A policy is a document that defines an internal practice which processes must follow.
The Policy [grc_policy] table extends Knowledge [kb_knowledge], so each policy is stored in the
Knowledge Base and can be accessed in the same way as any other published article.
Standards and Standard Operating Procedures
GRC offers two additional policy classes, called Standards and Standard Operating Procedures,
which define specific practices at different levels within an organization.
To manage the elements of a policy, a policy class can be associated with:
- Scopes that define the level for which a policy class applies.
- Authority documents and citations to which a policy class applies.
- Risks associated with compliance failures.
- Controls that enforce the policy class and mitigate identified risks.
GRC Policy enforcement
After policies are defined, there are two processes available for ensuring that their
provisions are followed:
- Risk management: After risks are defined, they can be managed using
Controls and Control Tests to protect against the consequences of breaching policies.
- Audits: After all the processes for policies have been defined,
audits can be performed to confirm that those processes are being carried out properly.