Resources

Reference guides, framework information, and curated links for GRC professionals.


Key Concepts in GRC

The disciplines, processes, and frameworks that define enterprise security programs.

GRC: Governance, Risk, Compliance

Governance (Direction & Oversight)
ERM: Enterprise Risk Management
BCP: Business Continuity Planning
DR: Disaster Recovery
BIA: Business Impact Analysis
CISO: Chief Information Security Officer

Risk Management (Identify & Treat)
RA: Risk Assessment
KRI: Key Risk Indicators
KCI: Key Control Indicators
RCSA: Risk & Control Self-Assessment
TPRM: Third-Party Risk Management

Compliance (Prove & Maintain)
Audit: Independent Audit
CSA: Control Self-Assessment
POA&M: Plan of Action & Milestones
CCM: Continuous Controls Monitoring
GRC: GRC Platform

Frameworks & Standards
NIST CSF: Cybersecurity Framework 2.0
800-53: Security & Privacy Controls
RMF: Risk Management Framework
Free NIST CSF Assessment Tool →
SOC 2: Trust Services Criteria
ISO 27001: Information Security Management
ISO 27005: Information Security Risk Management
Free SOC 2 Assessment Tool →
CMMC: Cybersecurity Maturity Model
FedRAMP: Federal Cloud Authorization
COBIT: IT Governance Framework
Free CMMC Assessment Tool →

Key Regulations
HIPAA: Health Information Privacy
GDPR: EU Data Protection
PCI DSS: Payment Card Security
SOX: Financial Reporting Controls
CCPA: California Privacy Rights
FISMA: Federal Information Security
Assess your vendors → TPRM Assessment Tool
Compare across all frameworks → Framework Crosswalk Tool
Track remediation → Risk Treatment Plan Tool
50+ GRC Acronyms & Definitions →

Reference Guide

50+ GRC Acronyms & Definitions

Searchable reference with category filters. Frameworks, risk management, security, audit, and operations terms explained.

Browse →

GRC KPIs & KRIs

Key Performance Indicators measure program effectiveness. Key Risk Indicators flag emerging threats.

KPIs & KRIs (26 Metrics)

Governance Structure (Oversight & Direction)
KPI: GRC Committee Meeting Frequency
KPI: GRC Policy & Procedure Updates

Risk Identification (Discover & Classify)
KPI: Number of Identified Risks
KPI: Timeliness of Risk Identification

Compliance Management (Obligations & Training)
KPI: Compliance Obligations Met (%)
KPI: Compliance Training Completion

Risk Assessment (Evaluate & Measure)
KPI: Risk Assessment Completion Rate
KPI: Risk Heatmap Accuracy

Control Effectiveness (Test & Remediate)
KPI: Control Testing Frequency
KPI: Control Remediation Timeliness

Incident Management (Respond & Resolve)
KPI: Incident Response Time
KPI: Incident Resolution Rate

Audit & Assurance (Verify & Validate)
KPI: Audit Completion Timeliness
KPI: Audit Issue Resolution Rate

IT Security (Protect & Defend)
KPI: IT Security Policy Compliance
KPI: Response Time to Security Incidents

Data Privacy & Protection (Safeguard & Comply)
KPI: Data Privacy Compliance
KPI: Data Subject Request Handling

Business Continuity (Plan & Recover)
KPI: Business Continuity Plan Testing
KPI: Business Impact Analysis Timeliness

Training & Awareness (Educate & Certify)
KPI: GRC Training Participation
KPI: Employee Compliance Certification

Reporting & Analytics (Analyze & Report)
KPI: GRC Reporting Accuracy
KPI: Predictive Analytics Utilization

Need Help With Your Compliance Program?

Resources are great, but sometimes you need hands-on expertise.