Companies list governance, risk, and compliance (GRC) as a top priority, but “doing GRC” isn’t easy. It takes time, effort and a strategy – and starting is usually the hardest part.

So, in the first of our Back to Basics blogs, we’re going to focus on where every compliance and risk practitioner should start when building a GRC program: selecting the compliance frameworks which will form the foundation of your GRC program…

When building out a GRC program, you’ll need to start by selecting a core compliance framework. A compliance framework, also known as a compliance program, is a structured set of guidelines and best practices that details a company’s processes for meeting regulatory requirements. In addition to meeting regulatory compliance requirements, an organization uses its compliance frameworks to enhance security, improve business processes, and realize other business objectives, such as selling cloud products and services to government agencies.

As there are a number of compliance frameworks that a company’s information security team can adopt to meet regulatory requirements, we’ve pulled together some common frameworks you will want to be familiar with before setting up your GRC program.

TIP: Never take an ad-hoc approach to building a GRC program, as it can create unnecessary additional work when you later have to move into a required framework.

Many of these frameworks have been developed over time and include built-in risk assessment capabilities, which means they will provide a solid foundation for building a GRC program and maturing it over time:

  • SOC: If your business provides services to other businesses — say, data storage or payroll management — you’ll need to provide assurance to your customers that your organization won’t expose them to any undue security or compliance risks. The two most common ways to provide that assurance are to pass a SOC 1 or SOC 2 audit, each of which provides a framework (and testing processes) for financial controls. These frameworks have become ‘table stakes’ for any service organization, and potential customers will expect you to be compliant.
  • PCI: The Payment Card Industry (PCI) cybersecurity compliance standard protects debit and credit cardholder data from unauthorized access via data breaches, ransomware, and other security breaches. The standard encompasses all of the IT and operational controls that organizations must implement to protect credit card data, and includes multiple frameworks. The PCI DSS (Data Security Standard) is a core framework, which is required if you process, transmit or store credit card data.
  • HIPAA: Also known as the Health Insurance Portability and Accountability Act, this framework mandates cybersecurity standards for businesses in healthcare-related industries that handle protected health information (PHI). So, if you’re in the healthcare industry, you’re going to have to comply with HIPAA.
  • FedRAMP & CMMC: These frameworks apply to organizations that conduct business with the US Federal Government. FedRAMP dictates a standardized approach for security assessment, authorization, and continuous monitoring of cloud products and services offered by cloud service providers (CSPs). So, if your business has a specific product or environment in which you are processing federal data, you’ll need to achieve certification to obtain an Authorization To Operate (ATO). CMMC requires a similar certification, for companies doing business with the US Department of Defense.
  • GDPR & CCPA: Over the last several years, there has been a growing demand for greater oversight of how companies collect, use, share, and delete customer data. GDPR (aka General Data Protection Regulation) requires that if your business collects personal data of European Union (EU) citizens – regardless of where your business is located – you have controls in place to protect your customers. CCPA is very similar; however, it is state specific and focused on anyone processing data of California residents.
  • Sarbanes-Oxley (SOX) & COBIT: SOX was created to provide greater accuracy and transparency of corporate disclosures in financial statements and to safeguard investors from fraudulent accounting practices through effective risk management. It is a requirement for any publicly traded organization within the US and, while it’s focused on financial reporting, there is a component related to cybersecurity programs and how those IT processing activities feed into your financial reporting. COBIT is a governance framework that is often used in conjunction with SOX, as it helps you establish an IT governance program that will aid you in complying with the SOX framework.

These are just a few of the most common frameworks to consider when building out your GRC program. If you’d like to see a more comprehensive list of compliance frameworks – and when it’s appropriate to use them – we’ve created this Compliance Framework Content Registry.

Once you’ve determined which core frameworks your organization needs to comply with, you’ll be ready to begin building out your GRC program. Check out our latest webinar to learn more: Back to Basics: How to Stand Up Your GRC Program.
