and Compliance: Your Guide for Selecting the Right Framework
North American Edition
Certified in Governance, Risk and Compliance (CGRC™)
CONTENTS
What is GRC?
What is Governance?
What is Risk Management?
What is Compliance?
What is GRC?
GRC stands for Governance, Risk and Compliance. It refers to an organization’s strategy for handling the
interdependencies and alignment between three essential components of modern digital organizations:
governance, risk management and compliance.
It includes tools and processes to unify an organization’s governance and risk management with technological
innovation and adoption. Companies use GRC to achieve organizational goals reliably, remove uncertainty and
meet compliance requirements.
Before GRC became common vernacular, most organizations were familiar with the elements but practiced each
of them separately. GRC emerged as a discipline when they recognized that coordinating the people, processes
and technologies they used to manage governance, risk and compliance could produce benefits. GRC combines
governance, risk management and compliance in a single coordinated model. This unified approach helps reduce
wastage, increase efficiency, reduce noncompliance risk and share information more effectively.
What is Governance?
Governance is an organization’s set of policies, rules or frameworks designed to achieve its goals. It defines the
responsibilities of key stakeholders, including the board of directors and senior management. Good governance
covers principles such as ethics, accountability, transparency, conflict resolution policies and resource
management.
What is Risk Management?
Organizations face different risks in finance, legal, strategy and security. Proper risk management helps them
identify the risks and find ways to remediate them. An enterprise risk management program is put in place to
predict potential problems and minimize losses.
What is Compliance?
Compliance is adhering to rules, laws and regulations. It applies to industrial bodies’ legal and regulatory
requirements and internal corporate policies. In GRC, compliance involves implementing procedures to ensure
activities comply with regulations. For example, healthcare organizations must comply with laws like HIPAA that
protect patient privacy.
Organizations must identify and manage critical activities as they grow increasingly complex. They must also
be able to integrate traditional, distinct management activities into a cohesive discipline that increases the
effectiveness of people, business processes, technology, facilities and other essential business elements.
GRC achieves this by breaking down the traditional barriers between organizational units and requiring
them to collaborate to achieve strategic goals. By implementing GRC programs, organizations can make
better decisions in a risk-aware environment. An effective program helps key stakeholders set policies from
a shared perspective and comply with regulatory requirements. With GRC, the entire organization is united
in its policies, decisions and actions.
The following are additional benefits that come with a GRC strategy:
• Data-driven decision-making that monitors resources, sets up rules or frameworks and uses
GRC software and tools
• Streamlined operations around a common culture that promotes ethical values and creates
a healthy environment for growth
Implementing a GRC strategy is essential in today’s environment of increasing cyber risk that threatens users’ data
and privacy. It assists organizations in complying with data privacy regulations like the General Data Protection
Regulation, helps build customer trust and protects against penalties.
Risk management creates outcomes that inform decisions for addressing risks and minimizing the adverse effects
of risk on an organization. The consequences of threats can be either objective or quantifiable, like lost revenue
and data theft, or subjective and difficult to quantify, such as damage to reputation and lost customer trust. By
considering risk in the decision-making process and committing the required resources to control and mitigate
the identified risk, organizations can protect themselves from uncertainty, prioritize investments, reduce costs
and increase business continuity and resilience.
• Retaining some or all of the potential or actual consequences of a particular risk if the
anticipated gain is greater than the cost
[2] https://searchcompliance.techtarget.com/definition/risk-management
[3] https://www.weforum.org/reports/global-risks-report-2023
A report by the Organization for Economic Cooperation and Development (OECD)[4] highlights that cybersecurity
incidents “undermine innovation, create privacy risk and erode trust.” The same report elaborates, “Risk
Management can help ensure digital security measures protect and support economic and social activities.”
• Establish procedures to avoid threats, minimize their impact and cope with the results
• Understand and control risk so leadership is more confident in their decision-making process
• Increase the stability and resilience of operations while decreasing legal liability
• Protect from events that are detrimental to the organization and the environment
Risk assessment is the process of identifying, analyzing and evaluating threats and vulnerabilities.[5]
In cybersecurity, risk assessments are essential for identifying how external threat actors or insiders, whether
negligent or malicious, could compromise sensitive information.
The results guide the actions that should be taken to build defensive measures. For example, threats with the
highest scores that target critical systems and data should become organizational priorities and be addressed
urgently, whereas businesses can generally tolerate those with lower scores.
[4] OECD (2016), “Managing Digital Security and Privacy Risk”, OECD Digital Economy Papers, No. 254, OECD Publishing, Paris
[5] Nicholas King, Risk Assessments are Essential for GDPR Compliance, July 16, 2019
ISO/IEC 27005:2022
ISO/IEC 27005:2022[6] “Information security, cybersecurity and privacy protection — Guidance on managing
information security risks” is a risk management framework applicable to all types of organizations intending
to manage risks that could compromise their information security. It supports the general concepts specified
in ISO/IEC 27001:2022 and is designed to assist in the implementation of information security based on a risk
management approach.
