Preparing for a Successful GRC Gap Assessment

Posted: April 21, 2022

With rising regulatory compliance demands and the growing popularity of cybersecurity frameworks, there’s been increased interest in governance, risk, and compliance (GRC) gap assessments. The market research firm IDC expects enterprise global GRC spending to rise from $11.3 billion in 2020 to nearly $15.2 billion by 2025. And most of that GRC budget will be targeted toward IT and security risk management programs.

With that newfound interest in GRC initiatives, enterprises will want to ensure that they get the most from their efforts. And while many security and risk management professionals may be quite familiar with traditional application security assessments and penetration tests, GRC gap assessments are a little different and new to many organizations.

With traditional application security assessments and penetration tests, the objectives are typically to identify technical and logical flaws within specific technologies. This could be looking at the organization’s perimeter as an adversary might and trying to find vulnerabilities that could be exploited in attacks. Or, such assessments could be conducted upon a single application or set of related applications.

Instead, GRC gap assessments are designed to discover specific missing aspects of a security and risk management program as applied to particular frameworks or regulations, such as the ISO 27000 Series, NIST SP 800-53, NIST Cybersecurity Framework (CSF), GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act) and more. GRC assessments should closely evaluate the physical, management, and technical security controls in place as it applies to the standard being assessed.

As a former enterprise senior security analyst, having run GRC programs for several divisions at health services provider MD Anderson Cancer Center, the processes associated with these assessments are something I know well. That experience and years of consulting engagements and assessing many organizations have helped me learn how to provide high-value GRC gap assessments for our customers. And if organizations don’t approach their GRC gap assessments properly, they will waste a lot of their time and budget, which will lead to a lot of overhead in double work, or perhaps missing serious gaps in risk management.

Next, we’ll examine why organizations conduct GRC assessments and detail what you need to know to ensure successful GRC gap assessments.

Successful GRC gap assessments

A successful GRC assessment helps establish a baseline detailing where the organization stands today related to the standards expected in the framework. If it’s done well, your technical, compliance teams, and senior leadership will all know where the organization would stand if it were audited and what they need to do to close any gaps to meet framework expectations.

Organizations often conduct a GRC gap assessment because they have mature risk management and security programs, hoping to become ISO 27001 certified or re-certified. Sometimes, it’s for a self-assessment to evaluate the maturity of their program, such as how well they are implementing the NIST CSF. Also, many companies with good security leaders understand what they are doing technically to defend their enterprises, and they may have that aspect down. Still, they don’t understand governance or risk management.

We’ve found, to get the most value from a GRC gap assessment, organizations need to understand what the process will look like and ways they can prepare before beginning the evaluation:

First, the organization must understand its goals. There are many reasons to conduct a GRC gap assessment. It could be to achieve certification to ISO 27001, or it might be to prepare to build a security and risk management program that may one day become certified. Other times clients simply want to measure their security capabilities against the guidelines and best practices of the NIST CSF, which is an excellent way to measure a security program’s posture qualitatively.

Regardless of the standard, your organization must have a firm grasp on the significant objective.

Make certain executive leadership is on board. With the broad objectives understood, it’s important to get leadership on board with the effort and make certain they know the importance of the gap assessment. This doesn’t just mean technical leaders, like the CIO, CTO, CSO, or risk officers, but also business leadership, including the CEO, risk as compliance executives, and the board of directors. It will be much easier to get the funding necessary to remedy any assessment findings with the proper executive backing.

Find the right partner. When seeking a GRC gap assessor, you are going to want a services provider that is experienced conducting the types of assessment the organization needs and one that you trust understands how to look at a complete security and risk management program and provide consultative advice on the steps necessary to build the most effective program to meet objectives. And while some organizations may want to conduct an assessment themselves, outside and objective eyes are essential for the most helpful review possible.

GRC Gap Assessment Statement of Work (SOW). A GRC gap assessment SOW will detail, from a high level, the nature of the gap assessment and the direction of work for the service provider to deliver. The SOW may also define what success will look like, standards that are expected, and what metrics, if any, will be used to measure success.

Determine the scope. When the assessment begins, one of the first things your assessor will do is determine the scope. While the work statement will broadly detail the definition of assessment scope, there will be much more detail determined during the assessment. The assessment team will evaluate the standard or framework the program is being assessed against and identify what controls apply to the organization.

To prepare for this phase, you’ll want to gather the proper documentation for security policies and procedures, architecture, and documentation that details the framework the services provider is assessing against, as well as the teams that will be part of the assessment, such as IT, legal, security, and compliance. The assessment process will be improved and expedited by gathering together everything needed ahead of time.

The assessment. The assessment will determine the difference between the actual maturity level of an organization pertaining to a standard so that areas that need improvement can be identified. This requires a review of business-technology systems, security controls, and the organization’s risk management processes.

This may mean a comprehensive review of systems architecture and organizational structure for large organizations. For smaller organizations, it may mean a look at the settings of their security tools. For all organizations, the assessor will be looking at how technical controls, compensating controls, policies, and procedures interrelate to reduce risk effectively. This includes everything from the effectiveness of those technical controls, compensating rules, and other related processes.

The final report: What to expect. In the assessor’s presentation, an executive summary will typically be delivered that explains, broadly, what was identified during the assessment. Every gap identified will be listed with a comprehensive explanation of the risk. There will also be provided a list of the controls that had deficiencies and the steps necessary to close each gap. And for every control identified, there will be a deeper explanation of the control and risks mitigated by the control.

Following the assessment and taking the subsequent steps to meet the standard requirements, your organization will be able to operate in a way that meets the standard. And there are long-term benefits from a gap assessment and eventually sustainably meeting the standard. By effectively meeting the standard, organizations can make better risk management decisions, maintain consistency in their program, and improve internal security and risk management communications. Perhaps most important of all: mitigate the risks of a nasty breach. And no organization wants to make the news the subject of a data breach. To learn more about Set Solutions and our GRC gap assessment services, call us today at 713-956-6600.


This blog was written by Stephen Alexander, GRC Practice Manager with Set Solutions