Technical controls protect systems; governance, risk, and compliance (GRC) is what aligns those controls with the business and proves to auditors, customers, and regulators that you're running a credible program.
Governance vs Risk vs Compliance
| Discipline | Core question |
|---|---|
| Governance | Who decides? What are our objectives, policies, accountabilities? |
| Risk Management | What could hurt us, how badly, how likely, and what do we do about it? |
| Compliance | Are we meeting laws, regulations, contracts, internal policies? |
Compliance is a useful side-effect of a real security program, not the goal. "Compliant but breached" happens regularly when organisations chase audits instead of outcomes.
The Policy Hierarchy
- Policy — high-level "what" and "why". Approved by leadership.
- Standard — mandatory specifics. "All passwords must be at least 12 characters."
- Procedure — step-by-step "how". "Onboarding a new employee: steps 1–14."
- Guideline — recommended best practice; not mandatory.
NIST Cybersecurity Framework (CSF) 2.0
The most widely used framework outside compliance-mandated industries. Six functions (Govern was added in 2.0):
- Govern — establish, communicate, and monitor cybersecurity strategy and risk management
- Identify — understand assets, risks, supply chain, regulatory requirements
- Protect — access control, awareness training, data security, maintenance
- Detect — anomaly and event detection, continuous monitoring
- Respond — incident response planning, communications, analysis, mitigation
- Recover — recovery planning, improvements, communications
Each function breaks down into categories and subcategories with concrete outcomes — flexible enough for any size organisation.
ISO 27001 and 27002
- ISO/IEC 27001 — specifies an Information Security Management System (ISMS). Certifiable. Requires risk assessment, Statement of Applicability, controls, internal audits, management review, continual improvement.
- ISO/IEC 27002 — accompanying control catalogue (93 controls in the 2022 revision, organised into Organisational, People, Physical, Technological themes).
An ISO 27001 certification is recognised globally — common for European and international B2B sales.
SOC 2
System and Organization Controls 2 reports, issued by AICPA. The lingua franca of B2B SaaS in the US.
- Type 1 — controls are designed appropriately at a point in time. Faster to obtain.
- Type 2 — controls operated effectively over a period (typically 6–12 months). What enterprise customers actually want.
Five Trust Services Criteria — pick which apply:
- Security (mandatory)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Compliance-automation platforms (Vanta, Drata, Secureframe) have made SOC 2 readiness dramatically faster for startups by integrating with cloud providers and pulling evidence automatically.
PCI DSS
Payment Card Industry Data Security Standard. Required if you store, process, or transmit cardholder data. v4.0 has 12 high-level requirements; the easiest path is usually to not handle card data — use a tokenising provider like Stripe so PCI scope shrinks to a few pages of self-assessment.
HIPAA
US healthcare privacy and security law. Covers Protected Health Information (PHI). Three rules:
- Privacy Rule — limits use and disclosure of PHI
- Security Rule — administrative, physical, technical safeguards
- Breach Notification Rule — notify affected individuals and HHS
Cloud providers offer Business Associate Agreements (BAAs) and HIPAA-eligible service lists.
GDPR (and Privacy Laws Generally)
EU's General Data Protection Regulation, in force since 2018. Applies to any processing of EU residents' personal data, regardless of where the processor sits.
Key concepts:
- Lawful basis for processing — consent, contract, legal obligation, vital interests, public task, or legitimate interest
- Data subject rights — access, rectification, erasure ("right to be forgotten"), portability, objection
- Data Protection Officer (DPO) — required for some organisations
- 72-hour breach notification to the supervisory authority
- Penalties up to €20M or 4% of global annual revenue
Similar regimes elsewhere: UK GDPR, CCPA/CPRA (California), LGPD (Brazil), POPIA (South Africa), PIPEDA (Canada), various US state laws.
Other Frameworks Worth Knowing
- CIS Controls v8 — pragmatic 18-control list, ordered by impact. Good starting point.
- FedRAMP — required to sell cloud services to US federal agencies. Three impact levels (Low/Moderate/High). Painful and expensive.
- HITRUST CSF — healthcare-flavoured, popular with US health systems
- ISO 27017 / 27018 — cloud and personal-data extensions to ISO 27001
- NIS2 — EU directive raising the bar for critical sectors
- DORA — EU financial-sector resilience regulation
Risk Management
Standard process (per NIST 800-30 or ISO 27005):
- Identify assets, threats, vulnerabilities
- Assess likelihood × impact = inherent risk
- Decide response: mitigate, transfer (insurance, vendor), avoid, or accept
- Implement controls; calculate residual risk
- Monitor and review
Document it in a risk register and review at a fixed cadence. Track control coverage to ensure nothing falls through the cracks.
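The loop above as a small risk register, added here as an illustration rather than code from any framework or tool: it scores likelihood × impact as inherent risk, credits mapped controls to get residual risk, and flags coverage gaps against a risk appetite. The appetite threshold, control-effectiveness figures and register entries are constructed for the example.

```python
from dataclasses import dataclass, field

RISK_APPETITE = 6  # constructed threshold: residual score <= 6 is acceptable without escalation

@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"  # mitigate | transfer | avoid | accept
    controls: dict = field(default_factory=dict)  # control name -> effectiveness 0.0..1.0

    def inherent(self):
        # Inherent risk = likelihood x impact, before any control is credited
        return self.likelihood * self.impact

    def residual(self):
        # Avoidance stops the activity; otherwise each mapped control (assumed
        # independent) removes its share of the remaining risk
        if self.treatment == "avoid":
            return 0.0
        remaining = 1.0
        for effectiveness in self.controls.values():
            remaining *= 1.0 - effectiveness
        return round(self.inherent() * remaining, 2)

def coverage_gaps(register):
    # Entries whose treatment has no control behind it, or whose credited
    # controls still leave residual risk above appetite
    gaps = []
    for r in register:
        if r.treatment in ("mitigate", "transfer") and not r.controls:
            gaps.append(f"{r.rid}: treatment '{r.treatment}' has no control mapped")
        elif r.residual() > RISK_APPETITE:
            gaps.append(f"{r.rid}: residual {r.residual()} exceeds appetite {RISK_APPETITE}")
    return gaps

def prioritised(register):
    # Review order for the fixed-cadence risk meeting: highest residual first
    return [r.rid for r in sorted(register, key=lambda r: r.residual(), reverse=True)]

# Constructed sample register (illustrative values, not from any real assessment)
REGISTER = [
    Risk("R-01", "customer DB", "credential stuffing", 4, 5, "mitigate",
         {"MFA": 0.8, "login rate limiting": 0.5}),
    Risk("R-02", "staff laptops", "theft", 3, 3, "transfer"),  # insurance never mapped
    Risk("R-03", "build server", "dependency compromise", 3, 4, "mitigate", {"SCA scanning": 0.4}),
    Risk("R-04", "marketing site", "defacement", 2, 2, "accept"),
]
```

Running `coverage_gaps(REGISTER)` surfaces R-02 (a transfer decision with nothing mapped to it) and R-03 (a control credited, but residual still over appetite), which is exactly the "fell through the cracks" case a cadence review should catch.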
Business Continuity and Disaster Recovery
- BCP (Business Continuity Plan) — keeping critical functions running during disruption
- DRP (Disaster Recovery Plan) — restoring IT systems after disruption
- RTO (Recovery Time Objective) — how fast must we be back?
- RPO (Recovery Point Objective) — how much data loss is acceptable?
Test the plans. Untested plans are wishes, not plans.
Third-Party Risk
Your security posture is only as strong as your vendors'. Standard practices:
- Security questionnaires (SIG, CAIQ) before signing contracts
- Review SOC 2 reports and penetration test summaries
- Contractual obligations: breach notification windows, audit rights, subprocessor disclosure
- Continuous monitoring of vendors via tools like SecurityScorecard or BitSight