Governance, Risk and Compliance

Governance, Risk and Compliance (GRC) is the framework that aligns cybersecurity with business objectives, regulatory requirements, and risk tolerance. Without GRC, security efforts lack direction and accountability.

Information Security Governance

Governance establishes the policies, structure, and accountability for cybersecurity:

Key Components

Component	Description
Security policies	High-level statements of intent and direction
Standards	Mandatory requirements for implementing policies
Procedures	Step-by-step instructions for carrying out standards
Guidelines	Recommended practices (not mandatory)
Baselines	Minimum security configurations for systems

Policy Hierarchy

┌─────────────────────────┐
│    Security Policy       │  ← "What" (high-level intent)
├─────────────────────────┤
│    Standards             │  ← "What specifically" (mandatory requirements)
├─────────────────────────┤
│    Procedures            │  ← "How" (step-by-step instructions)
├─────────────────────────┤
│    Guidelines            │  ← "Recommendations" (best practices)
└─────────────────────────┘

Governance, Risk and Compliance

Governance, Risk and Compliance

Information Security Governance

Key Components

Policy Hierarchy

Example Policies

More in Cybersecurity