Newcomer II

GRC Tool(s)

I have been struggling to find a good resource for juggling GRC and ITAM in a better way than spreadsheet tracking for a few months now.


I can easily create a risk register for a single system, and I can track my GRC compliance for an individual project in a separate spreadsheet fairly easily.  However, attempting to tie-in/track the overall program risks (both IT and operational) is something that has proven too difficult for me to track this way.


I'm curious about the solutions in use in this community (ISC² professionals) and if you have any recommendations of things to avoid or look into.


I have tried my best to look into Eramba as so many people recommend it, but the time investment required to get it to a usable state is too much for me.  I would much rather build a database from scratch than try to understand someone else's concept of what makes for a good GRC solution, but I do not have the time for that either.


I need to be able to create a database of threats, link those to a database of targets, link those to departments and assign individual departmental impacts, and then generate a risk register.  Ideally, I could already have a database that links assets to departments and assigns a criticality to that department's workflow so when I assign a threat to the asset I would not have to manually assign an impact to the various departments.


Is there anything out there like that?
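A minimal sketch of the data model described in the post, as an added example that is not part of the original thread: each asset carries its departmental criticality once, threats are linked to assets, and both the risk register and the per-department impacts are derived from those links rather than entered by hand. All asset, threat and department names and scores are constructed sample values.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed sample data: asset -> departments whose workflows depend on it,
# each with a criticality score 1-5 entered once, when the asset is onboarded.
ASSET_DEPARTMENTS = {
    "erp-db": {"Finance": 5, "Operations": 3},
    "mail-gateway": {"Finance": 2, "Operations": 2, "HR": 4},
    "hr-portal": {"HR": 5},
}

# Threat catalogue: threat -> likelihood score 1-5 (constructed values).
THREATS = {"ransomware": 4, "credential-phishing": 5, "hardware-failure": 2}

# The only link the analyst makes per threat: which assets it applies to.
THREAT_ASSETS = {
    "ransomware": ["erp-db", "hr-portal"],
    "credential-phishing": ["mail-gateway", "hr-portal"],
    "hardware-failure": ["erp-db"],
}

@dataclass
class RiskEntry:
    threat: str
    asset: str
    likelihood: int
    impacts: dict  # department -> criticality inherited from the asset

    @property
    def score(self) -> int:
        # Risk score = likelihood x criticality of the worst-affected department.
        return self.likelihood * max(self.impacts.values())

def build_register():
    """Derive the risk register; departmental impacts come from the asset."""
    register = []
    for threat, assets in THREAT_ASSETS.items():
        for asset in assets:
            impacts = dict(ASSET_DEPARTMENTS[asset])  # inherited, not re-entered
            register.append(RiskEntry(threat, asset, THREATS[threat], impacts))
    return sorted(register, key=lambda r: r.score, reverse=True)

def department_exposure(register):
    """Program-level view: summed likelihood x criticality per department."""
    exposure = defaultdict(int)
    for r in register:
        for dept, crit in r.impacts.items():
            exposure[dept] += r.likelihood * crit
    return dict(exposure)

if __name__ == "__main__":
    reg = build_register()
    for r in reg:
        print(f"{r.score:>2} {r.threat:<20} {r.asset:<13} {r.impacts}")
    print(department_exposure(reg))
```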

Community Champion

A question before I attempt to answer.


Have you done Data and System Classification?


The reason I ask is that I was faced with similar issues working for a global corporation.


I found many of my problems went away once I classified the data and the systems (with the business system owners).


Newcomer I

I have used ComplyAssistant. Affordable and robust, with a good risk register and tracking, and it auto-sends nag emails, etc.