Here is how to use the OCEG GRC Capability Model in terms of implementations. This answers a question I received about how OCEG and UCF (Unified Compliance Framework) work together.

This video provides and answer to a question I received on this topic.

To learn more about GRC come check out our courses below:

GRC Professional Training (9 CPEs)
pass the exam in ONE WEEK! Learn all the tips and tricks to pass on your first try!

GRC Auditing: (5 CPEs)

This video answers a question I received on this video:


Please excuse error since done by a computer

00:00:01.319 –> 00:00:11.790
Jason Mefford: Hi everybody this is Jason Mefford I received a question on one of the previous videos that I’ve done. So I thought I’d go through and read the question and then

00:00:12.269 –> 00:00:21.300
Jason Mefford: Have this video help to explain and provide the answer, because I’m guessing. Some of you may have this same question.

00:00:22.290 –> 00:00:32.430
Jason Mefford: So the question came in from Vinod Andani and they say, how do you consider outside capability model in terms of implementations

00:00:33.120 –> 00:00:51.780
Jason Mefford: Does this guide on how to set up eg RC or integrated risk management or defined standard controls, where you see after the unified compliance framework also considers this as part of unification of controls on compliance requirements.

00:00:52.980 –> 00:01:07.290
Jason Mefford: If I were to design eGRC is this one of the authority documents slash standards guidelines in addition to nest ISO etc totally confused on usage of post sec

00:01:07.950 –> 00:01:14.070
Jason Mefford: Okay, so let me go through and just kind of explain here because there’s a couple of things going on.

00:01:14.940 –> 00:01:26.940
Jason Mefford: So the first one is to make sure that you’re clear on the difference between mandatory and voluntary requirements. So when you’re talking about compliance.

00:01:27.450 –> 00:01:38.550
Jason Mefford: We used to refer to something as being a mandatory compliance, so that would be things like laws and regulations, those things that your organization has to follow.

00:01:39.270 –> 00:01:50.400
Jason Mefford: Voluntary are other documents, your organization chooses to follow. So, for example, an ISO standard is usually not required.

00:01:50.910 –> 00:01:59.100
Jason Mefford: The O sag framework is usually not required. So both of those would be considered voluntary.

00:01:59.880 –> 00:02:07.650
Jason Mefford: versus, you know, maybe like a privacy law in your country would be considered something to be mandatory.

00:02:08.430 –> 00:02:16.980
Jason Mefford: So first off, like I said, you have to remember and keep straight. The difference between mandated or mandatory and voluntary. OK.

00:02:17.640 –> 00:02:23.880
Jason Mefford: Now the second thing, there was there was a reference in here to UCF for the unified compliance framework.

00:02:24.510 –> 00:02:35.850
Jason Mefford: So what what UCF does is, it is a tool that allows you to select different documents and I’m going to use the term authority documents.

00:02:36.660 –> 00:02:43.710
Jason Mefford: So an authority document could be a mandated compliance requirement or it could be voluntary.

00:02:44.130 –> 00:02:52.410
Jason Mefford: But it’s a document that you, it’s an authority document that you are choosing to comply with either because it’s mandatory or voluntary.

00:02:53.100 –> 00:03:06.330
Jason Mefford: Now what UCF does is they take the language from each of those authority documents and they map them back to the little same list of common controls.

00:03:06.840 –> 00:03:19.470
Jason Mefford: So, for example, a lot of the ISO documents, one that the nog also referred to as nest and oh sag. Those are all documents in the UCF.

00:03:20.160 –> 00:03:32.280
Jason Mefford: Framework that you can select so what you decide to say okay if I need to follow NIST I add that to my list. If I need to follow ISO standards and I’ll, I’ll add those to it.

00:03:32.730 –> 00:03:43.740
Jason Mefford: If I want to follow the same framework. You can also add that to it. Now what the UCF tool does is it takes all of those different mandates are things that you are asked to do

00:03:44.220 –> 00:03:58.320
Jason Mefford: And it maps them back to the same list of common controls and so you can use that tool as a way to help you kind of D duplicate and figure out exactly what it is that you need to do.

00:03:58.830 –> 00:04:15.570
Jason Mefford: Because every time that you add a new authority document. It doesn’t mean that you have to do, maybe 300 new things. There may only be 50 new things that you have to do because you’re already doing 250 of them. So like I said,

00:04:16.590 –> 00:04:28.710
Jason Mefford: To start with, you know, there’s a difference between mandated and voluntary and then this is that’s a little overview of what the UCF framework does for organizations.

00:04:29.280 –> 00:04:40.350
Jason Mefford: So you need to decide which authority documents you want to comply with. And so the question was about the OH segue framework. And so this is the Osage GR C capability model.

00:04:40.830 –> 00:04:50.730
Jason Mefford: And this is one of the frameworks that I helped to develop. Now, you also need to think about the G the ER and the C and G RC.

00:04:52.140 –> 00:05:00.660
Jason Mefford: The OSI model is intended for you to help you in developing an integrated GR C capability.

00:05:01.110 –> 00:05:09.600
Jason Mefford: And what that means is that the different silos or functions or departments or whatever you call them in your organization are working together.

00:05:10.110 –> 00:05:19.770
Jason Mefford: So that that framework or I’ll use that word framework or model for them has different components and elements that you need to include

00:05:20.430 –> 00:05:36.330
Jason Mefford: To kind of have a complete picture 4G RC. So if you for example, compare oh sags model to an ISO standard, you may notice that the OH sag model is more broad

00:05:36.720 –> 00:05:51.090
Jason Mefford: Because it’s trying to be for the whole of GR C, not for a particular thing like ISO 27,001 only relates to is Ms or information security management systems. Okay.

00:05:52.200 –> 00:06:04.890
Jason Mefford: So you’ll notice that the OSI model would bring in more things than just ISO 27,001 by itself. So there’s those the the list of components.

00:06:05.520 –> 00:06:17.850
Jason Mefford: And elements that you need to have in place and in the OSI model, there is also what are called implementation or design considerations when you are designing controls.

00:06:18.630 –> 00:06:33.570
Jason Mefford: So if you want to use the OSI model as one of the authority documents and you’re using UCF, you would select that in your list of authority documents that you want to comply with

00:06:34.140 –> 00:06:44.580
Jason Mefford: Now what it’ll do is all of those actions and controls will be mapped back to that same list of common controls that the UCF has okay

00:06:46.590 –> 00:06:59.310
Jason Mefford: So hopefully that helps in trying to answer this, you know, the, the, the question about around eg RC, I guess, let me focus. Let me touch on that before I sign off here to

00:06:59.940 –> 00:07:14.280
Jason Mefford: Eg RC usually is relating to kind of the it component to it. So the GR C software that you are using. Now if if you’re if you also want to follow the

00:07:14.880 –> 00:07:22.920
Jason Mefford: Guidelines and yes I would suggest that you include that in or consider that with some of those other things that you’re looking at.

00:07:23.370 –> 00:07:32.610
Jason Mefford: It’s not required. It’s a voluntary thing that your organization can choose to follow. Just like Nestor ISO, or some of these other voluntary things

00:07:33.300 –> 00:07:43.380
Jason Mefford: But it is another option for you to be able to do that. So hopefully that helps if there’s other questions about it, please leave a comment below and I’ll get it answered for you.

Leave a comment