GRC platforms are focused on efficiency, but most offer their customers no path toward maturity. The Digital Security Program (DSP) can rapidly advance an organization to a high level of maturity on the Capability Maturity Model (CMM), because the DSP ships with metrics, including recommended Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).
Since a picture can be worth 1,000 words, the video to the right describes the methodology we used to develop the DSP, with examples of the hierarchy structure and overall flow of our documentation, including metrics.
Metrics: What Right Looks Like
The diagram shown below visualizes how the components of the documentation link together, ending in metrics:
CONTROL OBJECTIVES exist to support POLICIES
STANDARDS are written to support CONTROL OBJECTIVES
PROCEDURES are written to implement the requirements that STANDARDS establish
CONTROLS exist as the mechanism to assess/audit both whether the STANDARDS and PROCEDURES exist and how well they are implemented and functioning
METRICS exist to measure the performance of CONTROLS: KPIs show whether a control is performing as intended, while KRIs show when the risk the control is meant to manage is increasing