I admit it. This post is inspired by a post with a similar name by my good friend and occasional debate partner, Richard Chambers: 10 Red Flags Your Internal Audit Function May Be Losing Ground. Have a look if you haven’t already read it. He makes some very good points. Here are his ten red […]| Norman Marks on Governance, Risk Management, and Internal Audit
Before I explain the mantra in the title of this blog post, I want to review some basics. 1. Boards and the CEO measure success based on the achievement of objectives. Some say those objectives are…| Norman Marks on Governance, Risk Management, and Internal Audit
Giving every employee full access to all your IT systems, from databases to dev-ops, is convenient, but also a security nightmare. Unfortunately, that’s exactly what happens with broad access controls; privileges are too generous and not tailored to actual needs. Granular access control gives employees custom access that opens only the specific systems and processes...| Sprinto
Rolling out in September, embedded intelligence that thinks like an analyst, not a script SAN FRANCISCO, CA – August 28, 2025 — While others rebrand automation as AI, ZenGRC today introduced an assistant that actually replaces analyst-level work, transforming weeks of control evaluations and framework mapping into minutes of review. “The market blurred the line […]| ZenGRC
Earlier this week I attended a GRC conference in New York, which meant plenty of talk about challenges in cybersecurity, data management, internal control, and (of course) artificial intelligence. One interesting session explored how to manage the risks of third-party AI models within your enterprise. As usual, I took lots of notes, and pass… The post Governing Third-Party AI Risks appeared first on Radical Compliance.| Radical Compliance
A Primer for Security and Business Leaders As cybersecurity becomes a top concern in the boardroom, one message is becoming […]| GuidePoint Security
Crisis Action Management Planning (CAMP) elevates business resilience, and helps teams prepare, respond, and adapt to threats.| GuidePoint Security
Crypto regulation in Europe just got a major upgrade. The Markets in Crypto-Assets Regulation (MiCA) delivers a single EU-wide rulebook for digital assets, and here in the Czech Republic it’s already reshaping how firms operate. I’m going to show you why MiCA matters, how you and your team can secure a Crypto-Asset Service Provider (CASP) […] The post MiCA regulation in the Czech Republic: Licensing, implementation, and what crypto firms need to know first appeared on CyberUpgrade.| CyberUpgrade
If you’re eyeing Denmark as your next crypto frontier, you’ll need to get cozy with the Markets in Crypto-Assets Regulation (MiCA). I’m here to break down how MiCA lands in Denmark, what you must do to snag your Crypto-Asset Service Provider (CASP) licence, and how to dodge any regulatory potholes. By the end, you’ll have […] The post MiCA regulation in Denmark: Licensing, implementation, and what crypto firms need to know first appeared on CyberUpgrade.| CyberUpgrade
Imagine your crypto business blindsided on 30 December 2024—license pending, services on hold. That’s the reality if you don’t crack the Markets in Crypto-Assets Regulation (MiCA) now. I’m Nojus Antanas Bendoraitis, and I’ve guided startups through DORA and GDPR, so let’s break down MiCA’s playbook in Cyprus and get you ready for smooth sailing. Overview […] The post MiCA regulation in Cyprus: Licensing, implementation, and what crypto firms need to know first appeared on Cybe...| CyberUpgrade
Dive into the MiCA Regulation in Croatia, from licensing steps and timelines to critical tips—everything crypto firms need to know to stay compliant.| CyberUpgrade -
I would say that most IT auditors and CAEs are familiar with pre-implementation reviews. These are audit engagements designed to proactively work with management when there are system implementations. They provide assurance, advice, and insight on the effectiveness of the internal controls and security that will exist when the system is live. Pre-implementation reviews are […]| Norman Marks on Governance, Risk Management, and Internal Audit
My thanks and congratulations to Alexander Ruehle for his post this week on LinkedIn: Internal audit has just been audited by internal auditors. Why do I ask whether the profession and the IIA are at a crisis point? Consider that according to the IIA’s own Vision 2035 (and his post): 48% still view Internal Auditors […]| Norman Marks on Governance, Risk Management, and Internal Audit
