How to Build a GRC Program in a Year
Christian Hyatt
CEO & Co-Founder | risk3sixty | Harmonized security compliance programs across SOC 2, ISO 27001, PCI DSS, FedRAMP, AI, & Privacy
Hey, thanks for joining the journey!
Every week for 52 weeks I document things you should consider to build a great GRC program. This article is a quick reference to every post in the weekly series. Save this link and check back every week for the latest in the series.
52 Weeks to Build a GRC Program
Stage 1: Planning
First, Seek to Understand
It is important that you first understand your organization, the people, and its objectives. This knowledge will enable you to align the GRC program's objectives with the objectives of the organization and make a huge impact.
Implement a System to Organize and Run Your Team
Great GRC leaders must get their team rowing in the same direction as quickly as possible. This framework is a toolkit for leaders that want a high performing and happy team. If you implement this system - other departments will want to know how you do it!
This section is something I call the "Security Team Operating System". You can download the e-book and webinar materials to learn more.
Stage 2: Current State Assessment
Risk Management Program
Every organization needs a process to identify, assess, and take action to address risks. This stage outlines how to build a risk management program and earn a seat at the leadership table. Check out the Phalanx GRC risk register module to solve this problem.
Security Program Gap Assessment
The second half of this stage is about understanding the current state of your organization's security program. This will help you identify potential gaps and develop a game plan for maturity. Check out the Phalanx GRC self-assessments module to solve this problem.
Stage 3: Maturity Roadmap
Stage 3 is all about maturing your security program. It's not enough to understand your gaps. Now you have to do something about it. Check out the Phalanx GRC project management module to build a maturity roadmap.
Video: The video below covers how to drive progress on maturing your security program once you have completed a risk assessment or gap assessment.
Stage 4: Building Your Program
Stage 4 breaks down some of the most common workstreams in a GRC program, how to implement them, and tools for the journey.
Stage 5: Getting Certified Against ISO 27001, SOC 2, or Others
Stage 5 is your guide to achieving certification and building a great relationship with your auditor. We discuss the nuances of common frameworks like SOC 2 and ISO 27001.
Video: The video below is a four-part series on building a GRC program for multiple compliance frameworks.
Other Things GRC Leaders Should Consider
Tools GRC Leaders Must Have
Free Platform to Build and Manage Your Program
If you need a tool to help build and manage your SOC 2, ISO 27001, or larger GRC program, check out our FREE Platform Phalanx GRC.
Director Cyber Security and Resiliency | DSCI certified Strategist | Consultant | BISO | Mentor | Inventor | Speaker | Thought Leader | Cloud | AI/ML/Gen AI | Zero Trust | Audit
1 year ago: Thank you
IT Consultant, Trainer, Communication and Partner @ IT Security @ Governance - Risk - Compliance - Helping companies secure their information systems & Technologies
1 year ago: Thank you... very helpful
Security Savvy Speaker | vCISO | TRaViS ASM Founder | Cybersecurity Whisperer | CISSP | MBA Thoughts, opinions, rants, etc. are my own and are in no way affiliated with any employer/partner/contractor/babysitter/relative
1 year ago: Outstanding! And more to come! I'll be bookmarking this!
CEO & Founder @ AI DIONIC | Former CISO, PhD in AI (NLP) | Onboard Trustworthy and Robust AI Agents for Due Diligence and Continuous Risk Monitoring
2 years ago: This is such a great guide. I've always found your content insightful. Thank you Christian Hyatt!
Transforming Businesses Digitally, Securely, and Sustainably
2 years ago: Farida Baberin-Yor Beacher