Governance, Risk & Compliance

Governance, Risk & Compliance

Align your IT Objectives with your Business Goals

Odyssey’s Governance, Risk & Compliance (GRC) services enable your organization to reliably achieve objectives, address uncertainty and act with integrity towards enhancing corporate performance and accountability. The outcome is the successful alignment of your organization’s IT and business objectives, resulting in the effective management of risk while meeting and validating complex compliance requirements.


Information security governance is referring to the elements required to provide Senior Management assurance that its direction and intent are reflected in the security posture of the organization by utilizing a structured approach to implementing an information security program. Once those elements are in place, Senior Management can be confident that adequate and effective information security will protect the Organization’s vital information assets.

Information Security Strategy

Competency in cybersecurity technology and knowledge of international frameworks and best practices as well as the business nature of the organization is required to define the cybersecurity strategy.

Our competent professionals will determine achievable milestones and deliver an action plan tailored to your organization. The plan constitutes of projects for specific achievement and related budgets to achieve the desired state and security profile.

Diagnose cyber risk exposure with cyber risk assessments and Business Impact Analysis (BIA) for IT to evaluate the potential consequences of compromise.

Our experts will perform a cybersecurity gap analysis between the current and desired cybersecurity posture in order to identify the state of maturity in information security and information technology achieved at each milestone.

Interpret the outcome towards the transformation plan and position cyber security posture against other organizations of the industry. Security posture validation is the assurance to continue cybersecurity efforts.

Security Awareness Training

A pivotal part of ensuring effectiveness of the organization’s cybersecurity program is personnel security awareness, which provides the employees with an insight and solid understanding of security policies, procedures and best practices. Communicate the tone set at the top and provide a common comprehension of what needs to be secured to ensure the organization’s success. Cultivate security awareness throughout the organization instead of limited to a small group of individuals in the IT and Security department.

Security illiterate in an organization makes technology, technological and organizational controls obsolete.

Information Security Policies & IT Procedures

Information Security Policies and IT Procedures are the foundation of cybersecurity, and provide the framework for the overall security management across the organization.

The policies outline security roles and responsibilities, define the scope of information and provide a high-level description of the controls that must be in place to protect the information. To ensure their effectiveness employees should be aware and educated on security policies if these are to ensure the comprehensive understanding required to achieve organization goals.

The IT Procedures consist of step-by-step instructions to assist IT employees in implementing various policies. Whilst policies consist of controls that should be in place, a procedure gets down to specifics, outlining how to implement these controls in steps.

Data Protection Officer as a Service (DPOaaS)

The GDPR allows organizations that do not have the required data protection expertise or knowledge to outsource the role of a Data Protection Officer (DPO). Your DPO will ensure that the organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.

Information Security Officer as a Service (ISOaaS)

With the growth of organizational maturity, the dependence on information increases for every division and department in an organization.

Employing an ISOaaS can help the organization identify its current cybersecurity posture, evaluate the threat landscape, identify technological and human factor cyber risks, data protection and privacy requirements, regulatory needs and propose solutions and risk mitigation options to drive the organization’s posture to the desired state.

The ISO will employee the necessary tools and carry out the necessary exercises to define the information security strategy and to ensure confidentiality, integrity, availability and resilience.

Cybersecurity ownership through the perspective of an external ISO provides expert and specialised focus, proven competency, clear from internal influence, defeats conflict of interest and delivers true improvement for the organization.

Risk Management

Making sure that any risk associated with organizational activities is identified and addressed in a way that supports the Organization’s business goals. It is about having a comprehensive information security risk management process that rolls into the organization’s enterprise risk management function.

Risk Assessment

The Risk Assessment process takes into consideration identified Threats versus the Vulnerabilities identified in your operating environment, and calculates the Level of the Risk, based on the Value of the Assets (either tangible or intangible), the Likelihood and Probability of the Risk emergence and the Impact, if a Vulnerability is exploited. The Identification process may include Penetration Testing and Vulnerability Scans.

Our experienced Advisory and Technical teams help you to clearly identify your overall Exposure to Threats and decide on a proper Mitigation strategy. We walk your through the Risk Management process, every step of the way. We propose and apply organizational and technical measures, including corrective measures for existing risks, or preventive measures for potential ones, this way empowering you to manage your Cyber Risks.

