What is the system?

GRC-ISMS plus is a cloud based Governance, Risk and Compliance system that is designed to help staff engage with an organisation’s information governance programme. The system provides a range of services to automate and simplify governance tasks.

Advantages of the integrated GRC-ISMS plus

GRC-ISMS plus, an integrated GRC system helps senior management demonstrate data protection leadership by:


1) Providing Improved Control - A centralised system to coordinate privacy management and the proactive control of cyber security risks

2) Getting all staff involved - Provide staff with tools to manage & safeguard information.

3) Improved Risk Management & Faster Breach identification - Integrate information from other security products

4) Improved Reporting & Compliance - Provide reports and an audit platform to monitor the Information governance programme as required by DPA, GDPR, PCI, IG Toolkit etc.


About the GRC System

The GRC-ISMS is self-service, meaning staff are encouraged to enter and maintain the information pertinent to themselves. This lessens the burden on key governance staff. The system has extensive reporting and alerting facilities designed to help people ‘manage by exception’.

The GRC-ISMS is designed to report on governance by presenting a visual dashboard featuring, real-time displays of pertinent information to relevant staff, to help support better decision making.

At the heart of the GRC-ISMS is the asset register. This facilitates the creation of a record of all assets, which can then be stored and risk assessed. Assets can be anything of value but would typically include Infrastructure assets containing personal information such as databases, and files stores. The assets will also include staff, together with supply organisations etc. The objective is to create records so that the risks to the organisation can be identified and managed more effectively.

The GRC-ISMS consists of a number of integrated modules (see side panel). Each module can be turned on or off depending upon client’s needs. Access is strictly controlled with extensive role based rights management to ensure only authorised personnel have access to the relevant service.

The GRC-ISMS links to well-known and trusted 3rd party cyber security products including vulnerability server scanning and privilege management.

information governance dashboard information governance dashboard


What does the system do?

Each User has a My Governance portal with access to the following services:




Enables staff to record and maintain correct contact info etc. A ACAS based HR module is available

lets staff record Absence & when they are out

enable staff to record the assets for whom they are the custodian. (i.e. user)

see entry below – what ‘Staff Briefings’ have been sent to the staff member

the systems to which the user is authorised to use

the policies, procedures & guidelines the user has been asked to agree to & follow

the ability to record an incident

the staff member’s induction programme listing the milestones they need to complete. Each milestone is selected when complete and reported on if a threshold is passed

enables staff to register a SAR and pass it to the relevant management group to deal with

means of registering flows of personal data shared with others. Gives access to the list of approved data sharing organisations


Several services are restricted on a ‘need to know basis'. Services available when ‘rights are assigned’ include:




Full asset register with barcode recognition etc.

Establishing an accurate and up-to-date asset register is a key process within all information governance programmes. The GRC-ISMS Asset Register is a comprehensive platform that enables items to be recorded and tracked. The asset register integrates with other GRC-ISMS modules to facilitate efficient risk assessments, effective business continuity and others.

Enable IAO’s to have visibility and approve users for system access

Making sure that only authorised staff have access to company systems is a fundamental governance requirement. The GRC-ISMS Authorisations module provides the facility for staff system authorisation requests to be processed and tracked. The authorisations module provides the workflow mechanism for system owners to approve who gets access to what systems and the appropriate assigned level of system rights. By having the Authorisations recorded in a separate management system, this facilitates simple auditing and verification of user accounts on the target system.

Audits can be described, scheduled, tracked, reported and alerted

Keeping track of user events helps ensure system integrity, helps solve day-to-day enquires and provides insight as to how the system helps support the business. Within the GRC-ISMS system, User events are categorised and recorded in Audit logs that are made available to selected users via the user’s assigned system rights.

