Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

You're reading from   ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide A primer on GRC and an exam guide for the most recent and rigorous IT risk certification

Arrow left icon
Product type Paperback
Published in Sep 2023
Publisher Packt
ISBN-13 9781803236902
Length 316 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Shobhit Mehta Shobhit Mehta
Author Profile Icon Shobhit Mehta
Shobhit Mehta
Arrow right icon
View More author details
Toc

Table of Contents (28) Chapters Close

Preface 1. Part 1: Governance, Risk, and Compliance and CRISC
2. Chapter 1: Governance, Risk, and Compliance FREE CHAPTER 3. Chapter 2: CRISC Practice Areas and the ISACA Mindset 4. Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management
5. Chapter 3: Organizational Governance, Policies, and Risk Management 6. Chapter 4: The Three Lines of Defense and Cybersecurity 7. Chapter 5: Legal Requirements and the Ethics of Risk Management 8. Part 3: IT Risk Assessment, Threat Management, and Risk Analysis
9. Chapter 6: Risk Management Life Cycle 10. Chapter 7: Threat, Vulnerability, and Risk 11. Chapter 8: Risk Assessment Concepts, Standards, and Frameworks 12. Chapter 9: Business Impact Analysis, and Inherent and Residual Risk 13. Part 4: Risk Response, Reporting, Monitoring, and Ownership
14. Chapter 10: Risk Response and Control Ownership 15. Chapter 11: Third-Party Risk Management 16. Chapter 12: Control Design and Implementation 17. Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting 18. Part 5: Information Technology, Security, and Privacy
19. Chapter 14: Enterprise Architecture and Information Technology 20. Chapter 15: Enterprise Resiliency and Data Life Cycle Management 21. Chapter 16: The System Development Life Cycle and Emerging Technologies 22. Chapter 17: Information Security and Privacy Principles 23. Part 6: Practice Quizzes
24. Chapter 18: Practice Quiz – Part 1
25. Chapter 19: Practice Quiz – Part 2
26. Index 27. Other Books You May Enjoy

Governance, risk, and compliance

In this section, we’ll look at the concepts of GRC, their interrelationships, and how to differentiate among them.

What is GRC?

GRC is an acronym that stands for governance, risk, and compliance. It can be defined as a common set of practices and processes, supported by a risk-aware culture and enabling technologies that improve decision-making and performance through an integrated view of how well an organization manages its unique set of risks.

A GRC program aims to provide organizations with an overarching framework that can be used to streamline different organizational functions, such as legal, IT, human resources, security, compliance, privacy, and more so that they can all collaborate under a common framework and set of principles instead of running individual functions and programs.

Governance is the organizational framework that helps the stakeholder set the tone for the stakeholders on the direction and alignment with business objectives. These are the rules that run the organization, including policies, standards, and procedures that set the direction and control of the organization’s activities. These stakeholders can be a board of directors in large companies or senior executives in small and medium enterprises.

Risk or risk management is the process of optimizing organizational risk to acceptable levels, identifying potential risk and its associated impacts, and prioritizing the mitigation based on the impact of risk on business objectives. The purpose of risk management is to analyze and control the risks that can deflect an organization from achieving its strategic objectives.

Qualitative risk is defined as likelihood * probability of impact, whereas the Factor Analysis of Information Risk (FAIR) methodology is widely used for quantitative risk assessment in matured organizations.

Compliance requirements for an organization ensure that all obligations including but not limited to regulatory factors, contractual requirements, federal and state laws, certification requirements such as ISO 27001 or SOC 2 audit, and more are adhered to and any gaps in compliance are logged, monitored, and corrected within a reasonable timeframe. The entire organization must follow a standard set of policies and standards to achieve these objectives.

An integrated approach to GRC that is communicated to the entire organization ensures that the main strategies, processes, and resources are aligned according to the organization’s risk appetite. A strong compliance program with the sponsorship of a senior leadership team is better suited to align its internal and external compliance requirements, leading to increased efficiency and effectiveness.

In the next section, we’ll learn about the relationship between these concepts.

Simplified relationship between GRC components

I would not blame you if you found the preceding concepts tedious and confusing. It took me a good 5 years to make sense of all the concepts. The following paragraph should serve as an adage for the preceding concepts:

Governance is guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not reduce) the risk and comply with external and internal compliance obligations.

The following figure shows a simplistic view of GRC. It should be noted that the activities included under each pillar are not holistic and an organization may have an overlap between these activities. You should also be mindful that these activities are not standalone programs but need inputs from other pillars to be implemented successfully:

Figure 1.1 – Relationship between the components of GRC

Figure 1.1 – Relationship between the components of GRC

Now that we know what GRC entails, we’ll learn about the importance of various factors for a successful GRC program in the next section.

Key ingredients of a successful GRC program

A successful GRC program requires collaboration across all layers of the organization. Three major components are a must-have for successful implementation:

  • Sponsorship: A successful GRC implementation should have the sponsorship of a senior leader such as a Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Chief Information Officer (CIO), Chief Financial Officer (CFO), Chief Executive Officer (CEO), or someone else. These sponsors have a wider overview of not only the organization’s risk but also the industry peers across multiple verticals. Sponsorship from leadership is also important to have a risk-focused culture.
  • Stewardship: The GRC program requires participation from all businesses and functions of an organization. Stewards play an important role in the GRC program and make information sharing across the organization easier for developing a common understanding across the organization and making relevant information available for everyone. These stewards, while translating the requirements from governance, are better able to target and address business risks. Stewards of the program are better suited to create business-oriented, process-based workflows to identify risks across functions, analyze for cascading risks, and treat them accordingly.
  • Monitoring and reporting: It is easy to roll out a GRC program across the organization, but over time, it becomes extremely difficult to keep pace with internal and external regulations without continuously monitoring risks and controls without efficient risk indicators. It is important to enable continuous monitoring of risks and controls by using automated risk indicators and keep the stakeholders abreast of risk in business terms through business-focused indicators and reports periodically circulated to the appropriate audience with actionable insights.

An important pillar of the monitoring function is to monitor the security controls of critical vendors and perform an ongoing assessment for each department and functional group across the enterprise to provide a holistic real-time view of risk.

In the next section, we’ll learn about how to differentiate between governance and management.

Governance is not management

Those new to the GRC domain often confuse governance with management and think both are the same; however, in the realm of GRC, governance and management serve very different functions.

Governance provides oversight and is highly focused on risk optimization for the stakeholders. Governance always focuses on the following aspects:

  • Is the organization doing the right things?
  • Are these things done in the right away?
  • Is the team getting things done on time and within budget?
  • Are we continuously optimizing the risk and getting benefits?

Once these questions have been answered, the management team focuses on planning, building, executing, and monitoring to ensure that that all projects, processes, and activities are aligned with the direction and business objectives set by governance. It is expected that as management progresses in achieving these goals, the results are shared with governance (board of directors) periodically and additional inputs are taken into consideration.

You have been reading a chapter from
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image