Information security that protects data... mitigates your risks... assures compliance... builds operational resilience... preserves your reputation... gives you a competitive advantage!
Features of the Information Security Management Module
Get information on the numbers and types of assets, the status of security controls, the results of security audits, and the risk status of information security. Monitoring these metrics identifies potential vulnerabilities and risks so that action can be taken.
Advantages and added value for your organization







Discover all our solutions around GRC / Risk / Resilience
Create the foundation for a successful GRC strategy. With the GRC Toolbox, you can gradually extend your digital governance, risk and compliance processes to all other GRC areas.
Integrated Design
Purchase what is IMPORTANT to you, and build as you grow!
Loaded with Features
Variety of Deployments
Deploy on-premises, in the cloud, or modularly through our managed as-a-service delivery!

FACTS & FIGURES
The SwissGRC Toolbox delivers a modular, scalable platform for Governance, Risk, and Compliance management. With 20+ modules covering risk assessment, policy management, vendor oversight, and compliance tracking, it improves operational efficiency by up to 40%. Trusted by global enterprises in finance, healthcare, and insurance.







This function of the GRC Toolbox covers the identification and recording of an organisation’s critical assets (processes, information, secondary assets). The objective of the protection needs analysis is to determine the need for protection based on the identified assets and, consequently, to define appropriate security measures. The GRC Toolbox is often used to accompany the security process in the context of projects with questionnaires, checklists and workflows and thus to comply with the security and privacy by design principle.
With our new feature, you can now easily keep track of your asset landscape. Track the complex connections between your assets, including processes, data, systems, applications, and other resources, and see how changes to one asset can impact others. Identify vulnerabilities, risks, and potential bottlenecks to proactively close security gaps and optimize your business operations.
The GRC Toolbox Control Assessment is a tool that can provide a quick overview of the existing security level. With the help of a questionnaire, the status of an asset is determined and presented in relation to the degree of fulfillment of the defined security requirements. As a result, the degree of coverage becomes visible and potential areas for improvement or necessary exceptions to security requirements are identified. If required, questionnaires can also be used to carry out detailed risk analyses and, if necessary, to initiate extended security measures.
The GRC Toolbox has a comprehensive risk management function in accordance with ISO/IEC 27001 and ISO/IEC 27005. Risks can be recorded, analysed, evaluated, prioritised and their treatment planned and executed with the help of workflow support. With dashboards and risk matrices, the risk situation of information security can be made visible at any time.
With the GRC Toolbox, security events and incidents can be recorded and assessed and their handling tracked. In terms of comprehensive incident documentation, causes, effects, and affected assets can be described and the link to risk management can also be made to show the cause-event-impact chain.
Exception management is the process of handling and approving exceptions to an organisation’s established security policies and controls. The GRC Toolbox actively supports identifying exceptions, assessing their impact on the organisation’s security, approving them and monitoring their deadlines. Exception management is an important part of the ISMS as it ensures that exceptions are only approved in exceptional cases and that the impact on the organisation’s security is controlled.
The GRC Toolbox offers the possibility to centrally record, describe and assess identified vulnerabilities and to link them to affected assets and risks. The identified vulnerabilities can also be processed by means of workflow support to ensure a consistent process for the treatment of vulnerabilities.
Policy management is the process of developing and implementing policies for information security (and other areas). In this context, the GRC Toolbox with its comprehensive DMS helps to draft the policy documents, review them, have them approved, check that they remain current and appropriate when changes occur or during regular operation, and make adjustments if necessary. For ISO/IEC 27001 certification, the policy documents can be referenced in the Statement of Applicability (SoA).
The GRC Toolbox includes a number of important standards and frameworks, among them ISO/IEC 27001, NIST Cybersecurity Framework, BSI Standards, IT-Security Baseline, CIS Controls, PCI-DSS, SCF, etc.
Internal audit management refers to the planning, execution and monitoring of internal information security audits. With the GRC Toolbox, audits can be recorded centrally and carried out by means of assessments, and their results (findings and improvement measures) can be documented and implemented.
For ISO 27001 certification projects as well as for the maintenance of certifications, the GRC Toolbox supports the entire spectrum of establishing and operating an information security management system (ISMS). It helps to fulfill both the normative requirements for the management system from ISO/IEC 27001 and the controls from ISO/IEC 27001 Annex A.



