
Understanding Governance, Risk, and Compliance

Aug 6, 2024

Governance, Risk, and Compliance Framework Overview

Introduction to Governance, Risk, and Compliance (GRC)

  • Overview of how governance, risk, and compliance interact.
  • Discussion on ISO 27001 implementation as part of the GRC framework.

Drivers for ISO 27001 Implementation

  • Often driven by commercial requirements.
  • Importance of understanding the fit within GRC.

Key Components of GRC Framework

Senior Management Buy-In

  • Senior management sets organizational direction.
  • Critical for successful engagement and resource allocation.
  • Without sponsorship from senior levels, internal politics can complicate engagement across business areas.

Management Review Team (MRT)

  • Composition:
    • Representatives from all business areas (HR, IT, Ops, etc.).
  • Purpose:
    • Ensure policies and procedures are implemented.
    • Oversee and approve policies.
  • Responsibilities include:
    • Communication, continual improvement, and governance.

Policies vs. Procedures

  • Policy: Statement of what the organization does.
  • Procedure: Statement of how the organization does it.
  • Importance of separation for clarity and compliance.

Risk-Based Approach

  • Policies and procedures should be based on risk assessment.
  • Differentiation between risk-based and rule-based approaches:
    • ISO 27001 is risk-based: controls are selected according to the organization's risk assessment and risk appetite (and justified in the Statement of Applicability).
    • Rule-based standards (e.g., PCI DSS) prescribe a fixed set of controls and require strict compliance with them.
  • Internal audit effort (frequency and depth) should be prioritised by risk level.

Incident Management

  • Definition: A deviation from a policy or procedure.
  • Examples include:
    • Leaving laptops unattended, unauthorized access incidents.
  • Incidents lead to continual improvement and adjustments in controls.

Continual Improvement Process

  • Continuous cycle of:
    • Implementing policies.
    • Auditing procedures.
    • Addressing incidents.
    • Adjusting policies based on findings.
  • Management Review Team plays a crucial role in this process.

External Audits

  • Types of audits:
    • Certification audits (ISO 27001) and attestation reports (SOC 1 / SOC 2, which are reports rather than certificates).
    • Compliance audits (PCI DSS).
  • Importance of external validation for organizational controls.

ISO 27001 Framework

Implementation Steps

  1. Engage with accredited certification bodies.
  2. Obtain quotes and understand costs (UK vs. non-UK pricing).
  3. Understand the audit process:
    • Stage one: documentation review (readiness check of the ISMS documentation).
    • Stage two: on-site audit of whether the controls are implemented and operating effectively.
  4. Ongoing assessment: annual surveillance audits, with a full recertification audit at the end of the three-year certificate cycle.

Cost and Timeline Considerations

  • ISO 27001 certification can range from £4,000 to £12,000 based on organizational size.
  • SOC audits can be significantly more expensive (a figure of around $40,000 was cited for a SOC 2 Type 2 audit).
  • Importance of transparency in ongoing costs with certification bodies.

Concluding Points

  • The governance framework emphasizes the importance of management buy-in, structured teams, and risk-based policies.
  • Organizations should start with ISO 27001 as a foundation for other compliance requirements.
  • Future discussions to cover roles during audits and effective management strategies.