Module 1 · GRC Fundamentals 🔒

Governance, Risk, and Compliance (GRC) is the discipline that translates security work into something the business, board, and regulators understand. Done well, it aligns security investment with business risk and produces audit-ready evidence on demand. Done poorly, it generates spreadsheets nobody reads. This module covers the GRC mental model, the major frameworks, and how to set up a function that actually informs decisions.

The three components

• Governance: who decides what, with what authority. Security policies, decision rights, escalation paths, board oversight
• Risk: identifying what could harm the business, assessing likelihood and impact, deciding to accept, mitigate, transfer, or avoid
• Compliance: demonstrating adherence to required standards (regulations, contracts, certifications)

These overlap. A compliance requirement is also a risk if unmet. A governance decision shapes how risks are addressed. Treat them as one ecosystem.

Risk management — the operating loop

1. Identify: what threats and vulnerabilities exist that could harm the business?
2. Assess: for each risk, estimate likelihood (low/med/high or quantitative) and impact (financial, regulatory, reputational, operational)
3. Prioritise: rank by inherent risk score (likelihood × impact)
4. Treat: choose action — Accept, Mitigate, Transfer (insurance), Avoid (don’t do the thing)
5. Implement: deploy controls; track to completion
6. Monitor: measure residual risk; review regularly
7. Report: communicate risk posture to leadership and board

Most programs fail at #6 — risks logged at one point in time, never revisited. A risk register that hasn’t been updated in 6 months is fiction.

Quantitative vs qualitative risk

• Qualitative — high/medium/low ratings. Easy. Subjective. Useful for prioritisation among many risks
• Quantitative — actual numbers. “Annual loss expectancy = $850K.” Harder. More credible to finance/board. FAIR (Factor Analysis of Information Risk) is the leading methodology

Practical answer: qualitative for fast triage; quantitative for the top 5-10 risks where the analysis effort is justified by decision impact.

Major compliance frameworks

Information security management

• ISO 27001 — international standard for ISMS (Information Security Management System). Process-based; certification widely recognized
• NIST CSF — Cybersecurity Framework. Function-based (Identify, Protect, Detect, Respond, Recover). Voluntary in US; widely adopted
• NIST 800-53 — detailed control catalog. Mandatory for US federal; influential elsewhere
• CIS Controls — prioritised list of practical controls. Excellent starting point for SMEs

Sector-specific

• SOC 2 — service organisation controls. Type 1 (point-in-time), Type 2 (over time). Common requirement for SaaS vendors selling to enterprises
• PCI-DSS — Payment Card Industry Data Security Standard. Mandatory if you handle cardholder data
• HIPAA — US healthcare data protection
• GDPR / DPDP / CCPA — privacy regulations
• RBI guidelines — for Indian banks and financial services
• SEBI cybersecurity framework — for Indian capital markets entities
• NCIIPC requirements — for Indian Critical Information Infrastructure

Industry-specific

• NERC CIP — North American electric utilities
• FedRAMP — US federal cloud
• StateRAMP, GovRAMP — variants
• IRAP — Australian government
• C5 — German cloud

You don’t need every framework. Map your customer/regulator obligations and select. Many requirements overlap — controls satisfying SOC 2 typically satisfy 60-70% of ISO 27001.

Mapping controls across frameworks

If you serve enterprise customers globally, you’ll need multiple. The pattern that works:

1. Adopt one comprehensive framework as your “primary” (usually NIST CSF or ISO 27001)
2. Implement controls aligned to that framework
3. For each additional regime (SOC 2, PCI), maintain a mapping spreadsheet
4. Each control collects evidence once; mapping shows which frameworks it satisfies

Tools: SecureFrame, Drata, Vanta, Tugboat — automate evidence collection and framework mapping. Worth the cost for any team pursuing two or more certifications.

Audit readiness — the operational discipline

Audits assess whether your controls operate as documented. Survival approach:

• Document controls — what the control is, who owns it, how it operates, how evidence is collected
• Operate controls consistently — most audit failures are inconsistent operation, not missing controls. “We do quarterly access reviews” but the last one is 7 months old
• Collect evidence continuously — automated where possible. Manual evidence rarely catches up at audit time
• Run internal audits — at half the formal audit cadence. Catch and fix issues before external auditors find them
• Track exceptions and gaps — known issues with treatment plans look better than discovered surprises

Policy hierarchy

Documentation hierarchy that auditors expect:

1. Policy — what we will do (high-level, board-approved). Stable for years
2. Standard — specific requirements (e.g., minimum password length 14 chars). Updated quarterly to annually
3. Procedure — how we operationally satisfy standards (e.g., quarterly access review process). Updated as needed
4. Guideline — recommendations, not mandatory

Each level references the level above. A procedure traces to a standard, which traces to a policy. Auditor follows the trace; finds gaps if traces break.

Risk register — what it should contain

For each risk:

• Risk ID and short title
• Description (what could go wrong)
• Inherent likelihood and impact (before controls)
• Existing controls
• Residual likelihood and impact (after controls)
• Risk owner (the person accountable for managing)
• Treatment plan and target date
• Monitoring KPI
• Last reviewed date

Keep it in a system, not a spreadsheet, once it has more than 30 entries. Spreadsheets stop being reviewed at scale.

Board reporting

What the board wants to know:

• Top 5 risks and what we’re doing about them
• Critical incidents this quarter
• Compliance posture by framework (green/yellow/red)
• Major program milestones (audit dates, certification renewals)
• Investment requests with risk-based justification

Format: 1-2 page narrative + heat map of risks + traffic light dashboard. Rarely should board reports exceed 10 pages.

What the next modules cover

Module 2 dives deep into ISO 27001 implementation for Indian organisations. Module 3 covers SOC 2 specifically — the framework most Indian SaaS firms encounter from US enterprise customers. Module 4 covers third-party risk management. Module 5 covers running internal audits effectively.