Governance, Risk & Compliance (GRC)
The ambition of the GRC Focus Group is to build a trust platform for exchanging success factors and delivery methods: the ‘how’ (e.g., when a security policy should be reviewed, how to do security-by-design) and also the ‘what’, such as the challenges faced when implementing new technologies (e.g., defining efficient security controls for mobile devices, defining suppliers’ requirements).
Objectives
The objective of the GRC Focus Group is to share experiences in three challenging GRC aspects supporting organizational agility:
Security policies
Keeping security under control is becoming increasingly challenging: digital transformation, continuous development, mobility, cloud usage, etc. require much more agile security controls and processes. Security policies need to stay relevant to keep up with changes.
Security processes
Security processes must not jeopardize the way the business operates but instead foster it (security-by-design, vulnerability management, exception management, etc.).
Security risk & compliance measurement
As boards and executive committees become better informed, the ability to measure security risk and communicate it effectively becomes an indicator of how relevant the Security Function is.
Topics
The members are currently focusing on:
- Metrics, KPI, KRI & ways to report
- Conducting risk assessment
- Legal compliance (NIS2 & DORA)
Activities range from presenting lessons learned & sharing best practices on methods applied to sharing or co-creating assets.
Recent topics included an ISO 27002 and ISO 27701 update; integration of IT control frameworks; tooling for mapping industry standards to control assessments; risk appetite, risk registers and risk assessments; vendor management recommendations based on ISO 27001 audits; and practical application of the FAIR risk assessment methodology.
Practices
The GRC Focus Group generally convenes in-person on a quarterly basis.
How to join the group
The members of this Focus Group are all active in GRC domains.