GRC: Governance, Risk and Compliance

Controls

GRC-01: Governance Program Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually.

GRC-02: Risk Management Program

Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks.

GRC-03: Organizational Policy Reviews

Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization.

GRC-04: Policy Exception Process

Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.

GRC-08: Special Interest Groups

Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context.