Governance, Risk & Compliance (GRC) is an integrated collection of capabilities that enable an organisation to reliably achieve objectives, address uncertainty and act with integrity. GRC can help your organisation align its IT activities to business goals, manage risk effectively and stay ahead of compliance. A well-planned GRC strategy can deliver solid benefits, namely improved decision-making, more efficiency in IT investments and the elimination of silos, which reduces fragmentation between departments.

Because cybersecurity is such an important driver in governance there are a number of areas where GRC and cybersecurity interact. Data privacy is one such driver and over the last few years we have seen new data regulation and new data privacy strategies applied by governments globally, the European GDPR legislation is a good example of this and a forewarning of legislation to come. There is also a strong link between the risk element of GRC and cybersecurity because security risks are such an important factor in the overall risk exposure of the organisation. This is where ITSEC can help, our GRC team is experienced at helping organisations get in front and ahead of GRC best practice.

Security Compliance Services

End to End Implementation Services across various standards and frameworks to aid in certification success

ITSEC’s Security Compliance Services are built on time tested & efficient methodologies to ensure success. A managed services approach useful for companies who are looking to meet the certification requirements but, do not necessarily want to recruit internal staff or, invest significantly on mitigation of risks or, could use an experienced approach to meet the requirement.

Our certified team have extensive frontline security experience with clients across various industry segments.

Additionally, we can also program manage the entire effort for the organisation and ensure success.


In response to the increasing prevalence of cyberattacks, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) recently developed a set of strategies to help organisations mitigate common attack vectors. These strategies are known as the Essential Eight.

The Essential Eight is divided into three main objectives, which are then further divided into eight strategies. If your organization finds itself in the category of maturity level one or two, then ITSEC can certainly help you mature your cybersecurity to the point where you can achieve a level three maturity in your cybersecurity posture.


Health Information Trust Alliance (HITRUST) CSF is a certifiable framework, designed to provide organisations who work with health data with a comprehensive & streamlined approach to regulatory compliance, privacy & risk management. Thus, the HITRUST CSF aids in safeguarding electronic protected health information (ePHI) & other critical information and helps organisations streamline their security and compliance requirements.


The Health Insurance Portability and Accountability Act (HIPAA) passed by the US House of Representatives defines how electronic protected health information (ePHI) needs to be managed and secured.  Whether you are a Covered Entity (CE) or a Business Associate (BA) there are policies, procedures and processes you need to comply with.  As data breaches and regulatory oversight increases on health-related companies, maintaining HIPAA compliance is the absolute minimum standard companies should adhere to.


A SOC 2, or “System and Organisation Controls 2” is quickly becoming one of the most sought-after compliance standards in North America. The SOC 2 framework is an auditing procedure that ensures your service providers securely manage the data to protect the interests of your organization and client’s privacy on five principles – Security, Availability, Processing integrity, Confidentiality and Privacy.


NIST Cybersecurity Framework is a voluntary framework that consists of customisable standards, guidelines, and best practices to manage cybersecurity-related risk. 

The main purpose of NIST CSF is “Improving Critical Infrastructure Cybersecurity,”

The Cybersecurity Framework’s prioritised, flexible and cost-effective approach helps promote the protection and resilience of critical infrastructure.

ISO 27001

ISO 27001 is a popular & well-accepted security standard & certification to implement & showcase an organization’s security posture. The objective of the standard is to “provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)”. The independent certification to the standard is recognised around the world as an indication that your organisation is aligned with information security best practices.


A breach of the GDPR requirements can results in fines and mandates that can significantly impact your ability to operate your business and additional fines, compliance mandate, etc. If your business is collecting and/or storing data from citizens or residents in Europe, you will be affected by the provisions of GDPR. Complying to GDPR takes more than adding a banner to your website making visitors aware of cookies from your website.

European citizens have a right to request their personal data in an easily readable format that provides the relevant information on the data being processed, the purpose, and if it was sent to a third party.


PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for organisations that handle and process credit card transactions. It is presided over by all the major credit card providers including American Express, Visa, Mastercard, Discover, and JCB. Like the healthcare industry, the payment card industry retains and processes billions of sensitive records annually, making organisational security paramount.

PCIDSS ensures that controls are in place to limit access to cardholder data, protect the confidentiality of transactions, and continuously protect organisations’ security posture through mandatory testing and scanning by certified PCI ASV testers.