Abstract
GRC (Governance, Risk and Compliance) is an umbrella acronym covering the three disciplines of governance, risk management and compliance. The main challenge behind this concept is integrating these three areas, which are generally dealt with in silos. At the IT level (IT GRC), some research work has been proposed towards integration. However, the sources used to construct the resulting models generally mix formal standards, de facto standards arising from industrial consortia, and research results. In this paper, we specifically focus on defining an ISO-compliant integrated model for IT GRC, ISO standards representing by nature an international consensus. To do so, we analyse the ISO standards related to the GRC field and propose a way to integrate them. The result is an ISO-compliant integrated model for IT GRC, aiming at improving efficiency when dealing with the three disciplines together.
© 2015 Springer International Publishing Switzerland
Mayer, N., Barafort, B., Picard, M., Cortina, S. (2015). An ISO Compliant and Integrated Model for IT GRC (Governance, Risk Management and Compliance). In: O’Connor, R., Umay Akkaya, M., Kemaneci, K., Yilmaz, M., Poth, A., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2015. Communications in Computer and Information Science, vol 543. Springer, Cham. https://doi.org/10.1007/978-3-319-24647-5_8
DOI: https://doi.org/10.1007/978-3-319-24647-5_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-24646-8
Online ISBN: 978-3-319-24647-5