
Managing information security risk using integrated governance risk and compliance.

Nicho, Mathew; Khan, Shafaq; Rahman, M.S.M.K.


This paper aims to demonstrate the building blocks of an IT Governance, Risk and Compliance (IT GRC) model, as well as the phased stages of the optimal integration of IT GRC frameworks, standards and models, through a longitudinal study. A qualitative longitudinal single case study methodology, using multiple open-ended interviews, was applied over a period of four years (July 2012 to November 2015) in a retail financial institution. Our empirical study contributes to both academic research and practice in IT GRC. First, we identified the various building blocks of the IT GRC domain from vertical as well as horizontal perspectives. Second, we methodologically demonstrated the gradual evolution of IT GRC from a single ITG framework to multiple IT GRC building blocks. The journey thus throws light on the gradual, staged process by which an organization attains maturity in IT GRC. The resultant IT GRC model thus guides managerial actions towards a better understanding of the positioning of IT GRC building blocks in an organization, through an understanding of the interaction of the vertical and horizontal domains. The results of the paper thus enable practitioners and academics to better understand and evaluate IT GRC implementation in order to achieve effective governance, reduce risk and ensure compliance in organizations.


NICHO, M., KHAN, S. and RAHMAN, M.S.M.K. 2017. Managing information security risk using integrated governance risk and compliance. In Proceedings of the 2017 International conference on computer and applications (ICCA 2017), 6-7 September 2017, Dubai, UAE. New York: IEEE [online], article number 8079741, pages 56-66. Available from:

Conference Name: 2017 International conference on computer and applications (ICCA 2017)
Conference Location: Dubai, UAE
Start Date: Sep 6, 2017
End Date: Sep 7, 2017
Acceptance Date: Apr 29, 2017
Online Publication Date: Sep 6, 2017
Publication Date: Oct 23, 2017
Deposit Date: May 18, 2017
Publicly Available Date: Sep 6, 2017
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Article Number: 8079741
Pages: 56-66
ISBN: 9781538627525
Keywords: IT GRC; IT governance; IT risk management; IT compliance; Risk management; IT GRC model; Integrated IT governance model