Governance, Risk and Compliance:
Your Guide for Selecting the Right Framework
Asia-Pacific Edition
Certified in Governance, Risk and Compliance (CGRC™)
CONTENTS
What is CGRC?
What is Governance?
What is Risk Management?
What is Compliance?
GRC stands for Governance, Risk and Compliance. It refers to an organization’s strategy for handling the
interdependencies and alignment between three essential components of modern digital organizations:
governance, risk management and compliance. It includes tools and processes to unify an organization’s
governance and risk management with technological innovation and adoption. Companies use GRC to achieve
organizational goals reliably, remove uncertainty and meet compliance requirements.
Before GRC became common vernacular, most organizations were familiar with the elements but practiced each
of them separately. GRC emerged as a discipline when they recognized that coordinating the people, processes
and technologies they used to manage governance, risk and compliance could produce benefits. GRC combines
governance, risk management and compliance in a single coordinated model. This unified approach helps reduce
wastage, increase efficiency, reduce noncompliance risk and share information more effectively.
What is Governance?
Governance is an organization’s set of policies, rules or frameworks designed to achieve its goals. It defines the
responsibilities of key stakeholders, including the board of directors and senior management. Good governance
covers principles such as ethics, accountability, transparency, conflict resolution policies and resource
management.
What is Risk Management?
Organizations face different risks in finance, legal, strategy and security. Proper risk management helps them
identify these risks and find ways to remediate them. An enterprise risk management program is put in place to
predict potential problems and minimize losses.
What is Compliance?
Compliance is adhering to rules, laws and regulations. It covers the legal and regulatory requirements set by
industry bodies as well as internal corporate policies. In GRC, compliance involves implementing procedures to
ensure activities comply with regulations. For example, telecommunication organizations must comply with laws
like the Telecommunications Business Act (TBA) to ensure the data transferred through telecom companies remains
private.
Organizations must identify and manage critical activities as they grow increasingly complex. They must also
be able to integrate traditional, distinct management activities into a cohesive discipline that increases the
effectiveness of people, business processes, technology, facilities and other essential business elements.
GRC achieves this by breaking down the traditional barriers between organizational units and requiring them to
collaborate to achieve strategic goals. By implementing GRC programs, organizations can make better decisions
in a risk-aware environment. An effective program helps key stakeholders set policies from a shared perspective
and comply with regulatory requirements. With GRC, the entire organization is united in its policies, decisions and
actions.
The following are additional benefits that come with a GRC strategy:
• Data-driven decision-making that monitors resources, sets up rules or frameworks and uses
GRC software and tools
• Streamlined operations around a common culture that promotes ethical values and creates
a healthy environment for growth
Implementing a GRC strategy is essential in today’s environment of increasing cyber risk that threatens users’
data and privacy. It assists organizations in complying with data privacy regulations like the Act on the Protection
of Personal Information in Japan or the Personal Information Protection Law in China. It also helps build customer
trust and protects against penalties.
Risk management identifies, assesses and controls threats to an organization’s capital and earnings.[2] The source
of these risks is diverse and includes financial uncertainty, technological evolution, legal liabilities, strategic
management errors, accidents and natural disasters.
Risk management creates outcomes that inform decisions for addressing risks and minimizing the adverse effects
of risk on an organization. The consequences of threats can be either objective or quantifiable, like lost revenue
and data theft, or subjective and difficult to quantify, such as damage to reputation and lost customer trust. By
considering risk in the decision-making process and committing the required resources to control and mitigate
the identified risk, organizations can protect themselves from uncertainty, prioritize investments, reduce costs
and increase business continuity and resilience.
• Retaining some or all of the potential or actual consequences of a particular risk if the
anticipated gain is greater than the cost
[2] https://searchcompliance.techtarget.com/definition/risk-management
[3] https://www.weforum.org/reports/global-risks-report-2023
A report by the Organization for Economic Cooperation and Development (OECD)[4] highlights that cybersecurity
incidents “undermine innovation, create privacy risk and erode trust.” The same report elaborates, “Risk
Management can help ensure digital security measures protect and support economic and social activities.”
• Establish procedures to avoid threats, minimise their impact and cope with the results
• Understand and control risk so leadership is more confident in their decision-making process
• Increase the stability and resilience of operations while decreasing legal liability
• Protect from events that are detrimental to the organization and the environment
Risk assessment is the process of identifying, analysing and evaluating threats and vulnerabilities.[5]
In cybersecurity, risk assessments are essential for identifying how external threat actors or insiders, whether
negligent or malevolent, could compromise sensitive information.
The results guide the actions that should be taken to build defense measures. For example, threats with the
highest score that target critical systems and data should become organizational priorities and be addressed
urgently, whereas businesses can generally tolerate those with lower scores.
[4] OECD (2016), “Managing Digital Security and Privacy Risk”, OECD Digital Economy Papers, No. 254, OECD Publishing, Paris
[5] Nicholas King, Risk Assessments are Essential for GDPR Compliance, July 16, 2019
Risk management is an essential function for many countries in the region, including Australia, Japan, Singapore
and India.[6] This section describes the most prominent GRC frameworks and methodologies in the APAC region.
Please note that separate papers discuss the methodologies applicable to North America, the European Union and
the United Kingdom.
ISO/IEC 27005:2022
ISO/IEC 27005:2022[7] “Information security, cybersecurity and privacy protection — Guidance on managing
information security risks” is a risk management framework applicable to all types of organizations intending to
manage risks that could compromise their information security. It supports the general concepts specified in
ISO/IEC 27001:2022 and is designed to assist in implementing information security based on a risk management
approach.
ISO 27005:2022 describes a cybersecurity risk management framework comprising the following processes:[8]
• Information security risk management: This covers the iterative process of identifying, assessing
and treating information security risks, comprising strategic (long-term) and operational
(medium- to short-term) cycles. It is important to note that risk identification can be either
event- or asset-based.
• Context establishment: This process concerns methods for determining risk evaluation and
acceptance criteria. The organization’s business context for information risk and security
management is also factored in.
• Information security risk assessment: This clause lays out the process of systematically identifying,
analysing, evaluating and prioritising information security risks. During the assessment, the risk is
estimated as a combination of the likelihood of an incident and its consequences.
• Information security risk treatment: This clause describes how to use information security controls
to modify (mitigate or maintain) information security risks. Should the remaining risk be deemed
unacceptable, the clause requires a further treatment iteration, which includes reassessing the residual risk.
• Operation: This clause mentions that organizations should review information security risks and
treatments regularly or when changes occur.
[6] In India, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules are applicable. For more information
[7] https://www.iso.org/standard/80585.html
[8] https://www.linkedin.com/pulse/isoiec-270052022-what-new-paul-varela?trk=pulse-article
In support of the Cybersecurity Strategy, the Ministry of Economy, Trade and Industry (METI) and the independent
Information-Technology Promotion Agency (IPA) jointly issued the Cybersecurity Management Guidelines.[10] They
encourage businesses and organizations to follow a GRC approach underpinned by three principles:
• Corporate executives need to recognize cybersecurity risks and take leadership in driving
cybersecurity measures
• Security measures need to be taken not only for the company itself but also for the supply chain,
including business partners and outsourcing companies
• Companies need to communicate appropriately with relevant stakeholders by, for example,
disclosing information on cybersecurity risks and measures in normal times as well as in times of
emergency
These principles drive the 10 essential directions of cybersecurity management, which include:
• Identifying risks to corporate information, classifying their impact and developing a plan to
mitigate them that includes measures for risk transfer (i.e., cyber insurance or outsourcing) and
identification of residual risk
It is important to note that the main reference of Cybersecurity Management Guidelines is the NIST Cybersecurity
Framework (see respective section).
[9] https://www.dataguidance.com/opinion/japan-nisc-cybersecurity-strategy
[10] https://www.meti.go.jp/policy/netsecurity/downloadfiles/CSM_Guideline_v2.0_en.pdf
• Detect: Detecting and understanding cyber security events to identify cyber security incidents
ISM asks organizations to embed cybersecurity risk management processes into organizational risk management
frameworks so that security risks are identified, documented and managed accordingly. In addition, residual risk
must be accepted before systems and applications are authorized for use. The manual also introduces the concept
of continuous risk assessment and management throughout the operational life of systems and applications.
• Establishing risk context, which is an important prerequisite for conducting a risk assessment.
This step ensures that all stakeholders involved in the risk assessment exercise have a common
understanding of how the risk is framed, the risk tolerance to consider and the responsibilities of
the risk owner.
• Risk assessment is about identifying risks specific to the environment and determining the
level of the identified risks. According to the guidance, the main steps in a risk assessment are risk
identification, analysis and evaluation.
• Risk mitigation. Having evaluated the identified risks, the next step is to identify and determine
the course of action that keeps the risks within the organization’s risk tolerance level. Four risk
response options exist: accept, avoid, transfer and mitigate.
Other areas, such as risk monitoring and reporting, are beyond the scope of the guidance.
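The assessment and treatment loop described in the ISO/IEC 27005 and CSA sections above (risk as likelihood × consequence, evaluation against a tolerance fixed during context establishment, the four response options, and re-assessment of residual risk until it is within tolerance or must be formally accepted by the risk owner), as an added worked example in Python; this is not code from ISC2 or from any of the standards named here, and the scales, tolerance, sample risks and treatment plans are constructed.

```python
from dataclasses import dataclass, replace

# Constructed 5x5 scales and appetite, fixed during context establishment
TOLERANCE = 6  # a score above this exceeds the organisation's risk appetite

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int      # 1 rare .. 5 almost certain
    consequence: int     # 1 negligible .. 5 severe
    applied: tuple = ()  # names of treatments applied so far

    @property
    def score(self) -> int:
        # ISO 27005: risk = likelihood of an incident x its consequence
        return self.likelihood * self.consequence

@dataclass(frozen=True)
class Treatment:
    name: str
    option: str                 # accept | avoid | transfer | mitigate
    likelihood_delta: int = 0   # how far the control lowers likelihood
    consequence_delta: int = 0  # how far it lowers consequence

def apply_treatment(risk: Risk, t: Treatment) -> Risk:
    done = risk.applied + (t.name,)
    if t.option == "avoid":    # activity stopped, so the risk source is gone
        return replace(risk, likelihood=0, consequence=0, applied=done)
    if t.option == "accept":   # a recorded decision, not a change to the risk
        return replace(risk, applied=done)
    return replace(risk,       # transfer / mitigate lower one or both factors
                   likelihood=max(1, risk.likelihood - t.likelihood_delta),
                   consequence=max(1, risk.consequence - t.consequence_delta),
                   applied=done)

def treat(risk: Risk, plan: list, tolerance: int = TOLERANCE):
    """Apply planned controls one at a time, re-assessing after each, until the
    residual risk is within tolerance. Returns (residual, needs_acceptance): if
    the plan runs out first, the risk owner must formally accept what is left."""
    residual = risk
    for t in plan:
        if residual.score <= tolerance:
            break
        residual = apply_treatment(residual, t)
    return residual, residual.score > tolerance

def prioritise(risks):
    """Highest inherent score first: these become organisational priorities."""
    return sorted(risks, key=lambda r: r.score, reverse=True)

# Constructed sample register and treatment plans (hypothetical values)
REGISTER = [
    Risk("Ransomware on billing servers", 4, 5),
    Risk("Legacy SCADA protocol on plant network", 3, 5),
    Risk("Marketing website defacement", 2, 2),
]
PLANS = {
    "Ransomware on billing servers": [
        Treatment("Offline tested backups", "mitigate", consequence_delta=2),
        Treatment("EDR and patching SLA", "mitigate", likelihood_delta=2)],
    "Legacy SCADA protocol on plant network": [
        Treatment("Network segmentation", "mitigate", likelihood_delta=1),
        Treatment("Cyber insurance", "transfer", consequence_delta=1)],
}

def assess_register(register=REGISTER, plans=PLANS, tolerance=TOLERANCE):
    # {risk name: (residual risk, needs acceptance)} in priority order
    return {r.name: treat(r, plans.get(r.name, []), tolerance)
            for r in prioritise(register)}
```

In the sample register the ransomware risk reaches tolerance after two controls, the SCADA risk exhausts its plan at a residual score of 8 and so must be formally accepted or given further treatment, and the website risk needs no treatment at all.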
[11] https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism
[12] https://www.csa.gov.sg/docs/default-source/csa/documents/legislation_supplementary_references/guide-to-conducting-cybersecurity-risk-assessment-for-cii.pdf?sfvrsn=a63bf6d8_0. For frequently asked questions, please visit https://www.csa.gov.sg/faq/cybersecurity-risk-assessment-for-cii
The NIST Cybersecurity Framework[14] emphasizes the importance of addressing cybersecurity risks in the
organization’s risk management procedures and leveraging business drivers to direct cybersecurity operations.
While this document was created to better understand cybersecurity risk management in critical infrastructure,
organizations can use the framework in any field. Organizations of any size and level of cybersecurity risk or skill
can use the framework to improve their security and resilience by applying the concepts and best practices.
The framework follows a risk-based approach to managing cybersecurity risk and includes three parts, each of
which reinforces the connection between business drivers and cybersecurity activities:
[Figure residue: NIST Cybersecurity Framework functions wheel (Identify, Protect, Respond and Recover legible); caption fragment: “cybersecurity risk management inside an organization.”]
The Framework is currently under revision and version 2.0 is expected by the end of 2023.
[13] https://www.nist.gov/document/japan-cross-sector-forum-success-story-062920-508pdf
[14] https://www.nist.gov/cyberframework
APPI is based on the eight basic privacy protection principles defined by the OECD. The fundamental principle of
Japan’s data protection laws is protecting the right to privacy while also recognizing the increased scope, nature
and volume of personal data and the ever-expanding use of personal information in various forms by organizations.
Key elements of the legislation are to restrict the use of personal information to the purposes for which it was
obtained, to protect sensitive information from online risks and to limit the dissemination of personal information
without the data subject’s consent.
AESCSF is a cyber security framework developed and tailored to the Australian energy sector. The framework
enables participants to assess, evaluate, prioritize, and improve their cyber security capability and maturity. The
Framework has been established to address increasing cyber security risks the Australian energy sector faces.
To apply the highest level of cyber threat protection to Australian energy infrastructures, the AESCSF combines
aspects of recognized security frameworks such as NIST Cybersecurity Framework, NIST SP 800-53, the
Cybersecurity Capability Maturity Model (C2M2), and others.
[15] https://www.dataguidance.com/notes/japan-data-protection-overview
[16] https://aemo.com.au/en/initiatives/major-programs/cyber-security/aescsf-framework-and-resources
• Establishing robust technology risk governance and oversight. The board of directors and senior
management at an FI play an integral part in the oversight and management of technology risk.
Financial institution executives should cultivate a strong risk culture and ensure the establishment
of a sound and robust technology risk management framework.
• Maintaining cyber resilience. Strong cyber resilience is critical for sustaining trust and confidence
in financial services. FIs should adopt a defense-in-depth approach to strengthening cyber
resilience. It is also important that FIs establish and continuously improve their IT processes and
controls to preserve confidentiality, integrity and availability of data and IT systems.
Financial institutions should establish effective risk management practices and internal controls to achieve data
confidentiality and integrity, system security and reliability, as well as stability and resilience in their IT
operating environment. The risk management framework should encompass the elements of risk identification,
assessment, treatment and monitoring.
This Act applies to all of India, and its provisions also apply to any offense or violation committed even outside
the territorial jurisdiction of the Republic of India, by any person irrespective of nationality. For the provisions
of this Act to apply, such an offence or infringement must involve a computer, computer system or computer
network located in India.
[17] https://www.mas.gov.sg/regulation/guidelines/technology-risk-management-guidelines
[18] https://www.meity.gov.in/content/information-technology-act-2000-0
[19] https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act
[20] https://www.oaic.gov.au/privacy/australian-privacy-principles
A Privacy Impact Assessment (PIA) is contemplated by Australian privacy law but, apart from government
agencies, is not mandated. However, a PIA is highly recommended to fulfil obligations under the APP. The OAIC’s
guidance and recommendation is that a PIA should be used for any new, changed or altered process, method or
technology that processes any personal information.
While there is no standalone obligation to conduct a Data Protection Impact Assessment (DPIA) under the PDPA,
there are provisions in the PDPA that require organizations to conduct 'assessments' (which may be narrower in
scope than a full DPIA) under certain circumstances. In addition, the Data Protection Commissioner recommends
that a DPIA be undertaken as part of an organization’s Data Protection Management Program and its obligation
to develop and implement the policies and practices necessary for the organization to comply with the PDPA.[22]
India: Framework for the Adoption of Cloud Services by SEBI Regulated Entities
The Securities and Exchange Board of India (SEBI) introduced the Framework for the Adoption of Cloud Services
by SEBI Regulated Entities (REs)[23] on March 6, 2023. The Framework is a crucial addition to SEBI’s existing
guidelines on cloud computing, sets baseline standards for security and regulatory compliance, and is designed to
help REs implement secure and compliant cloud adoption practices.
The primary purpose of this Framework is to highlight the key risks and mandatory control measures
regulated entities need to implement before adopting cloud computing. The circular outlines nine principles
and requirements for REs to consider when adopting cloud computing, including GRC, how to select a cloud
service provider, data ownership and localization, selecting security controls, ensuring cyber resilience, and
accountability.
[21] https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act
[22] https://www.pdpc.gov.sg/Help-and-Resources/2021/09/Accountability
[23] https://www.sebi.gov.in/legal/circulars/mar-2023/framework-for-adoption-of-cloud-services-by-sebi-regulated-entities-res-_68740.html
• Prepare for risk management through essential activities critical to designing and implementing a
risk management program
• Assess implementation to determine if the controls are operating as intended and producing the
desired results to manage risk
• Authorize the system to operate by a senior-level official who understands the controls in place to
manage risk and residual risk
Since the standard does not suggest using a specific risk assessment methodology, it does not provide details
regarding assets and related taxonomies, threat and vulnerability catalogs, or risk calculation methods. However,
it references other NIST standards, including the NIST Cybersecurity Framework (CSF).
[24] https://csrc.nist.gov/projects/risk-management/about-rmf
Risk assessment and management are considered best practices for maintaining compliance with PCI DSS. The
standard asks organizations to “perform a risk assessment to determine the potential impact to PCI DSS scope.”
The risk assessment process must identify critical assets, threats and vulnerabilities and their effects on the
cardholder data environment and should result in a formal, documented analysis of risk. The PCI DSS risk
assessment offers organizations guidance to help identify, analyze, document and manage the information security
risks that may affect their cardholder data. It also provides organizations with remediation strategies to implement
risk management strategies that mitigate those vulnerabilities.
GDPR
The European Union GDPR is the cornerstone of privacy regulations, and its impact goes well beyond the borders
of the EU. Since its enforcement in May 2018, the Regulation has been the foundation for many national or state
privacy regulations and acts, such as the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção
de Dados (LGPD) and others. GDPR impacts all organizations established in the EU and any business that collects
and stores the private data of EU citizens, including APAC businesses.
Any organization within the scope of GDPR must conduct regular risk assessments to ensure all potential risks to
personal data are identified and that the selected defense measures are adequate. Risk assessments are a core
component of GDPR. Article 32 states that organizations must implement “technical and organizational measures
to ensure a level of security appropriate to the risk.”
ANSI/ISA-62443-3-2
The ANSI/ISA-62443-3-2-2020 standard, titled “Security for industrial automation and control systems, Part 3-2:
Security risk assessment for system design,”[26] dedicates an entire section to assessing security risk for system
design. The standard targets security professionals in industries mainly comprising critical infrastructure.
[25] https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf
[26] https://www.isa.org/products/ansi-isa-62443-3-2-2020-security-for-industrial-a
• Establish the target security level for each zone and conduit
The focus is on identifying and, where required, further compartmentalising risks during the design phase. The
controls for the specific design derive from security requirements. Risks are assessed at the system design level,
and definitions, such as likelihood, impact and analysis of process hazards, are included.
In the context of these guidelines, cyber risk management entails the process of identifying, analysing, assessing
and communicating a cyber risk and accepting, avoiding, transferring or mitigating it to an acceptable level,
considering the costs and benefits to stakeholders of the actions undertaken.
These guidelines present the functional components that support the effective management of cyber risk. They
follow the NIST Cybersecurity Framework; in practice they should run concurrently and continuously, and shipping
organizations should incorporate them appropriately in a maritime risk management framework.
[27] https://www.imo.org/en/OurWork/Security/Pages/Cyber-security.aspx
All of the risk management frameworks analyzed here are closely related to each other. Each framework references
and maps controls and procedures with the others. They are used to:
Understanding, selecting and applying the proper framework falls within the responsibilities of a Certified
in Governance, Risk and Compliance (CGRC) professional. The CGRC professional is an information security
practitioner who advocates for aligning security risk management processes with the organization’s governance
strategies to support its mission and operations under legal and regulatory requirements.