ISO 27005:2022 describes a cybersecurity risk management framework comprising the following processes:[7]
• Information security risk management: This covers the iterative process of identifying, assessing
and treating information security risks, comprising strategic (long-term) and operational
(medium- to short-term) cycles. It is important to note that risk identification can be either
event- or asset-based.
• Context establishment: This process concerns methods for determining risk evaluation and
acceptance criteria. The organization’s business context for information risk and security
management is also factored in.
• Information security risk assessment: This clause lays out the process of systematically identifying,
analyzing, evaluating and prioritizing information security risks. During the assessment, the risk is
estimated as a combination of the likelihood of an incident and its consequences.
• Information security risk treatment: This clause describes using information security controls
to modify (mitigate or maintain) information security risks. Should the remaining risk be deemed
unacceptable, the clause requires a further round of treatment, which includes a reassessment of the risk.
• Operation: This clause mentions that organizations should review information security risks and
treatments regularly or when changes occur.
[6] https://www.iso.org/standard/80585.html
[7] https://www.linkedin.com/pulse/isoiec-270052022-what-new-paul-varela?trk=pulse-article
• Prepare for risk management through essential activities critical to designing and implementing a
risk management program
• Select a set of NIST SP 800-53 controls to protect the system based on risk assessments
• Assess implementation to determine if the controls are operating as intended and producing the
desired results to manage risk
• Authorize the system to operate by a senior-level official who understands the controls in place to
manage risk and residual risk
Since the standard does not prescribe a specific risk assessment methodology, it does not provide details
regarding assets and related taxonomies, threat and vulnerability catalogs, or risk calculation methods. However,
it references other NIST standards, including the NIST Cybersecurity Framework (CSF).
• Risk assessment - the process used to determine the extent of a potential threat and identify
appropriate controls for reducing or eliminating risk during the risk mitigation process
• Risk treatment - the process of risk mitigation, which involves prioritizing, evaluating and
implementing the appropriate risk-reduction controls based on risk assessment
• Risk monitoring - the final functional component that continually assesses the effectiveness of
security controls
[8] https://csrc.nist.gov/projects/risk-management/about-rmf
[9] https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Other cybersecurity and privacy frameworks in GRC
The framework emphasizes the importance of addressing cybersecurity risks in the organization’s risk
management procedures and leveraging business drivers to direct cybersecurity operations. While this document
was created to better understand cybersecurity risk management in critical infrastructure, organizations can use
the framework in any field. Organizations of any size and level of cybersecurity risk or skill can use the framework
to improve their security and resilience by applying the concepts and best practices.
The framework follows a risk-based approach to managing cybersecurity risk and includes three parts, each of
which reinforces the connection between business drivers and cybersecurity activities:
The Framework Core is a collection of industry-neutral cybersecurity practices, goals and principles. The five
core functions of the framework — identify, protect, detect, respond and recover — run simultaneously and
indefinitely. When taken as a whole, these functions offer a strategic overview of the full spectrum of cybersecurity
risk management inside an organization. The Framework Core then determines the underlying categories and
subcategories for each function, which are the individual results.
The Framework Implementation Tiers characterize the extent to which an organization’s cybersecurity risk
management processes reflect the criteria established by the framework (e.g., risk- and threat-aware, repeatable
and adaptive). These tiers range from reactive, ad hoc responses to deliberate, risk-informed approaches.
The Framework Profile is an implementation-specific set of rules, principles and practices that sync with the
Framework Core. By contrasting a “Current” (or “as is”) Profile with a “Target” (or “to be”) Profile, organizations
can spot areas in their cybersecurity operations that should be improved.
[Figure: NIST Cybersecurity Framework components: the Framework Core functions (Identify, Protect, Detect, Respond, Recover), the Implementation Tiers and the Framework Profile]
State privacy laws and regulations
While there’s no comprehensive federal privacy decree, the United States has a patchwork of state laws governing
data privacy.[11]
The California Consumer Privacy Act (CCPA) sets strict standards for the ways service providers must handle
personal data in the state, including ensuring that data collection is transparent, secure and obtained with the
concerned individual’s consent. The law also gives individuals the right to know what personal data is
collected about them and allows them to access it and request its deletion. In 2020, the state passed the California
Privacy Rights Act (CPRA), an amendment to the CCPA. The CPRA provides additional protection for Californians,
including the right to know what personal data entities are collecting about them and whether businesses are
selling their data and to whom.
The New York Privacy Act is one of the most comprehensive pieces of privacy and security legislation in the United
States. This law sets strict rules about the ways organizations must handle consumers’ personal information and
gives individuals new rights concerning data. The act significantly impacts companies operating in New York State
and helps ensure all residents control their personal information.
The Virginia Consumer Data Protection Act requires organizations to take reasonable steps to protect consumer
data privacy, confidentiality and integrity. The law applies to any company that collects, uses or discloses the
personal information of 100,000 or more Virginia consumers or derives 50 percent or more of its revenue from
the sale of consumer data. The law also gives Virginia residents the right to access their personal data and request
correction if inaccurate.