Business Impact Analysis (BIA) for IT

BIA in the context of IT identifies and maps the relationship between business activities, IT assets, resources and the risks imposed from the disruption of delivering products and services to the customer.

Intelligence from BIA is the starting point for multiple purposes including the development of the cyber strategy, understand the impact of change and specific risk or even draw the blueprints for your organizations business continuity, disaster recovery plans and restoration to normal operation. The objective is to determine the overall impact that a disruptive event could have on the confidentiality, integrity and availability of critical assets.

Data Privacy Impact Assessment (DPIA)

The Data Privacy Impact Assessment (DPIA) identifies the Impact on Privacy in the case of a Data Breach, and is inextricably linked to the compliance of the General Data Protection Regulation (EU2016/679 – GDPR), as ordained in Section #3, Article §35 of the Regulation.

The Impact is estimated against the risk to the rights and freedoms of natural persons. Internationally accepted methodologies are implemented to record the Risks, and identify the Impact of a Data Breach, as well as your applied measures and the Legal justification of every potentially vulnerable Process of Privacy Data, as required by the Regulation.

Our certified Executive Data Protection Officers and our highly qualified Consultants provide you with all necessary guidance to compile a comprehensive DPIA and document your compliance to the Regulation.

Should the Report of the DPIA indicate high risks to the personal data that you process, our Advisory and our Solutions teams help you remedy Vulnerabilities and eventually mitigate these risks to maintain a high level of compliance.

IS & IT Maturity Assessment

Information security resilience, in the era of the ever-evolving cyber threat landscape, is an essential part of an extrovert corporate strategy that involves a security-oriented transformation. This is to ensure that critical assets such as brand, reputation, information and infrastructure stay in-line with business, operational efficiency and goals. Understand if the organization requires strengthening of the security culture, which regulations requirements to comply with, enhance controls for greater control over risk or if the organization should benchmark against other sector peers. These all together input to an information security and IT management governance model that guides the organization through the “deep waters” of our time and age.

Incident Response Preparedness

Ensure resiliency by preparing for the successful cyberattacks that will challenge and expose the security posture of the organization. Test organizational preparedness by focusing not only on technology but also on the human factor and the process functions. A cyber-event may lead to an incident and cascade effects may escalate to a disaster.

Incident response preparedness and actively testing response plans and procedures can keep recovery time within tolerable limits and maintain business continuity. Document a plan with the input of all stakeholders and test it for effectiveness in advance for resilience.

Business Continuity and Disaster Recovery

The Business Continuity and Disaster Recovery service refers to a set of products and advisory services, tailored to the specific needs of your organization, that help you maintain an uninterrupted provision of your products and/or service by covering your requirements for continuous Availability.

Disruptive events do and always happen to all organizations, as it is not a question of “if”, but rather a question of “when” a disaster occurs. How organizations manage and maintain their Business Continuity and how capable they are to recover from a Disaster defines their survivability in the long-term. Our Advisory and Technical teams work closely with you to design, develop and implement a complete tailored set of operational Plans and infrastructure designs, which provide you with the ability to continue providing your products or services, even in the event of an Incident that could jeopardize, harm or even prove catastrophic to your organization. Our Incident Management capabilities begin from handling a simple Event and cover you throughout the management of Disaster Recovery. The fact that our solutions are tailormade to your needs provides you with the assurance of an efficient and robust, yet cost-effective survivability.


An Organization’s conformance with regulatory, legal and/or industry requirements for business operations, data privacy and other business practices. Compliance is achieved through identifying the applicable requirements, assessing the state of compliance, assessing the risks and potential costs of non-compliance and prioritizing, funding and initiating any corrective actions.

Payment Card Industry Data Security Standard (PCI DSS)

The way each organization uses card data varies as data can exist in electronic or paper form. Processes and procedures are subject to each organizations culture and business approach. Card data hosting can be direct or via third parties.

The Standard consists of a widely accepted set of policies, procedures and controls intended to optimize the security of card transactions and protect cardholders against misuse of their personal information. Achieving PCI DSS compliance is a rigorous and challenging process. There is need for time, resources and expertise with in depth technological knowledge to understand and implement increased controls around cardholder data to reduce card fraud.

Security of Network and Information Systems Directive (EU2016/1148 – NIS Directive)

OES and DSP organizations have to implement appropriate technical and organisational measures to manage the risks posed towards the security of their network and information systems. They also have to ensure service continuity by introducing and sustaining appropriate measures to prevent and reduce the impact of any cyber incidents. Organizations have to report all security incidents that have a significant impact to the regulatory authorities.

