each framework references
and maps controls and procedures with the others. They are used to:

• Assess the state of the overall security program

• Build a comprehensive security program

• Measure maturity and conduct industry comparisons

• Simplify communications with business leaders

Understanding, selecting and applying the proper framework falls within the responsibilities of a Certified
in Governance, Risk and Compliance (CGRC) professional. The CGRC professional is an information security
practitioner who advocates for aligning security risk management processes with the organization’s governance
strategies to support its mission and operations under legal and regulatory requirements.

CGRC professionals have the knowledge and skills to:

• Understand the foundations of an Information Security Risk Management Program
• Define the Scope of the Information System
• Select and approve security and privacy controls to meet the objectives of the risk management program
• Implement the selected security and privacy controls
• Assess the applicability and effectiveness of established security and privacy controls
• Authorize an Information System
• Establish continuous monitoring to adapt the risk management program to the changing risk environment

20 https://www.imo.org/en/OurWork/Security/Pages/Cyber-security.aspx



How CGRC certification helps

Earning the CGRC from (ISC)² is a proven way to build your career and demonstrate your expertise within various
risk management frameworks. It demonstrates to employers that you have the knowledge and advanced technical
skills to understand Governance, Risk and Compliance (GRC). CGRC certification shows you’re able to authorize
and maintain information systems utilizing various risk management frameworks, as well as best practices,
policies and procedures established by the cybersecurity experts at (ISC)².

Learn more about the ways CGRC can help you gain expertise and advance your career.

Next step: Get The Ultimate Guide

Take your next step toward a career in GRC with The Ultimate Guide to the CGRC. It covers everything you need
to know about CGRC certification. Find out how CGRC and (ISC)² can help you discover your certification path,
create your plan and acquire the knowledge and skills for a successful career.

About (ISC)²

(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world.
Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)²
offers a portfolio of credentials that are part of a holistic, programmatic approach to security. Our association of
candidates, associates, and members, nearly 330,000 strong, is made up of certified cyber, information, software
and infrastructure security professionals who are making a difference and helping to advance the industry. Our
vision is supported by our commitment to educate and reach the public through our charitable foundation –
The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on
Twitter, or connect with us on Facebook and LinkedIn.
