​​​​​​​Governance, Risk & Compliance (GRC)

Red Piranha’s Governance, Risk & Compliance GRC services provide you with expert knowledge across relevant standards and frameworks, supported by our range of products to ensure you achieve compliance and raise your assurance levels.

Increasing Pressure

Organisations are under increasing pressure to meet a range of information security compliance requirements such as ISO 27001, ISM, NIST, Essential Eight, GDPR, PCI and HIPAA to continue doing business in today’s climate. Chief Information Security Officers (CISOs) who typically look after these compliance requirements are becoming highly sought after, and with that demand comes increasing cost – making them unattainable for many businesses.

How are you going to find someone with all the skills and knowledge, without the liability and expense of additional head count?

The Compliance Journey

Achieving compliance against various standards is a long and demanding process. There is no quick fix - it takes time and requires ongoing support from senior management. It’s important you find a trusted partner to help you along this journey because you’ll need the right people around you to get to the destination. We’re here to help.

Governance, Risk & Compliance (GRC) - The Red Piranha Advantage

Red Piranha’s global team of highly qualified and certified security and compliance experts deliver our extensive range of security services. Coupled with our ISO 27001 certified security operations for the Crystal Eye Platform, you can obtain a solid foundation to meet your compliance requirements and automatically protect, detect, and respond to evolving threats.

Crystal Eye’s machine learning capabilities provide automation of routine tasks such as traffic monitoring and network analysis which allows time to focus on priority tasks that require human intervention such as meeting compliance requirements. Red Piranha is one of only a few security organisations with a fully ISO 27001 certified process to ensure delivery of the highest quality of service, giving you the confidence and peace of mind, you’re partnering with the right team.

We have one of the fastest growing security teams in Australia and Asia-Pacific to ensure we continue developing our world-class technology platform and continue delivering our best-in-class security consulting services. In addition to our global presence, the majority of our security team reside in Australia to be able to provide hands-on capabilities to our Australian customers as well as customers in other regions.

Security Maturity Model - Governance, Risk & Compliance (GRC)

Maturity Modelling is a pragmatic method of evaluating the current state of your cybersecurity posture as measured across the various security aspects that your business needs to address. Governance, Risk & Compliance allows you to clearly communicate your status to various stakeholders and prioritise high risk areas as well as mapping out the next steps in your organisation’s security journey.



Ensure Compliance
Raise Awareness

Avoid Financial Penalties


Can you afford the financial and reputational damage of a security breach?
  • It’s time to get compliant and reduce risk.


Achieving certification is no longer just an obligation - it’s a competitive advantage!
  • It’s time to get the upper hand in your market.


Are your policies and procedures up to date and regularly reviewed?
  • It’s time for the experts to get you compliant.
Security Aspect Initial Developing Defined Managed Optimised
Patch Management and Antivirus Inconsistent Automatic updates, No Reporting Some automation and reporting Documented & consistently applied Measured and Reported. Enforced by endpoint mgmt tools Continuous improvement and innovation
Firewall & Network Segmentation Simple perimeter firewall, ad-hoc desktop firewalls Dedicated firewall appliance and/or DMZ Multiple firewalls and network segmentation Centralised firewall configuration management Continuous improvement and innovation
Identity & Access Management Ad-hoc with no process Domain users & computers, some access restrictions/structure Documented change control processes and JML processes Analysis, visualisation and reporting tools Continuous improvement and innovation
Asset and Configuration Management None Register of assets and deployment documentation Asset discovery and reporting Configuration change mgmt & license mgmt tools Continuous improvement and innovation
Information Classification and Protection None Ad-hoc file/disk encryption, inconsistent visual Structured & unstructured data classification, defined meta-data / templates Discovery, Data Loss Prevention / Rights Management Continuous improvement and innovation
Monitor, Alert and Incident Response None Some logging, inconsistent monitoring Basic SIEM deployed, embryonic continuity plans SIEM tools integrated with most areas. Regular reviews, response and recovery tests Continuous improvement and innovation
Risk Management and Governance None Ad hoc risk assessments, developing security policies Regular risk assessments and migitation planning, ad hoc awareness training Regular policy reviews. Training and compliance tracking Continuous improvement and innovation

1. ScopingGRC Compliance modelling process​

The compliance journey begins by defining the business objectives and setting roles and responsibilities for the business functions that need to be included in the compliance process.

2. Determine regulatory requirements

It’s not easy to know which standards and frameworks are relevant to your organisation. Equifax were fined £500,000 for a GDPR breach after being hacked in 2017, even though the incident occurred with the US parent on US infrastructure. The Information Commissioner’s Office (ICO) in Europe held the UK subsidiary accountable for not protecting their European customers’ data. It’s vital to know which regulations apply to avoid significant penalties and loss of business.

3. Security assessments / Gap analysis

Relevant security assessments need to be undertaken by an external party to gain a solid understanding of you current security posture. A Gap analysis will then benchmark you against your required level of security and identify the areas that need to be addressed. You can’t fix what you can’t see.

ISO 27001GlobalGeneralStandard
Essential EightAustraliaGeneralGuidelines
NISTUSACritical InfrastructureFramework
PCIGlobalPayment processingStandard

ISO 27001

ISO/IEC 27001:2013 is an international standard published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) to define information security management systems. It is part of the ISO/IEC 27000 family of standards and is often considered the bible of information security standards. ISO certification is becoming more of a requirement to do business with companies who choose to set standards for their partners and suppliers. Certification against ISO 27001 is a demanding process and requires an authorised external auditor. The standard includes the following key steps:

  • Organisational context and stakeholders
  • Information security leadership and high-level support for policy
  • Planning an information security management system; risk assessment; risk treatment
  • Supporting an information security management system
  • Making an information security management system operational
  • Reviewing the system’s performance
  • Corrective action

Red Piranha is one of the few IT security organisations to achieve ISO 27001 certification and our exposure to the process enables us to take you through the process with an intimate understanding of what’s required. Would you trust your ISO certification with someone who isn’t ISO certified themselves?


The Australian Government Information Security Manual (ISM) is published by The Australian Cyber Security Centre, which is part of the Australian Signals Directorate. This standard outlines a cyber security framework for Australian Government departments and can also be applied to private enterprises looking for a risk management framework. It includes a comprehensive set of 22 guidelines covering topics such as security incidents, physical security, personnel security, enterprise mobility and system hardening to name a few.

ACSC Essential Eight   Essential Eight

The Essential Eight is a prioritised list of 8 strategies put together by the Australian Cyber Security Centre to mitigate cyber security incidents to assist organisations in protecting their systems against a range of cyber threats. The strategies can be tailored based on an organisation’s risk profile and the types of threats of greatest concern.

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Daily backups

Governance, Risk & Compliance (GRC) - Key Areas of Compliance

Areas of cyber security compliance​


We can help you achieve compliance through our extensive range of services: