Security Vision has launched an updated Security Vision SGRC product, which now includes the Information Security Management (Governance) section. Together with the long-established Risk Management, Compliance Management, and Business Continuity Management sections of SGRC, the Information Security Management section enables an integrated approach to information security management by supporting the following processes:
- Forming a list of key roles
- Defining the organizational context
- Forming a cybersecurity strategy
- Defining information security management processes
- Forming information security policies and procedures
- Monitoring the implementation of information security tasks and activities
- Improving information security management processes and procedures
- Assessing the current and target information security status
The introductory stage
When starting to develop information security in an organization, it is necessary to formulate a mission and vision for information security, create a list of key roles, and assign employees to them. The product contains the necessary templates for this, which can be adjusted to the specifics of a particular organization. Roles that have not yet been assigned to an employee are also highlighted.
Organizational context
Defining the organizational context means defining the scope of information security and identifying the stakeholders, which come in two types:
- Internal (various departments, decision makers)
- External (information security regulators, partners, shareholders)
The requirements of each stakeholder, as well as their priority, are subsequently taken into account when assessing information security risks.
Cybersecurity strategy
The cybersecurity strategy is the main document defining the direction of information security development in an organization. At this level, the framework that the organization plans to adhere to is selected. The product offers two main frameworks to choose from: NIST CSF 2.0 and ISO 27001. It is also possible to create your own framework or combine existing ones.
The main risk management elements are also defined here; they are used later when assessing and treating information security risks:
- Business risks
- Risk management process
- Risk management methodology
- Risk appetite and risk tolerance
Based on the selected framework, an analysis of the current and target state of information security in the organization is carried out, and a strategic plan for further actions is formed from its results. The strategic plan can be flexibly divided into stages according to the time frame, and at each stage tasks are created for a specific assignee. The progress of tasks and projects can be conveniently tracked on the summary dashboard.

Information security processes and policies
The list of information security processes is generated automatically after the framework is selected. The product provides typical processes with a description of their stages or required actions. In addition, specific information security policies are linked to most processes; these policies regulate the processes and define the procedures for performing the required actions within them.
For most policies, including the basic information security policy, the product provides templates that help you quickly produce the final documents.
A continuous process of improvement and revision
To keep the state of information security up to date, a flexible approach has been developed: notification intervals can be configured for when the main entities need to be reviewed, updated, or improved, and for each entity the roles of the employees involved are configured according to the RASCI matrix principle.
Reports and dashboards
In addition to the consolidated dashboard, which is convenient for tracking the current state of information security, the product provides reports on the main components with support for custom templates, which is especially convenient if the organization has established reporting forms.