Companies across the world are changing. Some are changing in response to changes in the economy, while others are changing in response to changes in technology. The point is that they are changing. That is not a surprise as we are hearing about layoffs and changes in direction all the time. For example: SAN FRANCISCO, […]| Norman Marks on Governance, Risk Management, and Internal Audit
I am going to look into my AI-enabled crystal ball and imagine the world of the future (the not-too-distant future) decision-maker. Then I will look again to see what the risk practitioner and the …| Norman Marks on Governance, Risk Management, and Internal Audit
Get expert strategies to navigate the top risks for operations teams so you can prevent disruptions, maintain trust, and sustain business continuity.| Resolver
Learn how an efficient, resilient, and agile strategy can build a strong business case for modernizing and adding GRC benefits to your organization.| Resolver
Explore common misconceptions & limitations of risk and compliance software, plus the game-changing truths for efficient compliance management.| Resolver
Take a closer look at inherent vs. residual risk assessments to understand their value in your risk management processes and risk mitigation strategies.| Resolver
Learn how to foster integrity and accountability across your employees & leadership to build a strong compliance culture that prevents costly fines.| Resolver
Ever been caught off guard by an auditor asking for a log you didn’t know existed? SOC 2 Type 2 is the compliance framework that ensures your controls aren’t just well designed—they actually work month after month. In this article, I’ll share why continuous assurance beats a one-time snapshot, unpack the trust services criteria, walk […] The post What is the SOC 2 Type 2 first appeared on CyberUpgrade.| CyberUpgrade
I once heard someone liken compliance audits to planning a heist in a blockbuster movie—meticulous planning, airtight controls, and no loose ends. Except in our world, the police aren’t on your tail; your prospects and clients are, and they want proof that you’ve locked down the vault. In this article, I’ll unpack what a SOC2 […] The post What is the SOC2 Type 1 first appeared on CyberUpgrade.| CyberUpgrade
Running a SOC 2 program without understanding its core controls is like setting sail without a compass—you’ll drift aimlessly and end up off course. In this deep dive, I’ll unpack the nine Common Criteria (CC1–CC9) that anchor every SOC 2 security report. You’ll see what each control demands, why it matters in real-world terms, and […] The post SOC 2 security controls list: what you need to know first appeared on CyberUpgrade.| CyberUpgrade
Picture your inbox at 6 AM flooded with frantic messages because your cloud service stumbled at 3 AM—and your CEO’s coffee hasn’t kicked in yet. That’s the kind of nightmare SOC 2 is designed to prevent. In this deep dive, I’ll guide you through the five Trust Services Criteria—Security, Availability, Processing Integrity, Confidentiality, and Privacy—showing […] The post SOC 2 Trust Services Criteria list, principles and categories first appeared on CyberUpgrade.| CyberUpgrade
Ever felt like pursuing SOC 2 compliance as a small business is like trying to train your cat to fetch—ambitious, expensive, and possibly futile? I’ve been there. You know SOC 2 is a powerful trust signal for enterprise customers, but the sticker shock can make your wallet run for cover. In this article, I’ll share […] The post SOC 2 for small business: achieving compliance on a budget first appeared on CyberUpgrade.| CyberUpgrade
Imagine trying to tame a fire-breathing dragon with a water pistol—that’s how it feels to jump into SOC 2 compliance without a plan. I’ve seen startups buckle under mountains of policies and evidence, believing SOC 2 is a bureaucratic roadblock. In reality, it’s a launchpad: a way to prove you protect customer data, win enterprise […] The post SOC 2 for startups: Tips to simplify the compliance process first appeared on CyberUpgrade.| CyberUpgrade
I still remember sitting in a boardroom when a prospect asked, “Can you prove your security controls actually work?” With no polished report in hand, it felt like I’d shown up to a duel armed with a butter knife. SOC 2 compliance is the audit weapon you want at your side. In this deep dive, […] The post Who needs SOC 2 compliance and why is it important? first appeared on CyberUpgrade.| CyberUpgrade
