
A Framework for Assessing Organisational IT Governance, Risk and Compliance

  • Conference paper
  • Book: Software Process Improvement and Capability Determination (SPICE 2017)

Abstract

Enterprises have come to understand that information technology (IT) is more than just a technical issue. Domains such as IT governance, risk management and compliance (GRC) have been established to steer it. Although there have been some improvements, these domains are usually considered separately, so less business value is created because of the complexity of the resulting process flows. There have been few attempts to integrate all three aspects, and those that exist were done using a domain-specific standard without taking the existing state of the art into account. In this paper, we conduct a systematic literature review to understand the processes, roles, strategies, and technologies of IT GRC as well as their integration. Based on the results of the review, we propose an assessment framework that could guide the evaluation of an enterprise’s IT GRC concerns.


Notes

  1. http://dl.acm.org/.
  2. http://ieeexplore.ieee.org/.
  3. http://link.springer.com/.
  4. http://mihkel.joulukiri.ee.
  5. http://mihkel.joulukiri.ee/evaluate/renderform.


Acknowledgments

Supported by the National Research Fund, Luxembourg, and financed by the ENTRI project (C14/IS/8329158).

Author information

Corresponding author: Nicolas Mayer


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Vunk, M., Mayer, N., Matulevičius, R. (2017). A Framework for Assessing Organisational IT Governance, Risk and Compliance. In: Mas, A., Mesquida, A., O'Connor, R., Rout, T., Dorling, A. (eds) Software Process Improvement and Capability Determination. SPICE 2017. Communications in Computer and Information Science, vol 770. Springer, Cham. https://doi.org/10.1007/978-3-319-67383-7_25

  • DOI: https://doi.org/10.1007/978-3-319-67383-7_25
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-67382-0
  • Online ISBN: 978-3-319-67383-7
  • eBook Packages: Computer Science (R0)
