GRC stands for: Governance, Risk and Compliance.

It’s important to understand that this is different to corporate governance and corporate GRC as those are broader areas.

Governance is about the rules and procedures that an organisation has in place to manage cyber security risk. This includes things like having a security policy, appointing a Chief Information Security Officer (CISO), and setting up a risk management committee.

Risk management is about identifying, assessing, and prioritising potential security risks to an organisations assets. This includes things like identifying what data is important to the organisation, assessing the risks to that data, and prioritising the risks that need to be addressed first.

Compliance is about ensuring that an organisation is following the relevant laws, regulations, and standards in the area of cyber security. This includes things like complying with data privacy laws, industry-specific regulations, and best practice standards.

Let’s Simplify GRC

Imagine that you are the owner of a house. You want to protect your house from theives, so you put in a security alarm system. This is governance. You also want to make sure that your house is not too easy to break into, so you install locks on all the doors and windows. This is risk management. And finally, you want to make sure that your house is in compliance with all the relevant building codes and council regulationa. This is compliance.