Major components of IT GRC solutions

Governance, Risk and Compliance is sometimes a managerial step or a mandatory step to adhere with regulations & maintain compliant systems. It widely helps in Risk Management.

Some of the major components of IT GRC are:

  1. IT Policy Management
  2. IT Risk Management
  3. Compliance Management
  4. Threat & Vulnerability Management
  5. Vendor Risk Management
  6. Incident Management

1. IT Policy Management

An administrative method to simplify management by defining and enabling rules(policies) for various apprehensive situations. This is done keeping in mind the organization's goals & belief

  • Policy Life Cycle Management
  • Policy Creation
  • Establish Linkages
  • Alerts & Notification
  • Manage Exceptions
  • Metrics & Dashboard Reporting

2. IT Risk Management

This includes all risk associated with owning IT assets. In larger scales, for an organization, all the data stored is part of this.

  • Risk Identification
  • Risk Assessment Scheduling
  • Aggregate Data
  • Risk Assessment & Evaluation
  • Issue / Action Tracking
  • Metrics & Dashboard Reporting

( Read More: Checklist: Skillset required for an Incident Management Person )

3. IT Compliance Management

A proper framework in place can save money, time and energy. The framework should be set up once and your organization should be compliant while it should be able to notify on the new compliance requirements and licenses

  • Regulatory Alerts, Rule Mapping
  • Federation
  • Surveys, Assessment
  • Testing
  • Certification & Filing
  • Issue / Action Tracking
  • Metrics & Dashboard Reporting

4. Threat & Vulnerability Management

This is a continuous process to manage all the assets owned by the organization. Prioritization is key as it directly estimates loss.

  • Create Asset Repository
  • Prioritize Assets
  • Threat & Vulnerability Assessment
  • Analysis & Prioritization
  • Closed Loop Issue Management
  • Metrics & Dashboard Reporting

5. Vendor Risk Management

This refers to all third party vendor risk. Vendor selection should be preceded by checking their risk scenario.

  • Vendor Information Management
  • Vendor Risk Assessment
  • Vendor Compliance Management
  • Closed Loop Remediation
  • Metrics & Dashboard Reporting

6. Incident Management

This is constant monitoring, tracking analysis and reporting to make sure incidents are at bay. In case there is a breach, policies should be in place to tackle them.

  • Aggregate & Track Incidents
  • Incident & Issue Analysis
  • Integrate with 3rd Party Solutions
  • Resource Management & Collaboration
  • Closed Loop Monitoring
  • Metrics & Dashboard Reporting

( Read More: Critical Platform Capabilities For IT GRC Solution )


1.Extracts have been taken from IT GRC Workshop, Decision Summit, Delhi 2015 by Ravi Mishra



E-mail me when people leave their comments –

CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

RSAC Meetup Banner

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)