Methodology

The system checks for the existence of applicable controls in each environment using an extensive, continually updated knowledge base built on the GRC Metaframework methodology, which follows the inventory -> analysis -> evaluation -> treatment cycle to help manage risk and compliance issues.

The figure below shows this GRC Metaframework, the flow that the system is based on:

[Figure: GRC Metaframework cycle, inventory -> analysis -> evaluation -> treatment]

The GRC Metaframework methodology complies with the guidelines described in ISO 31000, ISO/IEC 27002, ISO/IEC 27001, ISO/IEC 27005, ISO 15999, and ISO Guide 73 – Risk Management – Vocabulary – Guidelines for use in standards.

Understanding this cycle and its phases (inventory, analysis, treatment, and evaluation) is crucial for correct and efficient use of the system. Chapters 5 (Risk) and 6 (Compliance) explain how to create projects based on this methodology for managing risks and evaluating compliance.