Could you please suggest a few IT GRC tools.

Top 3 products along with comparison and pricing would be helpful. (question posted on behalf of a CISO member)


Replies to This Discussion

My company uses the StandardFusion GRC tool as a “single source of truth” for managing all aspects of an organization’s security program. We configured the GRC tool by mapping controls back to security policies and standards so that it is clear how an organization complies with whatever standard (HIPAA, GDPR, ISO2700x, …) they are measuring against. It's easy to use and produces great reports. Happy to provide more details if you like.

In my personal opinion, there's nothing called "the best" GRC solution. With that said, there do exist established players like Metric Stream, RSAM, Archer, etc. Some of these better-known names are also associated with their respective USP in terms of what they do best (e.g. Process Unity is better known for TPRM). At the end of the day, how any of these tools are implemented, with integrations tailored to fit the requirement and environment, is where the meat is. And the required element of rigor in managing the show post-onboarding of any of the GRC solutions will define its success going forward.
You might want to check out the tools / services below:
1. LockPath
2. RiskSense
3. ServiceNow

There are so many different GRC software solutions available, so choosing the right one can be really difficult. Do you really know what you want to achieve with this solution? Do you really know which projects, workflows, and processes are in scope before starting a tool acquisition process? Because GRC tools are good for automating the existing working processes. And if you don’t have a risk assessment, for example, buying a GRC tool is not going to give it to you.

There have been suggestions about products that fulfill only part of your requirements. The notion seems to be that a GRC tool is only about managing compliance workflow, forgetting about things like risk assessment. It's true, the suggested solutions are limited and do not fully address the entire life-cycle of your GRC program. I'm here to tell you that there is a solution actually doing it.

We use Continuum GRC for our compliance and audits, risk assessments and management, policy and governance development and management. For example, we use Continuum GRC to create our FedRAMP SSP and all the security documentation for our certification. The auditors then use what we have in this SaaS solution, attaching evidence in the system's blockchain for chain-of-custody evidence management. We schedule input from people, generate documentation and reports and everything needed to support our whole mission, not just a part of the mission. Even better is that Continuum GRC automaps to every other framework and easily does so for emerging standards.

The Continuum GRC solution was fully deployed in 24 hours. They are currently going through a FedRAMP High certification and already have HIPAA, PCI, SOC 2, GDPR and CCPA accreditations on the solution. No other solution out there can say that.

For what it is worth...

There are many IT GRC tools and you could compare them and see what best suits your requirement.

You can compare them based on capabilities for:

  • Policy Management
  • Risk management
  • Compliance Management
  • Audit Management
  • Vendor Risk Management
  • Threat & Vulnerability Management
  • Incident Management
  • Platform Capabilities

Here is a quick comparison between RSA Archer, Metric Stream GRC & Lockpath [link].

There is no best platform; each of them has its strengths and weaknesses. SAI is good, as are many others; ServiceNow is also there, and there are many others.

What you want to do is make sure your implementation is simple in nature, if you want people participating in risk management as such. And make it easy and intuitive if you want to be able to manage things in the future.

Whatever platform you choose, I would advise having a resource on board. If this is a new initiative, it will be a long journey, with many iterations over the next two years.

There are good GRC tools available in the industry today, such as Archer & Metric Stream, and all of them are almost equal in terms of functionality. In order to decide which one to choose, it is important to understand the requirement and identify which workflows and processes are to be automated. To achieve value out of a GRC tool, the implementation needs to be customized as per the requirement, and continuous maintenance will determine the result.


© 2020 Created by CISO Platform.
