Governance, Risk management and Compliance, or GRC for short, is a cybersecurity domain at the intersection of People, Processes and Technologies. It aims to structure the way in which companies achieve their business objectives while maintaining regulatory compliance and managing the risks that come with using technology.

Governance

Governance lays the foundations of how the company functions in order to reach its business objectives. For cybersecurity in particular, it represents the framework for secure operations within the company. Three main components are used to implement Governance in an organization: policies (which state the behaviour the company expects), standards (objective or quantifiable requirements that put the policies into context), and procedures (detailed instructions for effectively implementing the policies).

Risk

The second aspect of GRC is Risk management, which aims to identify, assess, prioritize and address the risks faced by an organization, for improved resilience. Companies can address a given risk by avoiding, accepting, transferring or mitigating it. By implementing a risk management methodology, companies increase their awareness of their security exposure, are able to make informed decisions regarding cybersecurity investments, and can better identify where to direct their efforts. A number of frameworks can be used to that end: NIST RMF, NIST CSF, CIS RAM, ISO 27001, COBIT 5, OCTAVE, FAIR or TARA.

Compliance

Compliance refers to regulatory compliance. Every industry is governed by a set of laws, regulations and industry standards that companies operating in that sector must conform to.
However, being compliant does not necessarily mean being secure. Compliance merely means meeting the minimum set of requirements imposed by regulations; it establishes a baseline upon which companies can build additional measures to improve their defenses.