
Governance, Risk and Compliance:
Your Guide for Selecting the Right Framework
Asia-Pacific Edition

Certified in Governance, Risk and Compliance (CGRC™)
CONTENTS

What is GRC?
    What is Governance?
    What is Risk Management?
    What is Compliance?
The importance of GRC
How can GRC protect organizations?
    Understanding and managing risk
    Protecting organizations through GRC
What is Risk Assessment?
What are essential GRC Frameworks?
    ISO/IEC 27005:2022
    Japan: Cybersecurity Management Guidelines v 2.0
    Australia: Information Security Manual
    Singapore: Guide to Conducting Cybersecurity Risk Assessment for Critical Information Infrastructure
Other cybersecurity and privacy frameworks in GRC
    NIST Cybersecurity Framework
    Japan: Act on the Protection of Personal Information (APPI)
    Australian Energy Sector Cyber Security Framework (AESCSF)
    Singapore: Technology Risk Management Guidelines
    India: Information Technology Act, 2000
    Australia: Privacy Act
    Singapore: Personal Data Protection Act (PDPA)
    India: Framework for the Adoption of Cloud Services by SEBI Regulated Entities
Notable International Frameworks in GRC
    NIST Risk Management Framework
    PCI DSS 4.0
    GDPR
    ANSI/ISA-62443-3-2
    IMO Guidelines on Maritime Cyber Risk Management
The role of a Certified GRC Professional
How CGRC certification helps
About (ISC)2



What is GRC?

GRC stands for Governance, Risk and Compliance. It refers to an organization’s strategy for handling the
interdependencies and alignment between three essential components of modern digital organizations:

• Corporate governance policies
• Enterprise risk management programmes
• Regulatory compliance

It includes tools and processes to unify an organization’s governance and risk management with technological
innovation and adoption. Companies use GRC to achieve organizational goals reliably, remove uncertainty and
meet compliance requirements.

Before GRC became common vernacular, most organizations were familiar with the elements but practiced each
of them separately. GRC emerged as a discipline when they recognized that coordinating the people, processes
and technologies they used to manage governance, risk and compliance could produce benefits. GRC combines
governance, risk management and compliance in a single coordinated model. This unified approach helps reduce
wastage, increase efficiency, reduce noncompliance risk and share information more effectively.

What is Governance?

Governance is an organization’s set of policies, rules or frameworks designed to achieve its goals. It defines the
responsibilities of key stakeholders, including the board of directors and senior management. Good governance
covers principles such as ethics, accountability, transparency, conflict resolution policies and resource
management.

What is Risk Management?

Organizations face different risks in finance, legal, strategy and security. Proper risk management helps them
identify the risks and find ways to remediate them. An enterprise risk management program is put in place to
predict potential problems and minimize losses.

What is Compliance?

Compliance is adhering to rules, laws and regulations. It applies to industrial bodies’ legal and regulatory
requirements and internal corporate policies. In GRC, compliance involves implementing procedures to ensure
activities comply with regulations. For example, telecommunication organizations must comply with laws like the
Telecommunications Business Act (TBA) to ensure the data transferred through telecom companies will remain
private.



The Importance of GRC

Organizations must identify and manage critical activities as they grow increasingly complex. They must also
be able to integrate traditional, distinct management activities into a cohesive discipline that increases the
effectiveness of people, business processes, technology, facilities and other essential business elements.

GRC achieves this by breaking down the traditional barriers between organizational units and requiring them to
collaborate to achieve strategic goals. By implementing GRC programs, organizations can make better decisions
in a risk-aware environment. An effective program helps key stakeholders set policies from a shared perspective
and comply with regulatory requirements. With GRC, the entire organization is united in its policies, decisions and
actions.

The following are additional benefits that come with a GRC strategy:

• Data-driven decision-making that monitors resources, sets up rules or frameworks and uses GRC software and tools

• Streamlined operations around a common culture that promotes ethical values and creates a healthy environment for growth

• Improved cybersecurity to protect customer data and personal information

Implementing a GRC strategy is essential in today’s environment of increasing cyber risk that threatens users’
data and privacy. It assists organizations in complying with data privacy regulations like the Act on the Protection
of Personal Information in Japan or the Personal Information Protection Law in China. It also helps build customer
trust and protects against penalties.

How can GRC protect organizations?

Understanding and managing risk


Risk exists wherever and whenever there’s an opportunity for compromise, threat or loss. ISO 31000 defines risk as
“the effect of uncertainty on objectives.” Risk affords opportunities for benefit (upside) or perils to success
(downside). Risk and opportunity go together. To provide value to stakeholders, enterprises must engage in activities
and initiatives (opportunities), all of which carry degrees of uncertainty and, therefore, risk. Managing risk and
opportunity is a critical strategic activity for enterprise success.[1]

Commonly referred to as exposure to threats, risk can be quantified by using the expression:

Risk = Probability x Severity

Probability is the likelihood of an event occurring, and severity is the extent and cost of the resulting loss.

[1] ISACA, Risk IT Framework, 2nd Edition, page 9, 27 July 2020

Risk management identifies, assesses and controls threats to an organization’s capital and earnings.[2] The source
of these risks is diverse and includes financial uncertainty, technological evolution, legal liabilities, strategic
management errors, accidents and natural disasters.

Risk management creates outcomes that inform decisions for addressing risks and minimizing the adverse effects
of risk on an organization. The consequences of threats can be either objective or quantifiable, like lost revenue
and data theft, or subjective and difficult to quantify, such as damage to reputation and lost customer trust. By
considering risk in the decision-making process and committing the required resources to control and mitigate
the identified risk, organizations can protect themselves from uncertainty, prioritize investments, reduce costs
and increase business continuity and resilience.

Following the identification of risks, strategies to manage them include:

• Avoiding the threat

• Reducing the negative effect or probability of the threat

• Transferring or sharing all or part of the threat with another party

• Retaining some or all of the potential or actual consequences of a particular risk if the
anticipated gain is greater than the cost

Protecting organizations through GRC


As organizations become increasingly digitised and dependent on cyber-enabled technologies, cyber threats and
data-related risks — and the risk management strategies to alleviate them — have become a top priority.

The World Economic Forum 2023 Global Risk Report[3] highlights the following regarding the cyber risk
environment in which organizations operate today:

“The rapid development and deployment of new technologies, which often comes with limited protocols governing
their use, poses its own set of risks. The ever-increasing intertwining of technologies with the critical functioning
of societies is exposing populations to direct domestic threats, including those that seek to shatter societal
functioning. Alongside a rise in cybercrime, attempts to disrupt critical technology-enabled resources and services
will become more common, with attacks anticipated against agriculture and water, financial systems, public security,
transport, energy, and domestic, space-based and undersea communication infrastructure.”

[2] https://searchcompliance.techtarget.com/definition/risk-management
[3] https://www.weforum.org/reports/global-risks-report-2023



With cyber risks threatening both productivity and continuity, more corporate risk management plans are
including processes for identifying and controlling threats to digital assets, including proprietary corporate data,
personally identifiable information and intellectual property.

A report by the Organization for Economic Cooperation and Development (OECD)[4] highlights that cybersecurity
incidents “undermine innovation, create privacy risk and erode trust.” The same report elaborates, “Risk
Management can help ensure digital security measures protect and support economic and social activities.”

Robust risk management strategies enable organizations to:

• Consider potential risks or events before they occur

• Establish procedures to avoid threats, minimise their impact and cope with the results

• Understand and control risk so leadership is more confident in their decision-making process

• Create a safe and secure environment for employees and customers

• Increase the stability and resilience of operations while decreasing legal liability

• Protect from events that are detrimental to the organization and the environment

• Establish insurance needs to save on unnecessary premiums

What is Risk Assessment?

Risk assessment is the process of identifying, analysing and evaluating threats and vulnerabilities.[5]
In cybersecurity, risk assessments are essential for identifying how external threat actors or insiders, either
negligent or malevolent, could compromise sensitive information.

The results guide the actions that should be taken to build defensive measures. For example, threats with the highest
score that target critical systems and data should become organizational priorities and be addressed urgently,
whereas businesses can generally tolerate those with lower scores.
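
The scoring and prioritisation described above, as an added worked example (not code from the guide): it applies the Risk = Probability x Severity expression from the earlier section on a constructed 1 to 5 ordinal scale, ranks a constructed risk register so that high-scoring threats against critical assets come first, and maps each result to one of the four treatment strategies the guide lists (avoid, reduce, transfer, retain). The scales, register entries, tolerance value and treatment rules are assumptions for illustration, not part of any framework.

```python
"""Minimal risk register scoring: Risk = Probability x Severity, ranking and
treatment selection. Added example; scales, entries and rules are constructed."""
from dataclasses import dataclass

# Constructed 1-5 ordinal scales (assumption, not taken from the guide).
PROBABILITY_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = {"avoid", "reduce", "transfer", "retain"}   # the four strategies the guide lists


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    asset: str
    critical_asset: bool   # the guide prioritises threats that target critical systems and data
    probability: str       # key of PROBABILITY_SCALE
    severity: str          # key of SEVERITY_SCALE


def risk_score(entry: RiskEntry) -> int:
    """Risk = Probability x Severity on the ordinal scales above (range 1..25)."""
    return PROBABILITY_SCALE[entry.probability] * SEVERITY_SCALE[entry.severity]


def rank_register(register, tolerance: int):
    """Return (entry, score, within_tolerance) triples, highest risk first.

    Ties are broken in favour of critical assets, then by threat name, matching the
    guide's point that high-scoring threats against critical systems come first.
    """
    scored = [(e, risk_score(e), risk_score(e) <= tolerance) for e in register]
    return sorted(scored, key=lambda t: (-t[1], not t[0].critical_asset, t[0].threat))


def suggest_treatment(entry: RiskEntry, score: int, tolerance: int) -> str:
    """Map a scored risk to one of the four response strategies (constructed rule set)."""
    if score <= tolerance:
        return "retain"        # within tolerance: accept the consequences
    if SEVERITY_SCALE[entry.severity] == 5 and PROBABILITY_SCALE[entry.probability] == 5:
        return "avoid"         # too severe and too likely: stop the activity that creates it
    if not entry.critical_asset and SEVERITY_SCALE[entry.severity] >= 4:
        return "transfer"      # share the loss, e.g. via insurance or outsourcing
    return "reduce"            # apply controls to lower probability or severity


def residual_risk(entry: RiskEntry, probability_after: str, severity_after: str) -> int:
    """Re-score a risk after a 'reduce' treatment so it can be re-checked against tolerance."""
    treated = RiskEntry(entry.threat, entry.asset, entry.critical_asset,
                        probability_after, severity_after)
    return risk_score(treated)


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    RiskEntry("ransomware on file servers", "customer records", True, "likely", "severe"),
    RiskEntry("phishing of finance staff", "payment system", True, "almost certain", "major"),
    RiskEntry("card numbers stored in plain text", "cardholder data", True, "almost certain", "severe"),
    RiskEntry("lost unencrypted laptop", "sales notes", False, "possible", "major"),
    RiskEntry("website defacement", "marketing site", False, "possible", "minor"),
    RiskEntry("printer firmware flaw", "office printer", False, "unlikely", "negligible"),
]


def assess(register=SAMPLE_REGISTER, tolerance: int = 6):
    """Produce the prioritised treatment plan the guide describes, as a list of dicts."""
    plan = []
    for entry, score, within in rank_register(register, tolerance):
        plan.append({"threat": entry.threat, "score": score, "within_tolerance": within,
                     "treatment": suggest_treatment(entry, score, tolerance)})
    return plan


if __name__ == "__main__":
    for row in assess():
        print(f"{row['score']:>2}  {row['treatment']:<8} {row['threat']}")
```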

[4] OECD (2016), “Managing Digital Security and Privacy Risk”, OECD Digital Economy Papers, No. 254, OECD Publishing, Paris
[5] Nicholas King, Risk Assessments are Essential for GDPR Compliance, July 16, 2019



What are the essential GRC Frameworks?

Risk management is an essential function for many countries in the region, including Australia, Japan, Singapore
and India.[6] This section describes the most prominent GRC frameworks and methodologies in the APAC region.
Please note that separate papers discuss the methodologies applicable to North America, the European Union and
the United Kingdom.

ISO/IEC 27005:2022
ISO/IEC 27005:2022[7] “Information security, cybersecurity and privacy protection — Guidance on managing
information security risks” is a risk management framework applicable to all types of organizations intending to
manage risks that could compromise their information security. It supports the general concepts specified in
ISO/IEC 27001:2022 and is designed to assist in implementing information security based on a risk management
approach.

ISO 27005:2022 describes a cybersecurity risk management framework comprising the following processes:[8]

• Information security risk management: This covers the iterative process of identifying, assessing
and treating information security risks, comprising strategic (long-term) and operational
(medium- to short-term) cycles. It is important to note that risk identification can be either
event- or asset-based.

• Context establishment: This process concerns methods for determining risk evaluation and
acceptance criteria. The organization’s business context for information risk and security
management is also factored in.

• Information security risk assessment: This clause lays out the process of systematically identifying,
analysing, evaluating and prioritising information security risks. During the assessment, the risk is
estimated as a combination of the likelihood of an incident and its consequences.

• Information security risk treatment: This clause describes how to use information security controls
to modify (mitigate or maintain) information security risks. Should the residual risk be deemed
unacceptable, the clause requires further treatment, which implies that a reassessment is included.

• Operation: This clause mentions that organizations should review information security risks and
treatments regularly or when changes occur.

[6] In India, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules are applicable. For more information
[7] https://www.iso.org/standard/80585.html
[8] https://www.linkedin.com/pulse/isoiec-270052022-what-new-paul-varela?trk=pulse-article



Japan: Cybersecurity Management Guidelines v 2.0
The overarching cybersecurity document in Japan is the Cybersecurity Strategy 2021[9], which “intends to
tackle the uncertainty in cyberspace and control this uncertainty as much as possible by developing an accurate
understanding of both the benefits provided by cyberspace, but also the changes and risks surrounding it.” The
Cybersecurity Strategy follows a risk-based approach since the goal is to identify “the risk factors to be considered
based on the changes in the environment surrounding the economy, society and developments in international
affairs.”

In support of the Cybersecurity Strategy, the Ministry of Economy, Trade and Industry (METI) and the independent
Information-Technology Promotion Agency (IPA) jointly issued the Cybersecurity Management Guidelines.[10] They
encourage businesses and organizations to follow a GRC approach underpinned by three principles:

• Corporate executives need to recognize cybersecurity risks and take leadership in driving
cybersecurity measures

• Security measures need to be taken not only for the company itself but also for the supply chain,
including business partners and outsourcing companies

• Companies need to communicate appropriately with relevant stakeholders by, for example,
disclosing information on cybersecurity risks and measures in normal times as well as in times of
emergency

These principles drive the 10 essential directions of cybersecurity management, which include:

• Recognizing cybersecurity risk and developing a companywide policy

• Building a management system for cybersecurity risk

• Securing resources to implement measures that address cybersecurity risk

• Identifying risks to corporate information, classifying their impact and developing a plan to
mitigate them that includes measures for risk transfer (i.e., cyber insurance or outsourcing) and
identification of residual risk

• Establishing a system to implement protection measures to address cybersecurity risk

It is important to note that the main reference for the Cybersecurity Management Guidelines is the NIST
Cybersecurity Framework (see the respective section).

[9] https://www.dataguidance.com/opinion/japan-nisc-cybersecurity-strategy
[10] https://www.meti.go.jp/policy/netsecurity/downloadfiles/CSM_Guideline_v2.0_en.pdf



Australia: Information Security Manual
In an effort to increase the cyber resilience of Australian businesses, the Australian Cyber Security Centre
(ACSC) publishes the Information Security Manual (ISM).[11] The purpose of the ISM is to outline a cyber security
framework that an organization can apply, using its own risk management framework, to protect its systems and
data from cyber threats.

The manual follows a risk-based approach and is governed by four principles:

• Govern: Identifying and managing security risks

• Protect: Implementing controls to reduce security risks

• Detect: Detecting and understanding cyber security events to identify cyber security incidents

• Respond: Responding to and recovering from cyber security incidents

The ISM asks organizations to embed cybersecurity risk management processes into organizational risk management
frameworks so that security risks are identified, documented and managed accordingly. In addition, residual risk
must be accepted before systems and applications are authorized for use. The manual also introduces the concept
of continuous risk assessment and management throughout the operational life of systems and applications.

Singapore: Guide to Conducting Cybersecurity Risk Assessment for Critical Information Infrastructure
The Cyber Security Agency of Singapore has published the Guide to provide guidance to Critical Information
Infrastructure (CII) Owners on how to perform a proper cybersecurity risk assessment.[12] The Guide is published as
a supplementary reference to the country’s Cybersecurity Act.

The scope of the guidance focuses only on three areas:

• Establishing risk context, which is an important prerequisite for conducting a risk assessment.
This step ensures that all stakeholders involved in the risk assessment exercise have a common
understanding of how the risk is framed, the risk tolerance to consider, and the responsibilities of
the risk owner.

• Risk assessment is about identifying risks specific to the environment and determining the
level of identified risks. According to the guidance, the main steps in a risk assessment are risk
identification, analysis, and evaluation.

• Risk mitigation. Having evaluated the identified risks, the next step is to identify and determine
the next course of action to keep the risks within the organization’s risk tolerance level. Four risk
response options exist: accept, avoid, transfer, and mitigate.

Other areas, such as risk monitoring and reporting, are beyond the scope of the guidance.

[11] https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism
[12] https://www.csa.gov.sg/docs/default-source/csa/documents/legislation_supplementary_references/guide-to-conducting-cybersecurity-risk-assessment-for-cii.pdf?sfvrsn=a63bf6d8_0. For frequently asked questions, please visit https://www.csa.gov.sg/faq/cybersecurity-risk-assessment-for-cii



Other Cybersecurity and Privacy Frameworks in GRC

NIST Cybersecurity Framework


Although the NIST Cybersecurity Framework was developed to help US-based companies and organizations mitigate
cyber risks, the Framework is fully adopted by all Japanese businesses. An important factor that enabled Japan's
smooth and successful adoption of NIST CSF is the mapping between the Framework and ISO/IEC 27001, which
Japanese companies were familiar with.[13]

The NIST Cybersecurity Framework[14] emphasizes the importance of addressing cybersecurity risks in the
organization’s risk management procedures and leveraging business drivers to direct cybersecurity operations.
While this document was created to better understand cybersecurity risk management in critical infrastructure,
organizations can use the framework in any field. Organizations of any size and level of cybersecurity risk or skill
can use the framework to improve their security and resilience by applying the concepts and best practices.

The framework follows a risk-based approach to managing cybersecurity risk and includes three parts, each of
which reinforces the connection between business drivers and cybersecurity activities:

The Framework Core is a collection of industry-neutral cybersecurity practices, goals and principles. The five core
functions of the framework — identify, protect, detect, respond and recover — offer a strategic overview of the full
spectrum of cybersecurity risk management inside an organization.

The Framework Implementation Tiers characterise the extent to which an organization’s cybersecurity risk
management processes reflect the criteria established by the framework.

The Framework Profile is an implementation-specific set of rules, principles and practices that sync with the
Framework Core. By contrasting a “Current” (or “as is”) Profile with a “Target” (or “to be”) Profile, organizations
can spot areas in their cybersecurity operations that should be improved.

(Figure: the NIST Cybersecurity Framework wheel showing the five core functions Identify, Protect, Detect, Respond and Recover.)

The Framework is currently under revision and version 2.0 is expected by the end of 2023.

[13] https://www.nist.gov/document/japan-cross-sector-forum-success-story-062920-508pdf
[14] https://www.nist.gov/cyberframework



Japan: Act on the Protection of Personal Information (APPI)
Japan’s data protection laws were substantially revised in 2015, with further revisions that came into effect in
2022.[15] Data protection is probably the most active area of law and is constantly evolving as the scope of personal
information disclosed by individuals in day-to-day transactions expands and use by organizations becomes more
widespread. The revised laws impose wider obligations on data transfers, particularly to offshore entities, and on
the handling of data breaches.

APPI is based on the eight basic privacy protection principles defined by OECD. The fundamental principle of
Japan’s data protection laws is protecting the right to privacy but also recognizing the increased scope, nature and
volume of personal data and the ever-expanding use of personal information in various forms by organizations. Key
elements of the legislation are to restrict the use of personal information for the purposes it was obtained for, to
protect sensitive information from online risks and to limit the dissemination of personal information without the
data subject’s consent.

Australian Energy Sector Cyber Security Framework (AESCSF)


The Australian Energy Sector Cyber Security Framework (AESCSF)[16] has been developed through collaboration
with industry and government stakeholders, including the Australian Energy Market Operator (AEMO), Australian
Cyber Security Centre (ACSC), Cyber and Infrastructure Security Centre (CISC), and representatives from
Australian energy organizations.

AESCSF is a cyber security framework developed and tailored to the Australian energy sector. The framework
enables participants to assess, evaluate, prioritize, and improve their cyber security capability and maturity. The
Framework has been established to address increasing cyber security risks the Australian energy sector faces.

To apply the highest level of cyber threat protection to Australian energy infrastructures, the AESCSF combines
aspects of recognized security frameworks such as NIST Cybersecurity Framework, NIST SP 800-53, the
Cybersecurity Capability Maturity Model (C2M2), and others.

[15] https://www.dataguidance.com/notes/japan-data-protection-overview
[16] https://aemo.com.au/en/initiatives/major-programs/cyber-security/aescsf-framework-and-resources



Singapore: Technology Risk Management Guidelines
The Monetary Authority of Singapore (MAS) has published guidelines[17] on risk management practices. The
guidelines set out technology risk management principles and best practices for the financial sector, to guide
financial institutions (FI) in:

• Establishing robust technology risk governance and oversight. The board of directors and senior
management at an FI play an integral part in the oversight and management of technology risk.
Financial institution executives should cultivate a strong risk culture and ensure the establishment
of a sound and robust technology risk management framework.

• Maintaining cyber resilience. Strong cyber resilience is critical for sustaining trust and confidence
in financial services. FIs should adopt a defense-in-depth approach to strengthening cyber
resilience. It is also important that FIs establish and continuously improve their IT processes and
controls to preserve confidentiality, integrity and availability of data and IT systems.

Financial institutions should establish effective risk management practices and internal controls to achieve data
confidentiality and integrity, system security and reliability, as well as stability and resilience in their IT
operating environment. The risk management framework should encompass the elements of risk identification,
assessment, treatment and monitoring.

India: Information Technology Act, 2000


The Information Technology Act, 2000[18], is the primary law in India dealing with cybercrime and electronic
commerce. The law applies to the whole of India. This modern legislation makes acts such as hacking, data
theft, spreading viruses, identity theft, defamation (sending offensive messages), pornography, child pornography
and cyber terrorism criminal offences.

The Act applies to all of India, and its provisions also apply to any offence or violation committed even outside
the territorial jurisdiction of the Republic of India, by any person irrespective of nationality. For the provisions
of this Act to apply, such an offence or infringement must involve a computer, computer system or computer
network located in India.

Australia: Privacy Act


Australia regulates data privacy and protection through a mix of federal, state and territory laws. The federal
Privacy Act 1988[19] and the Australian Privacy Principles[20] ("APPs") contained in the Privacy Act apply to private
sector entities with an annual turnover of at least AU$3 million, and all Commonwealth Government and Australian
Capital Territory Government agencies.

[17] https://www.mas.gov.sg/regulation/guidelines/technology-risk-management-guidelines
[18] https://www.meity.gov.in/content/information-technology-act-2000-0
[19] https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act
[20] https://www.oaic.gov.au/privacy/australian-privacy-principles



The Privacy Act regulates the handling of personal information by relevant entities, and under the Privacy Act,
the Privacy Commissioner (OAIC) has the authority to conduct investigations to enforce the Act and seek civil
penalties for serious and egregious breaches or for repeated breaches of the APPs where an entity has failed to
implement remedial efforts.

A Privacy Impact Assessment ('PIA') is contemplated by Australian privacy law but, apart from government
agencies, is not mandated. However, a PIA is highly recommended to fulfil obligations under APP. The guidance
and recommendations of the OAIC are that a PIA should be used for any new, changed/varied or altered process,
method, or technology used that processes any personal information.

Singapore: Personal Data Protection Act (PDPA)


The Personal Data Protection Act[21] (PDPA) provides a baseline standard of protection for personal data in
Singapore. It comprises various requirements governing the collection, use, disclosure and care of personal data in
Singapore. The PDPA recognizes both the need to protect individuals’ personal data and the need of organizations
to collect, use or disclose personal data for legitimate and reasonable purposes.

While there is no standalone obligation to conduct a Data Protection Impact Assessment (DPIA) under the PDPA,
there are provisions in the PDPA which require organizations to conduct 'assessments' (which may be narrower in
scope than a full DPIA) under certain circumstances. In addition, the Data Protection Commissioner recommends
that a DPIA is undertaken as part of an organization’s Data Protection Management Program and its obligation
to develop and implement the policies and practices necessary for the organization to comply with the PDPA.[22]

India: Framework for the Adoption of Cloud Services by SEBI Regulated Entities
The Securities and Exchange Board of India (SEBI) introduced the Framework for the Adoption of Cloud Services
by SEBI Regulated Entities (REs)[23] on March 6, 2023. The Framework is a crucial addition to SEBI’s existing
guidelines on cloud computing, sets baseline standards for security and regulatory compliance, and is designed to
help REs implement secure and compliant cloud adoption practices.

The primary purpose of this Framework is to highlight the key risks and mandatory control measures
regulated entities need to implement before adopting cloud computing. The circular outlines nine principles
and requirements for REs to consider when adopting cloud computing, including GRC, how to select a cloud
service provider, data ownership and localization, selecting security controls, ensuring cyber resilience, and
accountability.

[21] https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act
[22] https://www.pdpc.gov.sg/Help-and-Resources/2021/09/Accountability
[23] https://www.sebi.gov.in/legal/circulars/mar-2023/framework-for-adoption-of-cloud-services-by-sebi-regulated-entities-res-_68740.html



Notable International Frameworks with a Risk-based Approach

NIST Risk Management Framework

The NIST Risk Management Framework (RMF) [24] provides a flexible, holistic and repeatable seven-step process
to manage security and privacy risk. It links to a suite of NIST standards and guidelines to support the
implementation of risk management programs to meet the requirements of the Federal Information Security
Modernization Act (FISMA).

The NIST RMF risk-based approach helps organizations:

• Prepare for risk management through essential activities critical to designing and implementing a
risk management program

• Categorize systems and information based on impact analysis

• Select a set of controls to protect the system based on risk assessments

• Implement the controls and document how they are deployed

• Assess implementation to determine if the controls are operating as intended and producing the
desired results to manage risk

• Authorize the system to operate by a senior-level official who understands the controls in place to
manage risk and residual risk

• Monitor control implementation and changes to the risks

Since the standard does not suggest using a specific risk assessment methodology, it does not provide details
regarding assets and related taxonomies, threat and vulnerability catalogs, or risk calculation methods. However,
it references other NIST standards, including the NIST Cyber Security Framework (CSF).

[24] https://csrc.nist.gov/projects/risk-management/about-rmf



PCI DSS 4.0

The Payment Card Industry Data Security Standard (PCI DSS) was developed to reinforce the security of credit
card transactions and facilitate the broad adoption of consistent data security measures. It provides a baseline
of technical and operational requirements to protect financial data. The goal of the PCI DSS, amended to version
4.0 [25], is to protect cardholders and sensitive authentication data wherever it is processed, stored or transmitted.

Risk assessment and management are considered best practices for maintaining compliance with PCI DSS. The
standard asks organizations to “perform a risk assessment to determine the potential impact to PCI DSS scope.”

The risk assessment process must identify critical assets, threats and vulnerabilities and their effects on the
cardholder data environment, and should result in a formal, documented analysis of risk. The PCI DSS risk
assessment offers organizations guidance to help identify, analyze, document and manage the information security
risks that may affect their cardholder data. It also provides organizations with remediation strategies to mitigate
those vulnerabilities.

GDPR

The European Union GDPR is the cornerstone of privacy regulations, and its impact goes well beyond the borders
of the EU. Since its enforcement in May 2018, the Regulation has been the foundation for many national or state
privacy regulations and acts, such as the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção
de Dados (or LGPD) and others. GDPR impacts all organizations established in the EU or any business that collects
and stores the private data of EU citizens, including APAC businesses.

Any organization within the scope of GDPR must conduct regular risk assessments to ensure all potential risks to
personal data are identified and that the selected defense measures are adequate. Risk assessments are a core
component of GDPR. Article 32 states that organizations must implement “technical and organizational measures
to ensure a level of security appropriate to the risk.”

ANSI/ISA-62443-3-2

The ANSI/ISA-62443-3-2-2020 standard, titled “Security for industrial automation and control systems, Part 3-2:
Security risk assessment for system design,” [26] dedicates an entire section to assessing security risk for system
design. The standard targets security professionals in industries mainly comprising critical infrastructure.

[25] https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf
[26] https://www.isa.org/products/ansi-isa-62443-3-2-2020-security-for-industrial-a



Part 3-2 of the document details the requirements for practical risk assessment at the design stage, even though
the risk has yet to materialize. A vital feature of this publication is assessing risk for zones individually. Risk
assessments include the following actions:

• Define a system for an industrial automation and control system (IACS)

• Segment the system into zones and conduits

• Assess risk for each defined zone and conduit

• Establish the target security level for each zone and conduit

• Document the security requirements

The focus is on identifying and, where required, further compartmentalising risks during the design phase. The
controls for the specific design derive from security requirements. Risks are assessed at the system design level,
and definitions, such as likelihood, impact and analysis of process hazards, are included.

IMO guidelines on Maritime Cyber Risk Management

Official International Maritime Organization (IMO) guidelines [27] provide a high-level approach to managing
maritime cyber risk. In this case, risk refers to the extent to which a technology asset is exposed to threats during
a cyber incident that could result in shipping operational failure.

In the context of these guidelines, cyber risk management entails the process of identifying, analysing, assessing
and communicating a cyber risk and accepting, avoiding, transferring or mitigating it to an acceptable level,
considering the costs and benefits to stakeholders of the actions undertaken.

These guidelines present the functional components that support the effective management of cyber risk. They
follow the NIST Cybersecurity Framework; in practice they should be concurrent and continuous, and shipping
organizations should incorporate them appropriately into a maritime risk management framework.

[27] https://www.imo.org/en/OurWork/Security/Pages/Cyber-security.aspx



The role of a Certified GRC Professional

All of the risk management frameworks analyzed here are closely related to each other. Each framework references
and maps controls and procedures with the others. They are used to:

• Assess the state of the overall security program

• Build a comprehensive security program

• Measure maturity and conduct industry comparisons

• Simplify communications with business leaders

Understanding, selecting and applying the proper framework falls within the responsibilities of a Certified
in Governance, Risk and Compliance (CGRC) professional. The CGRC professional is an information security
practitioner who advocates for aligning security risk management processes with the organization’s governance
strategies to support its mission and operations under legal and regulatory requirements.


CGRC professionals have the knowledge and skills to:

• Understand the foundations of an Information Security Risk Management Program

• Define the scope of the Information System

• Select and approve security and privacy controls to meet the objectives of the risk management programme

• Implement the selected security and privacy controls

• Assess the applicability and effectiveness of established security and privacy controls

• Authorize an Information System

• Establish continuous monitoring to adapt the risk management programme to the changing risk environment
