Introduction to GRC Templates
How templates help you implement eramba
eramba is a tool that should reflect the reality of your organisation's GRC practices; in the end, auditors need to see the real thing.
Telling people inside or outside the organisation that you are aware of the Risks that exist in your organisation and what mitigation is in place is only true if those Risks and mitigation elements (Controls, Policies, etc.) actually exist in the organisation and are tested regularly.
The only way to reflect the reality is by talking to people in your company and asking what there is and what there is not. Our documentation describes many methods to identify Risks, Controls, Policies, etc.
Often, we see GRC departments creating Policies, Controls, Risks, etc. in isolation. That is a big no, at least in eramba.
While it does seem that every organisation does "more or less the same", the reality is different. Two companies will both do account reviews, but the tools, people, frequency, and processes they use will be different. A banana and an apple are both fruits, but very different things.
GRC templates provide the community with "inspirational" material as to what Internal Controls and policies could be used to meet different compliance requirements. They should not be used "as is".
What we provide:
- For certain compliance packages (ISO, PCI, etc.), the typical Internal Controls and Policies that are used to meet them
- Internal Controls will include a testing methodology; remember that if you do not test Internal Controls you cannot know whether they work, and therefore you cannot know whether they are mitigating anything.
- Policies include Standards, Procedures and other documents. They include the typical content you will see in most policies.
The diagram above explains what is offered here when it comes to compliance. For every compliance requirement, you will have associated Internal Controls and Policies. You will also see the relationship between an Internal Control and a Policy: remember that in eramba, Internal Controls are activities that must be done systematically (like laptop encryption, change management, supplier registration, etc.) and therefore a process is required. How else can you test these activities if no process describes how the activity is supposed to be performed?
Our templates include Questionnaires used in the eramba Online Assessment module; they help us ask questions of different types of people based on different scenarios:
- Departments inside our organisation to perform a Risk Identification exercise
- Suppliers to identify what data is shared with them and what controls they have in place
- Customers to perform a "Gap Assessment" of their compliance with PCI-DSS