Do I need IT GRC management?
Probably. The exception is when money is irrelevant and you simply want to protect anything and everything everywhere (rather than leaving some things unprotected or only partly protected). If instead you want to be risk focused, decide how much security is needed and where, justify why you invest in one place and not in another, and follow that up, then yes.
Every management team is in principle obliged to manage risk (including IT risk), since personal liability, insurability in the event of damage and so on depend on it. Suppliers are held accountable by their clients; regulated companies are usually held accountable anyway.
IT GRC management is thus a competitive advantage and also helps you save money.
Benefits
Many years of experience
We’ve been offering advice on this topic for more than 20 years and have helped countless companies achieve certification or pass critical infrastructure audits as per Section 8a (1) of the German Act to Strengthen the Security of Federal Information Technology.
A high level of expertise
In addition to our long-standing experience with respect to regulations and frameworks, our vast wealth of know-how in the other specialist areas of data protection and security testing helps us address the really relevant issues for you. We know what the auditors want – and also what’s practically relevant!
Position of an external CISO/Security Representative
In most cases, companies with IT GRC management need an Information Security Officer or Chief Information Security Officer.
In SMEs, this is often not a full-time position and the controlling tasks could be performed part-time. However, the range of topics is so extensive and the content so complex that this usually doesn't scale.
An external CISO/ISR is therefore a good choice. Comparable to a data protection officer, this party can provide all their expertise in a manageable mandate.
Our approach
With regard to IT GRC management, we focus on information management tools and structures and on questions concerning the (potentially tool-supported) modelling of risk management and compliance requirements. We also concentrate on the targeted use of technical and organisational measures to precisely meet identified requirements.
To name but a few examples, our services in this respect include:
- Consulting on efficiently setting up a structured risk and compliance management system
- Conducting risk analyses, preparing risk catalogues and mapping to ISO/IEC 2700x, COBIT or other checks
- Establishing information security management systems, e.g. according to ISO/IEC 27001 (also based on the basic protection catalogues)
- Offering guidance on certification, or on whether certification is an option
- Establishing information security management systems for financial service organisations according to ISO/TR 13569:2005
- Emergency preparedness/business continuity management (BCM) (BS 25999, BSI 100-4)
- Assisting with meeting IT compliance requirements (e.g. with respect to requirements from PCI DSS, data protection, operational risk or other regulatory, statutory or internal requirements)
- Preparing or reviewing ‘PPPs’ (policies, processes and procedures)
- Conducting gap analyses