ROI in GRC

Return on Investment (ROI) discussions about GRC solution implementations are challenging for two reasons. First, GRC focuses on improving an organization’s risk and compliance status, strengthening security controls and finding the balance between accepting and rejecting risks. Second, implementing a GRC solution and maturing an organization’s risk and security posture occur over a course of years. Therefore, ROI calculations may not show immediate (within the first year) financial performance results. However,…

CURRENT STATE OF GRC: THE CHALLENGES

GRC professionals are accustomed to change driven by professional standards or by regulators. Until recently, the vast majority of GRC projects were driven by external regulations or compliance requirements that offered little choice about whether, when or how to implement. For example, the Sarbanes-Oxley Act and related PCAOB audit standards drove significant effort and influenced the methodology used to assess internal control over financial reporting. The business case for Sarbanes-Oxley…

ISO 27001 Control A.7

A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.
A.7.1.1 Inventory of assets
Control: All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.
A.7.1.2 Ownership of assets
Control: All information and assets associated with information processing facilities shall be ‘owned’ by a designated part of the organization.
A.7.1.3 Acceptable use of assets
Control: Rules for the acceptable…

ISO 27001 Control A.6

A.6 Organization of information security
A.6.1 Internal organization
Objective: To manage information security within the organization.
A.6.1.1 Management commitment to information security
Control: Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.
A.6.1.2 Information security coordination
Control: Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.
A.6.1.3…

A year into GDPR

In the run-up to its introduction on 25 May 2018, everyone was buried in the microscopic details of trying to become GDPR compliant. Much of the focus was on the fact that non-compliance could mean monetary penalties of up to €20m or 4% of total annual worldwide turnover in the preceding financial year, whichever was higher. As a result, little thought seemed to be given to how exactly the GDPR…