Governance, Risk and Compliance is sometimes a managerial step or a mandatory step to adhere with regulations & maintain compliant systems. It widely helps in Risk Management.

Some of the major components of IT GRC are:

  1. IT Policy Management
  2. IT Risk Management
  3. Compliance Management
  4. Threat & Vulnerability Management
  5. Vendor Risk Management
  6. Incident Management

1. IT Policy Management

An administrative method to simplify management by defining and enabling rules(policies) for various apprehensive situations. This is done keeping in mind the organization’s goals & belief

  • Policy Life Cycle Management
  • Policy Creation
  • Establish Linkages
  • Alerts & Notification
  • Manage Exceptions
  • Metrics & Dashboard Reporting


2. IT Risk Management

This includes all risk associated with owning IT assets. In larger scales, for an organization, all the data stored is part of this.

  • Risk Identification
  • Risk Assessment Scheduling
  • Aggregate Data
  • Risk Assessment & Evaluation
  • Issue / Action Tracking
  • Metrics & Dashboard Reporting

3. IT Compliance Management

A proper framework in place can save money, time and energy. The framework should be set up once and your organization should be compliant while it should be able to notify on the new compliance requirements and licenses

  • Regulatory Alerts, Rule Mapping
  • Federation
  • Surveys, Assessment
  • Testing
  • Certification & Filing
  • Issue / Action Tracking
  • Metrics & Dashboard Reporting

4. Threat & Vulnerability Management

This is a continuous process to manage all the assets owned by the organization. Prioritization is key as it directly estimates loss.

  • Create Asset Repository
  • Prioritize Assets
  • Threat & Vulnerability Assessment
  • Analysis & Prioritization
  • Closed Loop Issue Management
  • Metrics & Dashboard Reporting


5. Vendor Risk Management

This refers to all third party vendor risk. Vendor selection should be preceded by checking their risk scenario.

  • Vendor Information Management
  • Vendor Risk Assessment
  • Vendor Compliance Management
  • Closed Loop Remediation
  • Metrics & Dashboard Reporting

6. Incident Management

This is constant monitoring, tracking analysis and reporting to make sure incidents are at bay. In case there is a breach, policies should be in place to tackle them.

  • Aggregate & Track Incidents
  • Incident & Issue Analysis
  • Integrate with 3rd Party Solutions
  • Resource Management & Collaboration
  • Closed Loop Monitoring
  • Metrics & Dashboard Reporting
Previous articleBROAD UNDERSTANDING ABOUT PCI DSS
Next articleIT Audit Classroom Video 05-23-20
Sean Obi
“Sean has 9 years of experience in delivering diverse IT projects and managing IT audits as both auditee and auditor. Sean is Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), (CDPSE) Certified Data Protection Security Engineer, (PMP) Project Management Professional and has completed other related certified trainings. He has experience in implementing ISO27001 standards, executing ITGC's, PCI DSS and good knowledge of Information Systems inline with COSO & COBIT frameworks. He has managed several security tools, Access Management Review Cycle, Policies & Procedures, Audit & other integrated projects. Sean is a member of Information Systems Audit and Control Association and has completed his Bachelor’s in Management Sciences from Nigeria and currently embarking on his Master’s program at LSU. At work, his great passion is to drive process improvement, and off work he enjoys playing chess, comedy shows and spending quality time with family and friends .”

RELATED ARTICLESMORE FROM AUTHOR