NIST CSF Track Support

If this is you …

We have found that clients of all sizes struggle to balance cyber-risk investment, organizational change friction and ability to demonstrate results.

After many years of helping clients with a wide range of governance, risk and compliance matters, we see very few clients doing well. Often, they:

  • know they have a cyber-risk problem, but can’t necessarily define its nature or size
  • believe that formal GRC frameworks like ISO27001 are too “heavy” for their organization to adopt
  • have made a variety of technology investments in infosec, but these are disconnected from wider organizational context (e.g. people and process)
  • cannot easily demonstrate that their investments have translated to meaningful reductions in business risk

All of this means they remain exposed, and searching for a practical path forward.

Then we can help

Our hybrid solution delivers the benefits of integration and automation and empowers business-driven prioritization, on a flexible platform that supports NIST CSF and other GRC frameworks.

To be valuable and viable we believe that a contemporary GRC solution needs to:

  • favour a practical approach, guidance and support more so than compliance
  • enable the business to identify and prioritise risk reductions in an order that makes sense in their earlier stages
  • reduce the amount of time and effort required to progress toward a GRC objective by use of integration and automation rather than human effort
  • emphasise continuous monitoring rather than periodic compliance audits

We call it NIST CSF Track Support. And we’ve chosen to deliver it with Drata, the market leader in risk and compliance automation.

So, what’s included?

Our offering brings together the elements you need to deliver business-cyber risk reduction.

Every customer starts in a different place – they have a history of making decisions and investments across different elements for different reasons.

We start the NIST CSF Support process with a Baseline Assessment which helps us to understand what is in place and what is not. This also captures a business view of what is important in terms of measurable improvement priorities.

The Improvement Plan then assists a customer to resource, schedule and progress improvements towards a specific set of goals. 

NIST CSF does not include a formal audit or certification process. However, customers that implement a substantial amount of NIST CSF requirements are well positioned to look at other paths that do require audit and certification (e.g. ISO 27001). The Improvement Plan allows a customer to determine if and when this is a sensible objective, and the platform and process we use naturally extend into that stage if it is warranted.

gwi.digital’s solution is based on Drata’s GRC automation platform and the NIST CSF standard, combined with a flexible services bundle.

Together, these deliver you the changes you need to measurably reduce your business-cyber risk, and demonstrate that both inside and out.

Our offering includes:

  • full Drata product licensing (MSSP tenancy, setup, NIST CSF framework, framework/policy/template library, continuous compliance automation via SaaS integration, employee engagement and education, risk management) 
  • trained, qualified and local AU-NZ support for Drata, with the backing of APAC and global vendor support teams
  • Drata platform initial setup and configuration, working with your business and technology stakeholders to collate and integrate the necessary documentation and data
  • a NIST CSF Baseline Assessment including controls status, maturity level, risk assessment and register
  • a NIST CSF Track Improvement Plan which lays out the logic for business-risk driven prioritization and progression
  • ad hoc support and advice
  • monthly reviews to document and ensure progression
  • a Quarterly Executive Summary suitable for a governance function (e.g. ELT)

Meaningfully reduce your business-cyber risk. Contact us for more.

Get in touch today

We make data and digital an easy everyday function of your business. Ready to talk?