The Colorado Privacy Act is a new law that takes effect on July 1, 2023. It requires organizations to disclose their
data collection and sharing practices to consumers, and gives Colorado residents the right to opt out of the sale of
their personal data. The law also imposes strict penalties for companies and authorizes the state attorney general
to bring enforcement actions.
PIPEDA
PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information
during commercial activity. Several actions need to be followed to ensure PIPEDA compliance, including:
To fulfill the data protection requirement, organizations must develop and implement a security policy and use
appropriate security safeguards to provide the necessary protections. These security controls can include physical
measures, technologies like data encryption and organizational controls. The selection of controls is informed by
the sensitivity of the information, the risk of compromising data privacy and the harm to the individual.
FISMA
The Federal Information Security Modernization Act (FISMA) requires each federal agency to develop, document
and implement an agency-wide information security program for the information and systems that support its
operations and assets, including those provided or managed by a third party. The amended FISMA 2014 aims
to address the evolving threat landscape, strengthen the use of continuous monitoring, and increase focus on
compliance and auditing.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP)[14] was established in 2011 to provide a
cost-effective, risk-based approach to the federal government’s adoption and use of cloud services. FedRAMP
empowers agencies to use modern cloud technologies, emphasizing the security and protection of federal
information. It provides a standardized approach to security assessment, authorization and continuous monitoring
[12] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/
[13] https://csrc.nist.gov/Projects/risk-management/fisma-background
[14] https://www.fedramp.gov/
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA)[16] sets the standard for protecting sensitive patient
data. Organizations that deal with Protected Health Information (PHI) must have physical, network and process
security measures in place and follow them to ensure HIPAA compliance.
The HIPAA Security Rule requires that covered entities and their associates conduct a risk assessment of their
healthcare organization to help ensure compliance with HIPAA’s administrative, physical and technical safeguards.
The assessment also helps reveal areas where the organization’s protected health information (PHI) could be
at risk.[17] Failure to conduct HIPAA risk assessments can be costly.
PCI DSS
Risk assessment and management are considered best practices for maintaining compliance with PCI DSS. The
standard asks organizations to “perform a risk assessment to determine the potential impact to PCI DSS scope.”
The risk assessment process must identify critical assets, threats and vulnerabilities and their effects on the
cardholder data environment and should result in a formal, documented analysis of risk. The PCI DSS risk
assessment offers organizations guidance to help identify, analyze, document and manage the information security
risks that may affect their cardholder data. It also provides organizations with remediation strategies to implement
risk management strategies that mitigate those vulnerabilities.
[15] https://www.fedramp.gov/assets/resources/documents/FedRAMP_Security_Assessment_Framework.pdf
[16] https://www.hhs.gov/hipaa/index.html
[17] https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
[18] https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf
GDPR
All organizations within the scope of GDPR must conduct regular risk assessments to ensure potential risks to
personal data are identified and that the selected defense measures are adequate. Risk assessments are a core
component of GDPR: Article 32 states that organizations must implement “technical and organizational measures
to ensure a level of security appropriate to the risk.”
ANSI/ISA-62443-3-2
The ANSI/ISA-62443-3-2-2020 standard, titled “Security for industrial automation and control systems,
Part 3-2: Security risk assessment for system design,”[19] dedicates an entire section to assessing security risk
for system design. The standard targets security professionals in industries mainly comprising
critical infrastructure.
[19] 2020-security-for-industrial-a
analysis of process hazards, are included.
In the context of these guidelines, cyber risk management entails the process of identifying, analyzing, assessing
and communicating a cyber risk and accepting, avoiding, transferring or mitigating it to an acceptable level,
considering the costs and benefits to stakeholders of the actions undertaken.
These guidelines present the functional components that support the effective management of cyber risk. They
follow the NIST Cybersecurity Framework, should be applied concurrently and continuously in practice, and
should be incorporated appropriately by shipping organizations into a maritime risk management framework.
All of the risk management frameworks analyzed here are closely related to each other. Each framework references
and maps controls and procedures with the others. They are used to:
Understanding, selecting and applying the proper framework falls within the responsibilities of a Certified
in Governance, Risk and Compliance (CGRC) professional. The CGRC professional is an information security
practitioner who advocates for aligning security risk management processes with the organization’s governance
strategies to support its mission and operations under legal and regulatory requirements.
Take your next step toward a career in GRC with The Ultimate
Guide to the CGRC. It covers everything you need to know about
CGRC certification. Find out how CGRC and (ISC)² can help you
discover your certification path, create your plan and acquire the
knowledge and skills for a successful career.
About (ISC)²
(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world.
Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)²
offers a portfolio of credentials that are part of a holistic, programmatic approach to security. Our association of
candidates, associates, and members, nearly 330,000 strong, is made up of certified cyber, information, software
and infrastructure security professionals who are making a difference and helping to advance the industry. Our
vision is supported by our commitment to educate and reach the public through our charitable foundation –
The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on
Twitter, or connect with us on Facebook and LinkedIn.