There is an organization which has a solution to the next steps after  you have some compliance set up: OCEG with their pdf  “A Maturity Model For Integrated GRC”

First page of report:



As in title the goal is integrated GRC  where the company business goals are intertwined with Compliance, Risk, and Governance. It turns out this organization has been working on integrated GRC for a while now (founded in 2002)


Well, assuming you have GRC – Governance, Risk, Compliance or at least a little bit, like you started a PCI compliance program or a HIPAA compliance program , or another compliance program it is a good start.  Of course you can hear a ‘but’ in this line of thinking…

Or rather now what? having an initial compliance program is nice, working on security is also nice.  So let’s be more secure while being compliant.

The idea is to integrate GRC and Security with business goals.  Now I can say that in one sentence, but the actual hard work of getting to integrated GRC is not easy.


Imagine every time you make a potential decision now you will also think about the compliance and security implications. Too draconian for you?  I can easily add keep your customer data private (within privacy laws).


Notice the idea is to make this a goal of the organization with the understanding that it is not going to be easy as many decisions are made without compliance or risk being thought of.

How else does one think of security while making decisions?

And this is the real reason to introduce an integrated GRC methodology

Buying new products, installing products, creating new services and products and on and on. Every decision could be the next point of GRC issue.  You may not be aware of it until it happens and the IT department asks the million $ question.  “How does this issue affect” Security?

And right after that question IT or your compliance department will ask how to keep the new program compliant.

It might be second nature to you, but it may not. I like the structured methods of OCEG, and it bears further review and understanding.


Contact Us to discuss your potential GRC issues.


By zafirt

One thought on “We Set Up Compliance Policies! Now What?”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.