An ISO Compliant and Integrated Model for IT GRC (Governance, Risk Management and Compliance)


Abstract

GRC (Governance, Risk and Compliance) is an umbrella acronym covering the three disciplines of governance, risk management and compliance. The main challenge behind this concept is the integration of these three areas, which are generally dealt with in silos. At the IT level (IT GRC), some research works have been proposed towards integration. However, the sources used to construct the resulting models generally mix formal standards, de facto standards arising from industrial consortia, and research results. In this paper, we specifically focus on defining an ISO compliant integrated IT GRC model, since ISO standards by nature represent an international consensus. To do so, we analyse the ISO standards related to the GRC field and propose a way to integrate them. The result of this paper is an ISO compliant integrated model for IT GRC, aiming to improve efficiency when the three disciplines are dealt with together.

Citation (APA)

Mayer, N., Barafort, B., Picard, M., & Cortina, S. (2015). An ISO compliant and integrated model for IT GRC (Governance, risk management and compliance). In Communications in Computer and Information Science (Vol. 543, pp. 87–99). Springer Verlag. https://doi.org/10.1007/978-3-319-24647-5_8
