ISO standards provide organizations with a framework, a set of common procedures, processes, and structures, that allows them to manage their risks properly and achieve their goals more effectively.
Organizations may want to serve their customers better, produce high-quality products, deliver returns for their investors, or maintain timely operations. However, certain events may occur that make it more difficult to achieve these objectives. These potential obstacles are referred to as risk events: events that could make it harder for an organization to accomplish what it set out to do.
To make these events less likely to occur, and to reduce their impact when they do, organizations should implement appropriate controls. Controls help organizations stay on track to meet their objectives by responding to the risks that could derail their plans.
The Standards to Know
Different ISO standards can guide organizations toward their objectives. Being certified against an ISO standard is a good marketing tool. It shows your clients that your processes follow solid practices and helps satisfy investors, insurance companies, and regulators by showing that your practices are sufficiently advanced.
Here are some key ISO standards that every GRC professional should know:
- ISO 9001 Quality Management Systems – Helps improve an organization’s response to events that may lead to customer dissatisfaction with the quality of the products or services they received.
- ISO 27001 Information Security Management Systems – Helps protect against cybersecurity threats and other risks to the organization’s information and helps ensure the privacy of client and employee data.
- ISO 31000 Risk Management Systems – Outlines what an organization should have in place to effectively identify, assess, and manage the risks it faces.
- ISO 42001 Artificial Intelligence Management Systems – Helps an organization manage and oversee the risks from its use and implementation of artificial intelligence.
- ISO 22301 Business Continuity Management Systems – Aids an organization in its preparation for significant events that could disrupt the ability of the organization to continue its operations.
- ISO 14001 Environmental Management Systems – Provides a framework for organizations to address and reduce their environmental impacts effectively.
Lines of Accountability for an Integrated Approach
Taking an integrated approach to ISO standards means that functions across the organization have a part to play in the implementation, management, or oversight of these standards.
Risk management, for instance, is not solely the responsibility of a dedicated function. Instead, it should be a shared effort across the organization, in which various actors contribute to identifying, assessing, responding to, and communicating about risks.
Take a sales function as an example. The sales staff act as the First Line of Accountability (in the OCEG Lines of Accountability Model) and directly manage the risks they face. This might be as simple as reducing reputational risk by ensuring that service delivery is as good as it can be.
A Compliance function, acting as the Second Line of Accountability, seeks to ensure that the risks from sales to customers are properly dealt with. For example, it may verify that the sales function complies with the laws and regulations it must follow. As such, it provides oversight of the risks managed by the First Line of Accountability.
Internal Audit, as the Third Line of Accountability, provides an independent and objective review of the first two lines. Executive Management and the Board of Directors — acting as the Fourth and Fifth Lines of Accountability — offer additional guidance and oversight across all organizational operations.

Following the ISO Management Standards
ISO management frameworks can guide organizations through the steps needed to improve their response to risks.
Understanding the Context
An ISO management standard begins by ensuring that those setting the objectives understand the organization’s operating context, as well as its internal strengths and weaknesses.
By identifying stakeholders, those with influence over or interest in the organization, leaders can develop targeted strategies to engage them and meet their expectations effectively. For example, the Board of Directors, which typically holds high power and high interest, should be kept well informed and actively engaged. Suppliers, who may have high interest but lower power, should, at a minimum, be kept updated on critical developments that could affect them.
Getting Leadership on Board and the Right Structures in Place
The ISO management standard will then require that leadership is on board. If senior management does not actively support the implementation of an ISO standard, it is unlikely to succeed. This support is shown through communication, access rights, and review permissions, but particularly through staffing and financial resources.
Policies formally express the guidance that management and the board wish to communicate, while procedures outline how to perform tasks and processes correctly. They should be updated for changes and aligned with the other policies and procedures across the organization.
A critical and often overlooked point is how much reporting lines and the internal organization of an entity matter. Putting the right lines of reporting and appropriate committees in place allows the Second and Third Line of Accountability functions (e.g., Risk Management, Compliance, Quality Control, and Internal Audit) to be sufficiently independent that their members can report on what they see in an objective manner. It can be difficult to highlight operational shortcomings under a superior's oversight, which is why establishing the right structures ensures that oversight functions can operate independently and effectively.
Planning the Management System
Leadership should define what they want to achieve from the management system they are implementing. This involves setting clear guidelines and criteria, such as what ethical principles to follow and what the key priorities for the organization are.
This guidance, along with a clear understanding of the management system’s objectives, provides the foundation for an initial assessment of the risks that could affect the system and its goals. Each risk should be assessed based on its likelihood of occurring and the potential impact it could have. If a risk is considered significant and lacks an appropriate existing response, then it should be recorded in the organization’s risk inventory. A plan should be developed to address these significant residual risks.
Supporting Operations
Without appropriate resources, no management system can be a success. Management must ensure that adequate staff, financial resources, IT, infrastructure, tooling, and other types of resources are made available.
Before operations begin, the organizers should review the list of interested parties identified earlier and decide what information each one needs to receive.
Ongoing Operations
As the management system is implemented, it should be updated to reflect any changes in risks or in the environment. The risk assessment should result in a comprehensive set of controls designed to help operations achieve their objectives. These are sometimes set out in a Statement of Applicability, found, for instance, in Annex A of ISO/IEC 27001 and ISO/IEC 42001.
While this section may be brief in the standard itself, it represents a big part of daily operations for the teams involved. Management systems often fail when risk assessments are not regularly updated to reflect changing conditions.
Evaluating the Whole Management System
This step ensures that the entire management system is working as intended.
On an ongoing basis, operations are monitored by the First and Second Line of Accountability functions. Management oversees the system and, when needed, requests adjustments. Internal Audit provides an independent and objective overview of the entire system, usually on a periodic basis. Its methods are structured and formal, and its findings are reported at a high level within the organization and to the Board of Directors.
Improvement and Non-Conformance
To get certified and be able to show that the organization follows a standard, it must be reviewed by ISO inspectors. They will verify compliance with each element of the chosen standards.
If they note a discrepancy that represents a significant risk, they will issue a non-conformance. A minor non-conformance is a relatively small breach of the ISO standard, which should be addressed when possible. A major non-conformance is a more severe breach, which blocks certification until the issue is resolved. An ISO inspector may also suggest other improvements to the organization's operations without these being breaches of the ISO standard.
A review will be performed by the ISO inspector over a 3-year cycle, after which a full recertification is required.
Conclusion
It is not always easy for the Board of Directors, management, or operational leaders to know whether the right structures and processes are in place. ISO standards are a way of gaining a level of confidence about this. Organizations that seek to be efficient and effective in the pursuit of their objectives would do well to follow the standards' guidance.