An ISO Compliant and Integrated Model for IT GRC (Governance, Risk Management and Compliance)

GRC (Governance, Risk Management and Compliance) is an umbrella acronym covering the three disciplines of governance, risk management and compliance. The main challenge behind the concept is integrating these three areas, which are generally handled in separate silos. At the IT level (IT GRC), some research has been proposed towards such integration. However, the sources used to build the resulting models generally mix formal standards, de facto standards issued by industry consortia, and research results. In this paper we focus specifically on defining an ISO compliant integrated IT GRC model, since ISO standards by nature represent an international consensus. To do so, we analyse the ISO standards related to the GRC field and propose a way of integrating them. The result is an ISO compliant integrated model for IT GRC, aimed at improving efficiency when the three disciplines are dealt with together.
