https://community.isc2.org/t5/Governance-Risk-Compliance/GRC-Tool-s/m-p/50085#M636 <P>I have been struggling to find a good resource for juggling GRC and ITAM in a better way than spreadsheet tracking for a few months now.</P><P>&nbsp;</P><P>I can easily create a risk register for a single system, and I can track my GRC compliance for an individual project in a separate spreadsheet fairly easily.&nbsp; However, attempting to tie-in/track the overall program risks (both IT and operational) is something that has proven too difficult for me to track this way.</P><P>&nbsp;</P><P>I'm curious about the solutions in use in this community (ISC² professionals) and if you have any recommendations of things to avoid or look into.</P><P>&nbsp;</P><P>I have tried my best to look into Eramba as so many people recommend it, but the time investment required to get it to a usable state is too much for me.&nbsp; I would much rather build a database from scratch than try to understand someone else's concept of what makes for a good GRC solution, but I do not have the time for that either.</P><P>&nbsp;</P><P>I need to be able to create a database of threats, link those to a database of targets, link those to departments and assign individual departmental impacts, and then generate a risk register.&nbsp; Ideally, I could already have a database that links assets to departments and assigns a criticality to that department's workflow so when I assign a threat to the asset I would not have to manually assign an impact to the various departments.</P><P>&nbsp;</P><P>Is there anything out there like that?</P> Mon, 09 Oct 2023 10:07:48 GMT noel 2023-10-09T10:07:48Z https://community.isc2.org/t5/Governance-Risk-Compliance/GRC-Tool-s/m-p/50085#M636 <P>I have been struggling to find a good resource for juggling GRC and ITAM in a better way than spreadsheet tracking for a few months now.</P><P>&nbsp;</P><P>I can easily create a risk register for a single system, and I can track my GRC compliance for an individual project in a separate spreadsheet fairly easily.&nbsp; However, attempting to tie-in/track the overall program risks (both IT and operational) is something that has proven too difficult for me to track this way.</P><P>&nbsp;</P><P>I'm curious about the solutions in use in this community (ISC² professionals) and if you have any recommendations of things to avoid or look into.</P><P>&nbsp;</P><P>I have tried my best to look into Eramba as so many people recommend it, but the time investment required to get it to a usable state is too much for me.&nbsp; I would much rather build a database from scratch than try to understand someone else's concept of what makes for a good GRC solution, but I do not have the time for that either.</P><P>&nbsp;</P><P>I need to be able to create a database of threats, link those to a database of targets, link those to departments and assign individual departmental impacts, and then generate a risk register.&nbsp; Ideally, I could already have a database that links assets to departments and assigns a criticality to that department's workflow so when I assign a threat to the asset I would not have to manually assign an impact to the various departments.</P><P>&nbsp;</P><P>Is there anything out there like that?</P> Mon, 09 Oct 2023 10:07:48 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/GRC-Tool-s/m-p/50085#M636 noel 2023-10-09T10:07:48Z https://community.isc2.org/t5/Governance-Risk-Compliance/GRC-Tool-s/m-p/50091#M637 <P>&nbsp;A question before I attempt to answer.</P><P>&nbsp;</P><P>Have you done Data and System Classification?</P><P>&nbsp;</P><P>The reason, I ask, is that I was faced with similar issues working for a Global corporation.</P><P>&nbsp;</P><P>I found many of my problems went away, once I classified the data and the systems (with the Business system owners).</P><P>&nbsp;</P><P>d</P><P>&nbsp;</P> Sat, 12 Mar 2022 05:49:58 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/GRC-Tool-s/m-p/50091#M637 dcontesti 2022-03-12T05:49:58Z https://community.isc2.org/t5/Governance-Risk-Compliance/GRC-Tool-s/m-p/50598#M661 I have used ComplyAssistant. Affordable and robust, and good risk register and tracking, and auto send nag emails, etc. Mon, 18 Apr 2022 15:06:19 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/GRC-Tool-s/m-p/50598#M661 jweller001 2022-04-18T15:06:19Z