
An ISO Compliant and Integrated Model for IT GRC (Governance, Risk Management and Compliance)

  • Conference paper
Systems, Software and Services Process Improvement (EuroSPI 2015)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 543)

Abstract

GRC (Governance, Risk and Compliance) is an umbrella acronym covering the three disciplines of governance, risk management and compliance. The main challenge behind this concept is the integration of these three areas, which are generally dealt with in silos. At the IT level (IT GRC), some research has been proposed towards integration. However, the sources used to construct the resulting models generally mix formal standards, de facto standards arising from industrial consortia, and research results. In this paper, we specifically focus on defining an ISO compliant, integrated IT GRC model, since ISO standards by nature represent an international consensus. To do so, we analyse the ISO standards related to the GRC field and propose a way to integrate them. The result of this paper is an ISO compliant integrated model for IT GRC, aiming to improve efficiency when dealing with the three disciplines together.


Corresponding author

Correspondence to Nicolas Mayer.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Mayer, N., Barafort, B., Picard, M., Cortina, S. (2015). An ISO Compliant and Integrated Model for IT GRC (Governance, Risk Management and Compliance). In: O’Connor, R., Umay Akkaya, M., Kemaneci, K., Yilmaz, M., Poth, A., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2015. Communications in Computer and Information Science, vol 543. Springer, Cham. https://doi.org/10.1007/978-3-319-24647-5_8

  • DOI: https://doi.org/10.1007/978-3-319-24647-5_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-24646-8

  • Online ISBN: 978-3-319-24647-5

  • eBook Packages: Computer Science (R0)
