ISC2

Foundations of Governance, Risk, and Compliance

Gain insight into a topic and learn the fundamentals.
Beginner level

Recommended experience

4 hours to complete
Flexible schedule
Learn at your own pace

Details to know

Shareable certificate

Add to your LinkedIn profile

Recently updated!

February 2026

Assessments

8 assignments

Taught in English

There are 10 modules in this course

What's included

1 video

Governance, risk, and compliance (GRC) encompasses the structured approach organizations follow to align IT and business strategies, manage risks effectively, and ensure organizational activities adhere to established regulations and standards.

What's included

7 videos, 1 assignment

Scoping the system defines the boundaries and characteristics of the system that will be assessed and protected. It helps in identifying the system's assets, functions, interconnections, dependencies, area of operations, users, and stakeholders, as well as the applicable laws, regulations, policies, and standards that govern the system. Scoping of the system also helps to determine the level of risk that the system poses to the organization and its mission, and the level of effort and resources that will be required to manage the risk.

What's included

8 videos, 1 assignment

The selection and approval of controls requires an understanding of what a control is, what it is designed to do, and what policy decisions shape the controls environment. Controls decisions are shaped by a variety of influences, including statutory or regulatory obligations, organizational security or privacy policies, the organization’s risk management practices, existing controls, system capabilities, and contractual requirements associated with the operation of the system.

What's included

9 videos, 1 assignment

Security and privacy controls are the technical, administrative, and physical measures that an organization implements to protect its information systems and data from unauthorized access, use, disclosure, modification, or destruction. Control implementation and alignment helps an organization ensure the confidentiality, integrity, and availability of its information systems and data; reduce its exposure to threats and vulnerabilities; and demonstrate its adherence to relevant laws, regulations, and standards. It also enables the organization to communicate its security and privacy posture to its stakeholders, customers, and partners, and to build trust and reputation.

What's included

9 videos, 1 assignment

The term "assessment" generally implies a less formal assessment activity, while the term "audit" implies a more formal assessment typically done to show compliance with a particular standard. Across industries, the use of these terms can be inconsistent. The GRC professional should understand how the terms are employed within the context of a specific use case. Here "assessment" is used as a broad term that encompasses both general evaluations and the specific instances of audits.

What's included

9 videos, 1 assignment

System compliance is the adherence of a system to the established standards, policies, and regulations that govern its operation, security, and performance. Documentation from security and privacy assessments after control implementation is reviewed to determine system compliance. These documents are analyzed against organizational risk strategy and risk assessments to determine residual risk compared to risk appetite. Once system compliance decisions are made and stakeholders acknowledge and agree on the risk treatment options, the system is authorized to operate and ready for production.

What's included

9 videos, 1 assignment

System compliance is not a one-time event. Compliance maintenance includes processes that ensure a system remains compliant throughout its life cycle and detects and resolves any compliance issues that may arise. It extends beyond periodic demonstration of compliance and involves a comprehensive approach to change management, ongoing activities, and system decommissioning with strict adherence to global and industry-specific frameworks.

What's included

8 videos, 1 assignment

ISC2 is the world’s leading member organization for cybersecurity professionals, driven by our vision of a safe and secure cyber world. Our certified members and associates are a force for good, safeguarding the way we live. Our certifications enable professionals to demonstrate their knowledge, skills, and abilities at every stage of their careers. Becoming a certified professional through the CGRC demonstrates to employers and peers that you have the knowledge and skills to integrate governance, risk management, and regulatory compliance within an organization. It shows that you are able to use various international frameworks to manage risk and authorize and maintain information systems. Official trainings, seminars, courseware, and self-study aids from ISC2 are available to help you get ready for the rigorous CGRC exam by reviewing relevant domains and topics. Whether you prefer self-paced, online instructor-led, or in-person classroom training, ISC2 has an option to fit your schedule and learning style.

What's included

1 video

What's included

1 reading, 1 assignment

Instructor

ISC2 Education & Training
ISC2
36 courses, 119,904 learners

Offered by

ISC2
