How to Build a GRC Program in a Year

Hey, thanks for joining the journey!

Every week for 52 weeks I document things you should consider to build a great GRC program. This article is a quick reference to every post in the weekly series. Save this link and check back every week for the latest in the series.

52 Weeks to Build a GRC Program

Stage 1: Planning

First, Seek to Understand

It is important that you first understand your organization, the people, and its objectives. This knowledge will enable you to align the GRC program's objectives with the objectives of the organization and make a huge impact.

Implement a System to Organize and Run Your Team

Great GRC leaders must get their team rowing in the same direction as quickly as possible. This framework is a toolkit for leaders who want a high-performing and happy team. If you implement this system, other departments will want to know how you do it!

This section is something I call the "Security Team Operating System". You can download the e-book and webinar materials to learn more.

Stage 2: Current State Assessment

Risk Management Program

Every organization needs a process to identify, assess, and take actions to address risks. Stage 3 outlines how to build a risk management program and get a seat with leadership at the table. Check out the Phalanx GRC risk register module to solve this problem.

Security Program Gap Assessment

Stage 3b is all about understanding the current state of your organization's security program. This will help you identify potential gaps and develop a game plan for maturity. Check out the Phalanx GRC self-assessments module to solve this problem.

Stage 3: Maturity Roadmap

Stage 3 is all about maturing your security program. It's not enough to understand your gaps. Now you have to do something about it. Check out the Phalanx GRC project management module to build a maturity roadmap.

Video: The video below covers how to drive progress on maturing your security program once you have completed a risk assessment or gap assessment.

Stage 4: Building Your Program

Stage 4 breaks down some of the most common workstreams in a GRC program, how to implement them, and tools for the journey.

  • Week 23: Policies and Procedures (Policy Tool)
  • Week 24: Business Continuity (Link to Post)
  • Week 25: Disaster Recovery
  • Week 26: Incident Management
  • Week 27: Vulnerability Management
  • Week 28: Penetration Testing
  • Week 29: Vendor Risk Management (Vendor Management Tool)
  • Week 30: Security Training
  • Week 31: GRC's Role in Sales (Link to Post)
  • Week 32: GRC's Role with I.T.
  • Week 33: GRC's Role with Product & Engineering
  • Week 34: GRC's Role with Human Resources
  • Week 35: GRC's Role with Legal
  • Week 36: Organizational Structure Considerations
  • Week 37: Internal Audit & Accountability Partnership (Assessment Tool)
  • Week 38: List of Recurring Activities (Compliance Calendar Tool)

Stage 5: Getting Certified Against ISO 27001, SOC 2, or Others

Stage 5 is your guide to achieving certification and building a great relationship with your auditor. We discuss the nuances of common frameworks like SOC 2 and ISO 27001.

Video: The video below is a 4-part series on building a GRC program for multiple compliance frameworks.

Other Things GRC Leaders Should Consider

Tools GRC Leaders Must Have

  • Week 48: Personal Planning, Goals, and Vacation
  • Week 49: Communicating with Executives
  • Week 50: Making a Business Case & Making Asks
  • Week 51: Motivating Your Team
  • Week 52: Celebrating Wins

Free Platform to Build and Manage Your Program

If you need a tool to help build and manage your SOC 2, ISO 27001, or larger GRC program, check out our FREE Platform Phalanx GRC.

Rajesh T R

Director Cyber Security and Resiliency | DSCI certified Strategist | Consultant | BISO | Mentor | Inventor | Speaker | Thought Leader | Cloud | AI/ML/Gen AI | Zero Trust | Audit

1 yr

Thank you

Mohammed Fouad

IT Consultant, Trainer, Communication and Partner @ IT Security @ Governance - Risk - Compliance - Helping companies secure their information systems & Technologies

1 yr

Thank you...very helpful

Aaron Birnbaum

Security Savvy Speaker | vCISO | TRaViS ASM Founder | Cybersecurity Whisperer | CISSP | MBA. Thoughts, opinions, rants, etc. are my own and are in no way affiliated with any employer/partner/contractor/babysitter/relative

1 yr

Outstanding! And more to come! I'll be bookmarking this!

Dr Runli Guo

CEO & Founder @ AI DIONIC | Former CISO, PhD in AI (NLP) | Onboard Trustworthy and Robust AI Agents for Due Diligence and Continuous Risk Monitoring

2 yr

This is such a great guide. I've always found your content insightful. Thank you Christian Hyatt!

Gordon Fiifi Donkoh

Transforming Businesses Digitally, Securely, and Sustainably

2 yr