Compliance often feels like a never-ending paperwork treadmill, but SOC 2’s trust principles are more like high-voltage power lines ensuring your systems—and reputation—stay charged and error‑free. In this article, I’ll unpack each principle through playful analogies, real‑world scenarios, and insider pro tips so you can build controls that impress auditors and reassure customers—without falling asleep at […] The post Understanding the 5 SOC 2 trust principles first appeared...| CyberUpgrade
Ever tried herding cats through a car wash? That’s a bit like preparing for a SOC 2 audit—chaotic controls on a slippery ride. I’ve seen teams scramble to gather evidence at the last minute, only to realize they forgot key policies. In this article, I’ll walk you through realistic timelines for SOC 2 Type 1 […] The post How long does an SOC 2 audit take? first appeared on CyberUpgrade.| CyberUpgrade
I’ve guided countless teams through SOC 2 audits, and one thing’s clear: an undefined scope is like running a marathon in flip-flops—painful and inefficient. In this deep dive, I’ll show you exactly which systems, data flows, personnel, and third-party services belong in your SOC 2 scope. We’ll pinpoint the Trust Services Criteria (TSC) that matter, […] The post What does SOC 2 scope include for your business? first appeared on CyberUpgrade.| CyberUpgrade
Ever feel like you’re trying to navigate a minefield blindfolded? That’s what managing compliance without a clear framework can feel like. I’ve seen teams spin their wheels chasing endless questionnaires, only to miss the big picture. In this guide, I’ll walk you through the seven high‑level steps of SOC 2 attestation—without the hype or the […] The post SOC 2 attestation process: a step-by-step guide first appeared on CyberUpgrade.| CyberUpgrade
Picture your CEO brandishing a freshly minted SOC 2 report like a championship trophy—only for a prospect to glance at the date and sigh, “Sorry, this is last year’s model.” In cybersecurity, recency equals credibility. Today, I’ll dissect why SOC 2 reports are treated like a one-year subscription, walk you through the nuances of Type […] The post What Is the validity period of a SOC 2 report? first appeared on CyberUpgrade.| CyberUpgrade
Discover MiCA regulation in the Netherlands: licensing, implementation phases, and critical insights for crypto firms to navigate compliance effectively.| CyberUpgrade -
Many years ago, my friend Ed Hill, a Managing Director with Protiviti at the time, coined the expression “there is no such thing as IT risk. There is only business risk.” Yet, people still talk about quantifying cyber risk in a silo. They talk about “risk to information assets” instead of risk to the achievement […]| Norman Marks on Governance, Risk Management, and Internal Audit
One of my audit committee members once told me that when he thinks of a model internal auditor, he thinks of me. I wasn’t sure how to take that! I know he meant it as a compliment, but while my business card might say that I was in charge of the internal audit function, that […]| Norman Marks on Governance, Risk Management, and Internal Audit
I recently discovered how some people are projecting that AI will transform the work of corporate counsel. Yes, there are several on how it will transform the work of the law firms, but I am concer…| Norman Marks on Governance, Risk Management, and Internal Audit
Master SOC 2 background checks in 2025—build a compliant screening program, meet audit expectations, and choose the right vendor with confidence.| CyberUpgrade -
Business Impact Analysis (BIA) enables organizations to evolve their business resilience strategies in response to emerging threats. Here’s why!| GuidePoint Security
When I started writing this post, Microsoft Word offered to help. Its AI asked what I wanted to write about and then developed a draft that had some excellent content. It wasn’t what I wanted to write, but I am going to steal some excellent parts starting with: Ask the average person about internal auditors, […]| Norman Marks on Governance, Risk Management, and Internal Audit
Politicians in the US (at least on one side of the aisle) love to talk about “waste, fraud, and abuse”. How big is it? Google AI tells us: Estimates of the financial impact of waste, fraud, and abu…| Norman Marks on Governance, Risk Management, and Internal Audit
Learn to build a clear, up-to-date DORA Register of Information to map your ICT service providers, ensuring compliance and operational visibility.| CyberUpgrade -
CyberUpgrade launched the DORA Registry Tool to replace tedious spreadsheets with a single, guided platform. Learn how this tool can improve your compliance process.| CyberUpgrade -
