Information Security, Privacy and GRC


Governance, Risk Management and Compliance (GRC) are three pillars that work together to ensure that an organization meets its goals. Today and in the future it is all about information. Laws and regulations such as the European General Data Protection Regulation (GDPR) - in the Netherlands the AVG - are hot issues. As a result, information security is becoming increasingly important. Security incidents can lead to reputational damage and financial loss, and can even put business continuity in serious danger. To organize information security, there are general (external) standards that could or should apply to all organizations, such as ISO27001, ISO27002, ISO28000 and NEN7510, and there are industry-specific standards.


What is Information Security?

Information security is the set of preventive, detective, repressive and corrective measures, as well as procedures and processes, that ensure the availability and integrity of all forms of information within an organization or a company, with the aim of ensuring the security of information and limiting any impact of security incidents to an acceptable, predetermined level. (Source: Wikipedia)

Increasingly stringent legislation such as the General Data Protection Regulation (GDPR), the Telecommunications Act and Sarbanes-Oxley requires organizations to demonstrate more often, and to explain, to what extent they meet a certain external information security standard and whether they are 'in control'.

A multitude of (mandatory) assessments, such as a Data Protection Impact Assessment (DPIA), a Privacy Impact Assessment (PIA) and various other assessments, also produce an increasing flow of information that in turn requires overview and insight. Here the MexonInControl Research Portal is a helpful solution.

The audit burden of adopting or developing an external standard within a large organization, and of correctly interpreting and applying it to the internal organization in a given situation (relevance), presents security managers with major challenges.

Information Security Management System

The complexity of the system of controls and measures associated with a standard is not to be underestimated, and the 'comply or explain' regime is strict. It is therefore recommended to establish and maintain a so-called Information Security Management System, or ISMS. An ISMS is the establishment and maintenance (improvement cycle) of the complete set of measures, processes and procedures in the context of information security. This complete set defines the way the organization handles information.

The core of the ISMS is the Plan-Do-Check-Act cycle (PDCA cycle). 'Plan' establishes the policy and scope of the ISMS, 'Do' gives substance to the implementation of the ISMS, 'Check' represents the monitoring of the ISMS, and 'Act' gives substance to maintaining and improving the ISMS.

The ISMS itself is not a guarantee of 100% security, but it is a management system that helps organizations to be, or to get, 'in control' of their information.

Many organizations and external advisers, when it comes to information security, primarily focus on identifying risks, performing gap analyses, capturing and publishing processes, procedures and measures, determining status, reporting, auditing, et cetera. Considerably less attention is paid to the initiation, allocation and control of the actions, activities and resources that are needed to resolve a security incident or to implement a measure and maintain it.

Typically these operational processes are managed from existing IT Service Management (ITSM) tools. However, the connection with the information in the GRC and/or ISMS tooling is lacking in most cases. Another problem is that the ITSM database generally only contains data about IT assets, such as applications and hardware; it is not common for it to also contain data on non-IT assets, which are also part of the information chain. As a result, security officers are often forced to maintain their own information system, mostly Excel spreadsheets, to still get good and quick insight into, for example, the current status of and consistency between the relevant standards, controls, measures, actions, activities, assets and resources.

Another challenge is that the applicable standards themselves may change, because external standards can be closely related to, or derived from, one another. A change in one standard may lead to an adjustment in another standard, which in turn raises issues for the measures, actions and activities an organization has in place. These so-called cross-tables are a major headache for security officers.

Our solution: MexonInControl

Our MexonInControl ISMS software is developed for responsible employees, usually the Chief Information Security Officer (CISO) or Data Protection Officer (DPO), to assist in monitoring and reporting on the status of the established controls and measures.

Through a cyclic process (plan/do/check/act), risk assessment, progress measurement and assessment of the status of actions are controlled. This provides insight into the status of the process of achieving and maintaining compliance, as well as into the maturity and/or operation of measures (design, implementation and operation).

MexonInControl provides an organization with a process-based approach to managing information security. This leads to better control and a reduced audit burden. For this, MexonInControl offers a powerful workflow engine.

MexonInControl allows existing IT management processes to remain intact and, through smart integration with existing ITSM tools, can use relevant data from them for analysis and reporting. This includes information on the application landscape, the status of antivirus measures, or the progress of IT projects or changes, for example.

MexonInControl helps to achieve an information security standard, to remain compliant with the standard and to be fully and demonstrably 'in control' of the information. Moreover, maintaining the standard itself is also simplified.

MexonInControl can be applied to all general and industry-specific standards in the field of information security, including ISO27001, ISO27002, ISO28000, NEN 7510, BIG, IBI, BIWA, et cetera.

Despite all efforts to protect the private information of individuals and partner organizations, incidents will occur. MexonInControl is developed to register incidents in the categories that should be reported to the CISO or DPO, and to handle them through predefined responses and, where necessary, escalation procedures. Such incidents will often also have to be reported to, for example, a national privacy authority.

The benefits of MexonInControl:

  • Predefined and customizable set of controls and measures;
  • Clear understanding of the status and maturity of the controls, including measurement of the design, implementation and operation of the measures for a control;
  • Predefined and customizable workflows and activity planning for ad hoc and repetitive actions and activities;
  • Unambiguous understanding of the relationships between risks, measures, actions, activities and resources (including capacity, ICT assets, etc.);
  • Flexible dashboards and reporting for quick overviews and a minimal audit burden;
  • Easy uploading of cross-tables and updating of the standard, controls and measures;
  • One user-friendly integrated application for all information security processes;
  • Smart integration with ITSM tooling to receive current information for analysis and reporting;
  • Facilitation of internal and external escalation;
  • A tool that prepares for and optimizes assistance in audits and cooperation with those involved in the security chain;
  • Integration with the MexonInControl Research Portal;
  • And more…

Do you want to know what MexonInControl can do for you? Please contact us by e-mail or by phone on +31 33 432 17 00.