Senior management have to demonstrate the mandated activity and compliance with due diligence and a responsible culture. This is a benefit for each organization as this improves image and reputation and strengthens the organization’s position across the European Union industry boarders.

General Data Protection Regulation (EU2016/679 – GDPR)

The intention and purpose of the regulation is to strengthen and unify data protection for all individuals within the European Union (EU) while giving citizens better control over their personal data.

Mandatory for all organizations processing European citizen personal data, the GDPR binds public and private organizations significantly increasing their compliance obligations with respect to privacy.

GDPR is a lengthy and multifaceted regulation comprised of 173 recitals that provide additional details and insight into the purpose and functions of the 99 articles of the law.

Implementation requires great effort and focus and should not need to develop in-house expertise, as compliance entails an ongoing assessment of the current, future or new organizational activities.

Information Security (ISO:27001)

Regardless of their information security maturity, organizations pursue independent assurance over their current security practices. ISO/IEC 27001 certification has become a normal prerequisite from customers that need true commitment to safely operate and manage the cyber and information risks.

To implement a successful Information Security Management System (ISMS) requires understanding the organization and identifying the best way to apply the ISO/IEC 27001 standard. This is a demanding and challenging process requiring both time and human resources.

Industry regulators recommend and reference the ISO/IEC 27001 standard as it clearly relates and applies to all industries and organizations with the standard’s broad coverage, flexibility and most importantly a business-led approach.

Odyssey experience in advisory and implementation of the ISO/IEC 27001 spans over ten years in a variety of industries and organizations.

Data Privacy (ISO:27701)

The Data Privacy (ISO:27701) helps you achieve the ISO:27701 certification by baselining Privacy Information security measures and standardizing the requirements of Section #2, Article §32 of ISO 27701, for organizational and technical measures to achieve Confidentiality, Integrity and Availability.

ISO:27701 was conceptualized for the application of the General Data Protection Regulation (EU2016/679 – GDPR). This certifiable International Standard specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS), in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. It is applicable to all types and sizes of organizations, including public and private companies, government entities and non-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS. It specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. Regardless of the formal Certification of your organization, under the provisions and requirements of this Standard, it remains the main tool to maintain a structured and standardized compliance to the GDPR.

Our certified Executive Data Protection Officers and our highly qualified Consultants provide you with all necessary guidance to achieve full compliance with the Regulation and you may be Certified, if you wish, under the provisions and requirements of this Standard.

Business Continuity (ISO:22301)

The Business Continuity (ISO:22301) helps you achieve the ISO:22301 certification by specifying the requirements to implement, maintain and improve a management system to Protect against, Reduce the likelihood of, Prepare for, Respond to and Recover from disruptive events, when they arise. By these means, we prepare you to be able to manage Incidents or even Disasters, and recover back to your business required activities.

Regardless of the context of your organization, the requirements specified by the Standard are intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on your organization’s obligations, operating environment and complexity. Our experienced Advisory team identifies your needs and guides you through the process of achieving a robust Business Continuity Management Systems that allows you to safely continue your operations after an event that would otherwise lead to disaster. Working hand in hand with our experts, you may be Certified, if you wish, under the provisions and requirements of this Standard.

IT Services (ISO:20000-1)

IT Services (ISO:20000-1) help you achieve the ISO:20000-1 certification for establishing, implementing, maintaining and continually improving a Service Management System (SMS), that supports the management of the service lifecycle, including the planning, design, transition, delivery and improvement of services. Such an SMS meets the agreed requirements and delivers value to customers, users and the organization delivering the services.

The adoption of an SMS is a strategic decision for your organization and is influenced by your organization’s objectives, the governing body, other parties involved in the service lifecycle and the need for effective and resilient services. The implementation and operation of an SMS provides ongoing visibility, control of services and continual improvement, leading to greater effectiveness and efficiency, while improving its services. The requirements specified in this International Standard align with commonly used good practices and improvement methodologies.

Your organization can use a combination of generally accepted frameworks and our experienced Advisors can guide you through this process of how to meet the requirements specified in this Standard, while supporting you to avoid misperceptions and harvest all the benefits.

Related Resources




Our advisors are standing by to address any of your enquires. Request a callback now.