Provides central control of location BC plans with integration with BC Team , Supplier Management etc

Third party supplier organisations are recorded and risk assessed. It includes the facility for an automatic update from the Supplier contacts. Key suppliers are factored in the Business Continuity module

Enables authorised changes to systems to be recorded and managed- links to Privilege Management

The system integrates with other 3rd party cyber security products to enable senior management to have top-down visibility of current risks enabling them to be monitored and alerted on when risks exceed agreed thresholds

Means of recording and processing of FOI & SAR requests

SAR's must be responded to within the 40 day mandatory period. It’s vital that organisations take steps to establish processes to handle Subject Access Requests and that they are responded to in a prompt and organised manner. The GRC-ISMS SAR Management Module ensures that SARs are managed in a consistent process so that they are dealt with promptly and progress is tracked and reported upon.

e.g. for Joiners- an induction facility for new staff with steps defined, tracked & alerted on

When new staff join an organisation or leave or move between departments there are often prescribed tasks to be undertaken. Some of these tasks may be required for statutory reasons such as Health & Safety for operational reasons or as part of a Governance, Risk or Compliance programme. In all these instances it’s important for both the staff member and the management team that the tasks or steps are completed within the required timeframe. This makes for better operations, by promoting consistency and helps ensure that tasks are completed within the required target time. Moreover variances are highlighted and relevant staff are notified with sufficient time so that problems can be minimised. The GRC-ISMS provides support for managing joiners, leavers and those changing their job roles.

A integrated Learning Management System (LMS) for the creation of eLearning courses. The system has a 6 module Data Security suite which is available in a short and long duration versions- The long version has questions and final exam with PDF certificate. The LMS can be used to create courses (additional license required)

The GRC-ISMS has a built-in LMS (Learning Management System) for the administration and delivery of eLearning courses. The GRC-ISMS LMS module also tracks and reports on the courses users have undertaken. Users complete courses at their own pace and do not have to complete a course in a single session. The system has the facility to enable clients to build their own courses.

A facility to monitor and control data shared with other organisations. Approval is handled by the backend workflow

Project task module to record and schedule tasks for projects

Enables documents to be converted to HTML for display on popular browsers. The system has many features including recording staff agreement to the document, version control etc.

A reporting module that enables specific reports e.g. assets by department, to be formulated and printed. All reports include data classification, the name of the person printing etc.

Enables Risk Assessments to be undertaken on assets, suppliers etc. The Risk Assessment detail can be varied.

Organisations need to understand and manage their risk exposure and take steps to reduce risks when they exceed their agreed risk thresholds. This means organisations need to identify their information assets and understand the potential threats to which their assets are exposed and assess the likelihood of these threats materialising. Using this knowledge, they can decide upon their risk priorities and take steps to ensure risk level thresholds are not exceeded. Organisation will mitigate risks by implementing appropriate controls to reduce risks to within acceptable levels. This methodology is also known as taking a ‘risk based approach’ and forms the basis of most data protection compliance regimes e.g. Information Commissioners Office Guidance, General Data Protection Regulation, ISO27001, Payment Card Industry Data Security Standards (PCI-DSS) etc, etc. The GRC-ISMS provides a risk assessment process to identify potential risks that an asset can be exposed. There are a number of levels to cater for a clients risk assessment needs from a ‘simple risk assessment’ right through to an ISO27005 (BSI licensed) risk assessment.

A online display of the Risk Dashboard – displays risks in / out of scope, risk posture, risks per asset with a risk level above the acceptable level etc.

Means of staff to record incidents which can then be assessed, tracked, reported on and managed to resolution

It’s vital that staff have an easy way to report incidents affecting their work. The GRC-ISM provides all staff with a ‘My Incidents’ page where Security, Health & Safety and other categories of incidents can be entered and tracked. Once an incident is reported, the relevant team is notified and the Incident Management process is engaged.

A ITIL based register of services available to staff e.g. the governance system, the account system etc.

Organisations typically have a range of services that are made available to staff to ensure that they can perform their job role. The GRC-ISMS Service Catalogue displays a list of available electronic services that staff utilise for the ongoing operation of the organisation.

a communication facility to send staff a relatively short briefing and include questions to test their comprehension. Results of staff responses and a central record are available on the Staff Briefings dashboard.

