How to Build a GRC Program in a Year

Hey, thanks for joining the journey!

Every week for 52 weeks I document things you should consider to build a great GRC program. This article is a quick reference to every post in the weekly series. Save this link and check back every week for the latest in the series.

52 Weeks to Build a GRC Program

Stage 1: Planning

First, Seek to Understand

It is important that you first understand your organization, the people, and its objectives. This knowledge will enable you to align the GRC program's objectives with the objectives of the organization and make a huge impact.

• Week 1: Meet Your Team
• Week 2: Read Prior Year Reports
• Week 3: Status of Big Projects
• Week 4: Understand Your Role, Avoid Common Pitfalls

Implement a System to Organize and Run Your Team

Great GRC leaders must get their team rowing in the same direction as quickly as possible. This framework is a toolkit for leaders that want a high performing and happy team. If you implement this system - other departments will want to know how you do it!

• Week 5: Defining Your Purpose
• Week 6: Defining Your Team's Core Values
• Week 7: Documenting Roles and Responsibilities
• Week 8: Meeting Rhythms
• Week 9: Goals, KPIs, and Scorecard

This section is something I call the "Security Team Operating System". You can download the e-book and webinar materials to learn more.

Stage 2: Current State Assessment

Risk Management Program

Every organization needs a process to identify, assess, and take actions to address risks. Stage 3 outlines how to build a risk management program and get a seat with leadership at the table. Check out the Phalanx GRC risk register module to solve this problem.

• Week 10: Establish an IRC
• Week 11: Quarterly IRC Meetings
• Week 12: Doing a Risk Assessment
• Week 13: Tracking and Tacking Action on Risks

Security Program Gap Assessment

Stage 3b is all about understanding the current state of your organization's security program. This will help you identify potential gaps and develop a game plan for maturity. Check out the Phalanx GRC self-assessments module to solve this problem.

• Week 14: Selecting a Security Framework
• Week 15: Executing a Current State Assessment (Free Template)
• Week 16: Tracking and Tacking Action of Gaps (See video below)

Stage 3: Maturity Roadmap

Stage 3 is all about maturing your security program. It's not enough to understand your gaps. Now you have to do something about it. Check out the Phalanx GRC project management module to build a maturity roadmap.

• Week 17: Prioritizing Projects
• Week 18: Assigning Owners, Action Plans, Due Dates (See video below)
• Week 19: Weekly Accountability Meeting

Video: The video below is covers how to drive progress on maturing your security program once you have done a risk assessment/gap assessment.

• Week 20: Building a Resource Plan - People (Template)
• Week 21: Building a Resource Plan - Tools (Template)
• Week 22: Building a Resource Plan - Budgets (Template)

Stage 4: Building Your Program

Stage 4 breaks down some of the most common workstreams in a GRC program, how to implement them, and tools for the journey.

• Week 23: Policies and Procedures (Policy Tool)
• Week 24: Business Continuity (Link to Post)
• Week 25: Disaster Recovery
• Week 26: Incident Management
• Week 27: Vulnerability Management
• Week 28: Penetration Testing
• Week 29: Vendor Risk Management (Vendor Management Tool)
• Week 30: Security Training
• Week 31: GRC's Role in Sales (Link to Post)
• Week 32: GRC's Role with I.T.
• Week 33: GRC's Role with Product & Engineering
• Week 34: GRC's Role with Human Resources
• Week 35: GRC's Role with Legal
• Week 36: Organizational Structure Considerations
• Week 37: Internal Audit & Accountability Partnership (Assessment Tool)
• Week 38: List of Recurring Activities (Compliance Calendar Tool)

Stage 5: Getting Certified Against ISO 27001, SOC 2, or Others

Stage 5 is your guide to achieving certification and building a great relationship with your auditor. We discuss the nuances of common frameworks like SOC 2 and ISO 27001.

• Week 39: How to Get a SOC 2 Report (Free SOC 2 Assessment)
• Week 40: How to Get ISO 27001 Certified (Free ISO 27001 Assessment)
• Week 41: How to Get PCI DSS Certified
• Week 42: How to Get HITRUST Certified
• Week 43: How to Get HIPAA Compliant
• Week 44: Auditor Relationship Considerations
• Week 45: Evidence Gathering for Audits
• Week 46: Staying Compliant Between Audits
• Week 47: Implementing a Single Framework Strategy (4 Part YouTube Series, Whitepaper)

Video: The video below is a 4 Part Series on Building a GRC Program For Multiple Compliance Frameworks

Other Things GRC Leaders Should Consider

Tools GRC Leaders Must Have

• Week 48: Personal Planning, Goals, and Vacation
• Week 49: Communicating with Executives
• Week 50: Making a Business Case & Making Asks
• Week 51: Motivating Your Team
• Week 52: Celebrating Wins

Free Platform to Build and Manage Your Program

If you need a tool to help build and manage your SOC 2, ISO 27001, or larger GRC program, check out our FREE Platform Phalanx GRC.