Explore Norway’s ISO 27001 overlays—Digital Security Act, sector statutes, NA accreditation—and how one ISMS simplifies audits, tenders and resilience.| CyberUpgrade -
Discover Slovakia’s ISO 27001 overlays—SNAS accreditation, Cyber-Security Act, sector rules—and how one ISMS streamlines audits, tenders and resilience.| CyberUpgrade -
Discover Ireland’s ISO 27001 overlays—INAB accreditation, NIS rules, sector baselines—and how one ISMS secures audits, tenders, funding and cyber resilience.| CyberUpgrade -
Explore Croatia’s ISO 27001 overlays—HAA accreditation, NIS laws and sector checklists—and learn how one ISMS simplifies audits, tenders and cyber resilience.| CyberUpgrade -
Explore Lithuania's ISO 27001 landscape—LA-accredited certificates, NIS-2 duties, sector add-ons—and see how one ISMS streamlines audits, tenders and risk.| CyberUpgrade -
Learn Slovenia’s ISO 27001 overlays, from SA-accredited certificates to ZInfV-1 and ZEKom-2 rules, and how one ISMS streamlines audits, KPIs and tenders.| CyberUpgrade -
Discover Latvia’s ISO 27001 twists—cyber-law KPIs, data localisation, bilingual docs—and how one ISMS streamlines audits, tenders and insurance costs.| CyberUpgrade -
Explore Liechtenstein’s ISO 27001 requirements, sector overlays and compliance tactics, and see how one ISMS boosts audits, tenders and resilience.| CyberUpgrade -
Discover how Hungarian firms integrate ISO 27001 with NIS 2, NAH accreditation, and sector mandates to build automated ISMS for compliance and resilience.| CyberUpgrade -
I am all in favor of being resilient. Gemini AI tells us: Resilience is the ability to adapt to and recover from adversity, trauma, tragedy, threats, or significant sources of stress. One of my res…| Norman Marks on Governance, Risk Management, and Internal Audit
A few years ago, the IIA published an Internal Audit Assessment Tool for audit committees. I think it is one of their best products. The guide suggests asking these big-questions first. (I have hig…| Norman Marks on Governance, Risk Management, and Internal Audit
Discover how centralized issue management enhances risk oversight, improves compliance, and streamlines corrective actions in ERM.| Resolver
Discover the key elements of building a risk-aware culture in your organization and learn how they contribute to long-term success.| Resolver
4 actionable ways to help leaders create & maintain a better security & compliance culture on your internal team through to your entire organization.| Resolver
From Complexity To Compliance When managing hundreds of global vendors and navigating their ISO 27001 certification became overwhelming, Bazaarvoice sought a better way. By implementing ZenGRC at the beginning of 2024, they simplified their audit workflows and compliance documentation management while maintaining their customized GRC practices. About Bazaarvoice What began as a simple ratings and […]| ZenGRC
Richard Chambers and I go back many decades, first as colleagues and then as friends, and we have great mutual respect. While we often appear to disagree, that is more often than not in our choice …| Norman Marks on Governance, Risk Management, and Internal Audit
Now is a great time for MSPs to build a "Compliance as a Service" offering. Help clients navigate complex regulations and assist with audits, certifications and cyber insurance for competitive advantage and continued success. The post Compliance as a Service: The New MSP Growth Driver appeared first on CYRISMA Cyber Risk Management Platform.| CYRISMA Cyber Risk Management Platform
Threat actors target supply chain vulnerabilities to breach your operations. Learn how to conduct a supply chain cybersecurity risk assessment to stop them.| Onspring
A recent article by Carol Williams of Strategic Decision Solutions carried this title and had some wisdom to share. For example, she said: Enterprise risk assessment can be defined as: “the practic…| Norman Marks on Governance, Risk Management, and Internal Audit
Learn about software bill of materials (SBOM) in the context of governance, risk and compliance (GRC) and how to implement it in your organization.| Onspring
What is governance, risk and compliance, and why is it important for organizational management? Learn about this integrated aspect of business operations.| Onspring
Cybersecurity spending trends and their impact on businesses| Help Net Security
Learn how to identify and mitigate operational risks with proven frameworks. Improve your risk posture with Sprinto's ORM guide.| Sprinto
The CYRISMA GRC and Compliance Assessment module is expanding! Track controls, generate reports, collaborate with other departments| CYRISMA Cyber Risk Management Platform