Staff awareness is a key component of any Governance, Risk and Compliance programme. Personnel need to be updated and kept informed of issues that can impact the organisation and their role. The GRC-ISMS Staff Briefings Module consists of a single webpage briefing delivered to staff which incorporates a optional multiple choice question to test their understanding and comprehension of the topic. Staff briefings can be sent to everyone or targeted to staff within specific Departments, Locations or Teams. Responses are aggregated and graphically displayed to relevant management staff. Responses can indicate where knowledge is limited and further training and/or development activities should be considered. The update messages are delivered as part of the GRC-ISMS system and displayed within the ‘My staff briefing’.

enables staff training records to be compiled and reported on

When staff undertake training, its vital that the training activities are recorded and held on a centralised system which is available to HR and others for reference. The GRC-ISMS Training Record Module enables staff and managers to record training whether it is undertaken with external trainers or as part of an in-house programme. If the training is delivered by the GRC-ISMS LMS, e.g. ‘Data Protection - a matter for everyone’ all courses undertaken and all access are automatically recorded. Users can also record CPD training course attended.

The system automatic optional email notifications are designed to improve efficiency which can be used to alert staff (and or their managers) when thresholds are broken e.g. when a new starter has not completed their mandatory induction steps by the agreed date.

Organisations must respond and adapt when events occur. It’s vital that important events are not forgotten but rather the relevant staff are notified and these ‘events’ are dealt with in line with policy. The GRC-ISMS Notifications engine provides the mechanism to inform relevant staff that something has occurred. Typically a notification is sent when a management threshold has been exceeded e.g. risk values for information assets exceed the agreed acceptable level, a system holding sensitive information is removed from the network, an insurance policy is within 1 month of its renewal date etc, etc. The notification can be via email or in some instances SMS or instant messaging e.g. Slack or Hip Chat. The important outcome is that matters and events concerning the Governance, Risk and Compliance obligations of the organisation are not forgotten, are tracked and relevant staff have visibility via online dashboards. This helps build a governance culture where all staff are involved.

The system enables staff, assets, training, staff briefing, business continuity, etc. to be targeted for reporting or service availability purposes

The system logs the vast majority of system events e.g. when users login, access a record or service etc. Confidentiality monitoring is provided.

Keeping track of user events helps ensure system integrity, helps solve day-to-day enquires and provides insight as to how the system helps support the business. Within the GRC-ISMS system, User events are categorised and recorded in Audit logs that are made available to selected users via the user’s assigned system rights.


E-Learning Data Protection Training

Integrated Compliance training

Versions of GRC-ISMS plus

The governance system is available in three versions. The table below illustrates what features are available in each version. The optional modules are available for each version. Contact us for details.

Feature Risk Manager Basic Premium Healthcare Enterprise Optional
Staff, Joiners & Leavers
Induction Process
Asset Register
Asset Auto Discovery
Training Records
Staff Briefings
Policy Management, Distribution & Response
Policy Template Packs
Notifications
Induction Process
Organisation Chart
Confidentiality Monitoring
Audit Log
Dashboard & Reports
Departments & Teams
Locations (Number included in base license)
2
2
5
5
10
Feature Risk Manager Basic Premium Healthcare Enterprise Optional
Incident Management Reporting & Management
Subject Access Request Reporting & Management
Task Scheduling
Audit Module
Service Catalogue
Data Catalogue
Threat Assessment
Risk Assessment Advanced
Risk Assessment (ISO 27005)
Data Flows
3rd Party Information Transfer Tracking
Clinical Staff
Revalidation
Information Governance Toolkit Aware
Authorisations
Business Continuity
Supplier Management
Learning Management System (LMS)
Learning Management System (LMS) Course Builder
DPA & Information Security Training Course
3rd Party Security Connector API