
7 Configurable Features Every Modern GRC Platform Should Have

From frameworks and risk assessment levels to integrations for evidence tracking, these seven must-have configurable features will help you optimize your GRC platform implementation.

by Shera Brady

April 02, 2025
Contents

  • What are GRC Platforms?

  • Why is Customization in a GRC Platform Important?

  • 7 Configurable Must-Have Features to Look For in a GRC Platform

  • How Drata helps you customize your compliance

When people hear the word compliance, they often think about a long list of strict actions and controls that their business needs to take. However, cybersecurity and data privacy laws and compliance frameworks are typically based on an organization’s risk assessment. This approach means that compliance is often related to a business’s unique operations, vertical, and risk tolerance. 

At its core, your Governance, Risk, and Compliance (GRC) platform should allow you to automate the time-consuming manual tasks related to compliance and audits. Since your security and privacy controls are unique to your organization, you need technologies that provide customization. In an environment where one size does not fit all, customization is no longer a luxury but a necessity.


What are GRC Platforms?

GRC platforms are solutions that help organizations manage their governance processes, risk assessments, and control mapping to reduce compliance burdens, like time spent gathering audit documentation. At minimum, a GRC platform should offer the following basic features:

  • Third Party Risk Management: Evaluate and mitigate risks from external partners.

  • Policy Management: Simplify the creation and distribution of company policies.

  • Compliance Processes: Streamline efforts to meet industry standards and reduce manual processes.

  • Risk Assessments: Regularly evaluate potential risks to the business.

  • Compliance Tracking: Monitor and report on compliance efforts in real-time.

GRC platforms enable organizations to integrate business objectives into their compliance programs, offering benefits like:

  • Single Platform: Centralize various compliance activities, audits, and risk management tasks.

  • User Experience: Intuitive interfaces boost user adoption.

  • Real-time Insights: Offer immediate data analysis for informed decision-making.

  • Customizable Workflows: Adapt to fit unique business needs.

By managing tasks in a centralized location, organizations can more easily align their audit processes and compliance programs to data protection and cybersecurity regulations and frameworks. 

Why is Customization in a GRC Platform Important?

Most compliance mandates start from a foundation of risk, which means that no two organizations will handle their compliance the same way. Since every business has unique compliance processes and regulatory requirements, customizable features allow them to tailor the platform to their specific needs and business objectives.

Customizable workflows streamline compliance activities, reducing manual effort and enhancing the user experience. By providing various compliance frameworks, the platform lets you track your compliance efforts while documenting your activities, like managing third-party vendor risks or monitoring control effectiveness.

A platform with configurable features offers real-time insights based on your risk assessment and security controls to help you:

  • Map controls across multiple regulations and frameworks that apply to your business.

  • Make informed decisions. 

  • Support internal and third-party audit documentation and processes.

7 Configurable Must-Have Features to Look For in a GRC Platform

To meet the unique needs of modern organizations, a GRC platform should offer configurability and adaptability.

1. Frameworks

A robust list of frameworks that the platform supports is the bare minimum for any GRC platform. As your business scales, you may move into new customer verticals that come with their own unique cybersecurity and data protection compliance requirements. 

Some key regulations, industry standards, and frameworks include:

  • CCPA: California Consumer Privacy Act

  • CMMC: Cybersecurity Maturity Model Certification

  • DORA: Digital Operational Resilience Act

  • GDPR: General Data Protection Regulation

  • ISO 27001: Information Security Management

  • ISO 27701: Privacy Information Management

  • NIST CSF: National Institute of Standards and Technology Cybersecurity Framework

  • NIST SP 800-171 Rev. 2: Protecting Controlled Unclassified Information

  • NIST SP 800-53: Security and Privacy Controls for Information Systems

  • PCI DSS v3.2.1: Payment Card Industry Data Security Standard

  • PCI DSS v4.0: Updated Payment Card Industry Data Security Standard

  • SOC 2 2017: System and Organization Controls

2. Risk or Requirement Level

Organizations have different needs, capabilities, and maturity levels. A small organization often has more limited resources than a large enterprise. Many frameworks and regulations take this difference into consideration, establishing different tiers of compliance or requiring different levels of program maturity. 

Some examples of compliance frameworks with different tiers include:

  • CMMC: Options include Level 1 and Level 2.

  • NIST 800-53: Control Baselines available are Security - Low, Security - Moderate, and Security - High.

  • FFIEC: Maturity Levels range from Baseline to Innovative.

A GRC platform should allow you to tailor your compliance management with tiered requirements by allowing you to select the appropriate security or maturity levels. This configuration makes it easier for you to:

  • Select controls that match your risk tolerance and risk management strategy.

