Evaluate IT GRC framework

We ask you to fill out this questionnaire on the completeness of the presented framework. Under each process flow, you can leave comments or feedback.

1. Is the Policy management complete regarding Direct process flow?

Rate each process name on the scale: Definitely include / Maybe include / Maybe exclude / Definitely exclude
1) Strategic alignment
„(Business-IT-Alignment) – focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations“ [Krey, 2010].
2) Deficiency management
„Results from deviation analysis are taken as requirements for deficiency management. Deficiencies are eliminated through improving, creating new controls or modifying parts of the control system“ [Racz, 2011b].
3) Manage policies
from the definition of management system, „set of interrelated or interacting elements of an organization to establish policies ...“ where policy is „intentions and direction of an organization as formally expressed by its top management“ [ISO19600:2014]
4) Manage procedures
„specified way to carry out an activity or process“ [ISO19600:2009]
5) Define risk appetite
„organization’s approach to assess and eventually pursue, retain, take or turn away from risk“ [ISO 31000:2009]
6) Establish compliance management system
Demonstration of leadership and commitment with respect to compliance management system, active involvement in compliance management system, application of governance to the management system
7) Commitment to developing a compliance culture
8) Definition of roles and responsibilities

2. Is the Policy management complete regarding Monitor process flow?

Rate each process name on the scale: Definitely include / Maybe include / Maybe exclude / Definitely exclude
1) IT control self-assessment and measurement
„Control self-assessment is a methodology used to review key business objectives, risks involved in achieving the objectives, and internal controls designed to manage those risks“ [Institute of Internal Auditors. 1998. A Perspective on Control Self-Assessment. The Institute of Internal Auditing, Florida.]

3. Is the Policy management complete regarding Evaluate process flow?

Rate each process name on the scale: Definitely include / Maybe include / Maybe exclude / Definitely exclude
1) Requirements analysis
„Requirements analysis comprises the identification of regulatory, legal, contractual, and other obligations that affect the organization’s IT operations.“ [Racz, 2011b]
2) Deviation analysis
„after requirements analysis, adherence is examined with internal and external audits“ [Racz, 2011b]

4. Is the Policy management complete regarding Report process flow?

Rate each process name on the scale: Definitely include / Maybe include / Maybe exclude / Definitely exclude
1) Reporting/documentation
„All actions are documented and relevant information is reported to stakeholders“ [Racz, 2011b]
2) IT compliance reporting
„The governing body, management and the compliance function should ensure that they are effectively informed on the performance of the organization’s compliance management system and its continuing adequacy, including all relevant noncompliances.“ [ISO 19600:2014]