Evaluate IT GRC framework

We ask you to fill out the questionnaire about the completeness of the presented framework. Under each process flow, you can leave comments/feedback.

1. Is the Risk management complete regarding Monitor process flow?

Process name Definitely include Maybe include Maybe exclude Definitely exclude
1) Monitoring
"continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected" [ISO 31000:2009]

2. Is the Risk management complete regarding Evaluate process flow?

Process name Definitely include Maybe include Maybe exclude Definitely exclude
1) Internal environment - internal context
"internal environment in which the organization seeks to achieve its objectives" [ISO 31000:2009]
2) Risk identification
"process of finding, recognizing and describing risks" [ISO 31000:2009]
3) Determine risk appetite – risk attitude
"organization's approach to assess and eventually pursue, retain, take or turn away from risk" [ISO 31000:2009]
4) Evaluation of key risk management practices

3. Is the Risk management complete regarding Direct process flow?

Process name Definitely include Maybe include Maybe exclude Definitely exclude
1) Resource management
"is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure" [Krey, 2010]
2) Risk response - Risk treatment
"process to modify risk" [ISO 31000:2009]
3) Control activities
"measure that is modifying the risk" [ISO 31000:2009]
4) Manage risks
"systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk" [ISO 31000:2009]
5) Develop KRI - establish the context
"defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy" [ISO 31000:2009]
6) Remediation & control management
"is the process for managing uncontrollable project activities or circumstances that may result in negative consequences to remediation system performance" [http://www.itrcweb.org/Team/Public?teamID=43 Visited 15.05.2016]
7) Objective setting
"Derivation of IT compliance and IT compliance reporting objectives from business requirements" [Racz, 2011b]

4. Is the Risk management complete regarding Report process flow?

Process name Definitely include Maybe include Maybe exclude Definitely exclude
1) Information & communication – communication and consultation
"continual and iterative processes that an organization conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk" [ISO 31000:2009]