  • Allocate resources more effectively by focusing on the appropriate requirement levels.

  • Reduce complexity and administrative costs by focusing only on the relevant controls.

3. Controls Outside a Framework

Compliance is not security. Compliance frameworks offer baseline requirements for basic cyber hygiene. You may want to implement controls beyond the ones your chosen framework requires, for reasons such as:

  • Addressing unique risks.

  • Aligning with internal policies.

  • Adapting to evolving threats. 

Look for a platform that offers the ability to create and manage custom controls. It should be able to provide the same monitoring capability without mapping the control to a specific requirement. This functionality allows you to centralize the management of all security-related controls for a unified view of your compliance and risk management efforts.

4. Marking Controls as Out of Scope

Marking certain controls as “out of scope” is often related to your business objectives or unique environment. For example, some reasons to mark controls as out of scope include:

  • Using multiple frameworks: Some controls may not apply to all your chosen compliance frameworks, so marking them out of scope lets you customize your audit reporting and documentation. 

  • Organizational risks: You may choose to focus on the security controls that respond to the highest risks facing your organization and mark controls responding to low-risk or no-risk issues as out of scope. 

  • Resource optimization: Excluding unnecessary controls allows you to reduce your compliance program’s complexity, making it more manageable and cost effective. 

A GRC platform should allow you to determine the controls that are appropriate for your audits, like selecting desired controls using a checkbox or clicking on an icon. These capabilities help concentrate your compliance efforts on relevant controls. 

5. Custom Controls

Your business is unique. Even within the confines of compliance requirements, tailoring your compliance and risk management strategies may require creating a custom control. Custom controls can help you:

  • Address specific risks: Your organization may have unique risks based on your business operations that require controls outside the ones listed in a compliance framework.

  • Align with internal policies: Mapping your compliance efforts to both internal policies and external compliance requirements promotes a cohesive governance structure. 

  • Operational efficiency: Focusing on controls that directly relate to your business and operations enables you to streamline processes. 

When choosing a GRC platform, you should make sure that it allows you to:

  • Define controls and their details, like specifying the name, applying a code to it, or describing its purpose and application.

  • Map to framework requirements to align with your overarching compliance initiatives.

  • Attach supporting evidence, like policies, reports, or uploaded external files, to prove the control's implementation works as intended.

6. Custom Tests

Just like you may need custom controls, you may want to have custom tests to document their effectiveness. Custom tests allow you to:

  • Tailor your compliance monitoring: Design monitoring to align with your specific compliance needs, including all unique requirements. 

  • Automate manual processes: Reduce human error risk and save time by bringing manually monitored controls into your automation. 

  • Gain control over security: Improve oversight and assurance by monitoring your custom security controls and ensuring they function as intended.

Some use cases for custom tests include:

  • Monitoring daily backup status: Implementing a custom test to verify the successful execution of daily backup jobs ensures data integrity and availability.

  • Reviewing user access privileges: Custom tests can be designed to regularly assess user access levels, ensuring compliance with the principle of least privilege and enhancing security.

  • Verifying anti-malware deployment: Creating tests to confirm the deployment and functionality of anti-malware solutions helps maintain a robust security posture.

  • Ensuring alert systems for critical failures: Custom tests can verify the existence and functionality of alerting systems that notify personnel of critical system failures, facilitating prompt response and mitigation.

7. Integrations for Evidence and Tracking

A GRC platform makes compliance easier by automating your time-consuming manual tasks, especially when you need to gather audit documentation. To gain the most value from your platform, it should have native integrations with the business and cybersecurity technologies that your organization uses. 

For example, a GRC platform should offer integrations with categories of technologies like:

  • Cloud Service Providers, like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)

  • Identity Providers (IdP), like Microsoft 365, Google Workspace, and Okta

  • Human Resources Information Systems (HRIS), like BambooHR, Gusto, and Justworks

  • Version Control Systems, like GitHub, GitLab, and Bitbucket

  • Project Management Tools, like Jira, Asana, and ServiceNow

  • Security Tools, like CrowdStrike, Lacework, and KnowBe4

How Drata helps you customize your compliance

Drata’s GRC platform makes customization easy, so you can implement a compliance program tailored to your business operations and risk. Our platform provides:

  • Custom risk scoring so you can define and configure your risk scores and thresholds to your business needs.

  • A risk drawer that allows you to edit and add risk data, including descriptions, categories, owners, documents, and impact.

  • Automated treatment plans based on your unique risks’ impact and likelihood.

  • Custom frameworks so you can easily and quickly bring in requirements related to your unique business needs.
