Governance, Risk & Compliance
From ISO to NIST and GDPR to HIPAA, we help you design and run robust governance programs that reduce risk, simplify compliance, and align with your business goals.
Strong governance and effective risk management are the backbone of sustainable cybersecurity. Without a clear understanding of your risk landscape and accountability framework, even the best technical controls can fall short. At IGCCD, our Governance, Risk & Compliance (GRC) services help organisations design, implement, and continuously improve robust cybersecurity governance structures. We translate risk into business language, align with global standards, and enable leadership to make informed, auditable decisions.
-
Cyber Governance Frameworks
We help you define and implement cyber governance structures, roles, and decision-making processes that align with your size, industry, and regulatory needs. This includes Board-level reporting, cyber steering groups, and integration of cyber risk into business governance.
Risk Management & Register Development
We work with stakeholders to identify, assess, prioritise, and document cyber risks. Our risk registers are tailored to your context and map directly to mitigation plans, owners, and review cycles. We support both qualitative and quantitative risk models (e.g., FAIR).
Policy Frameworks & Document Packs
We build or review cybersecurity policies and procedures across domains including access control, incident response, encryption, remote work, third-party risk, and more. These documents meet ISO, NIST, and regulatory requirements and are tailored for real-world usability.
Compliance Mapping & Readiness
Whether you're aiming for ISO 27001, NIS2, Cyber Essentials, or sector-specific compliance, we help you map existing controls, identify gaps, and build a roadmap to full alignment. We also prepare you for audits and certification assessments.
Board / SMT-Level Risk Briefings
We provide cyber risk briefings, training, and risk dashboards for senior executives and boards. These are designed to increase engagement, build confidence, and enable informed oversight.
-
You’re preparing for ISO 27001, Cyber Essentials, or NIS2 compliance.
Leadership needs better visibility of cybersecurity risks.
Your policies are outdated or inconsistent across departments.
You're struggling to align cybersecurity with business objectives.
You want to move from ad hoc to structured risk management.
-
We begin by engaging senior stakeholders to understand business priorities and regulatory obligations. Then we assess your current governance and risk maturity using structured frameworks like NIST CSF, ISO 27005, and CIS RAM. From there, we co-develop or refine your cyber policies, build risk registers, assign control owners, and integrate these into a repeatable review cycle. We also offer optional tooling to automate GRC processes and visualise risk trends over time.
-
ISO/IEC 27001:2022 – Information Security Management Systems (ISMS)
ISO 27005 – Risk management for information security
NIS2 Directive – Network & Information Systems security requirements
Cyber Essentials / CE+
NIST Cybersecurity Framework (CSF)
CIS RAM & FAIR – Risk analysis methodologies
DORA, PCI DSS, HIPAA – For finance, health, and regulated industries
-
Cyber Governance Framework – Roles, reporting lines, responsibilities
Cyber Risk Register – Ranked risks, controls, owners, and KPIs
Custom Policy Pack – 10–25 policies aligned to ISO/NIST
Compliance Gap Analysis – Mapping of current controls vs requirements
Executive Cyber Risk Dashboards – For board or CxO reporting
Audit & Certification Readiness Pack – Controls evidence binder, review checklist
-
ServiceNow GRC, OneTrust, or Archer for larger orgs
Excel-based or lightweight tooling for SMEs
Risk heat maps and dashboards in Power BI or Tableau
Word/Markdown-based documentation packs for flexibility
-
Identify GRC lead or contact for coordination
Provide access to existing policies, risk logs, and compliance evidence
Facilitate engagement with senior management
Review and validate proposed governance models
-
Cyber Governance Framework: 2–3 weeks
Risk Register & Heatmap Development: 2 weeks
Policy Pack Creation or Review: 3–4 weeks
Compliance Gap Review: 2–3 weeks
Board Training & Briefings: 1–2 days or ongoing quarterly support
Milestones:
Governance & Risk Discovery Workshop
Framework & Policy Development
Risk Register Creation + Control Mapping
Compliance Gap Closure Plan
Board Briefing & Handover
-
Risk: Governance model lacks executive support
Mitigation: Early CxO engagement and board-level education sessions
Risk: Risk registers become shelfware
Mitigation: Ownership, review cycles, and integration with KPIs
Risk: Policies are copied templates and don’t reflect practice
Mitigation: Context-driven policy customisation with operational input
Risk: Audit failure due to weak documentation
Mitigation: Audit-ready evidence packs and gap remediation roadmaps
-
Q: What’s the difference between cybersecurity governance and IT governance?
Cyber governance focuses specifically on security-related risks, controls, and decisions. It complements IT governance but requires dedicated focus and reporting structures.
Q: How often should a cyber risk register be reviewed?
Typically quarterly, or more often if your threat landscape changes significantly. We can help automate reminders and updates.
Q: Do you help with certification or just preparation?
Both. We help you build the evidence and controls and can also guide you through certification audits or help select certification bodies.
-
GRC Starter Pack (SMEs): From £5,500
Custom Policy Framework: From £3,000 (10–15 policies)
Full GRC Programme Setup: From £9,000
Board Briefing & Training Package: From £1,800
Ongoing GRC Management Support: Retainer pricing available