Has your institution organised the security and continuity of its company data, and the privacy of its students and staff? Have your business partners done so? SURFaudit shows you what you should take care of at a minimum for information security and privacy. Determine how your institution is doing and compare with other institutions.

GRC application

With the Governance, Risk and Compliance (GRC) application, institutions can document their information security and privacy maturity and plan the necessary measures. In doing so, this application offers opportunities for a more risk-based approach. The application will be available from December 2023 as part of the SURFaudit service.

What does the GRC application do?

GRC stands for Governance, Risk and Compliance. The primary purpose of the GRC application is to support the quality management process around information security and privacy. The application helps to identify security risks and describe appropriate measures. This gives IBP officers, responsible managers and administrators an up-to-date picture of the institution's information security and privacy maturity so that they can focus on measures to mitigate risks.

One application for the whole sector

By introducing the same GRC application for the entire sector, institutions can more easily collaborate, learn from each other and thus grow in maturity together. The GRC application is also used to retrieve data for the SURFaudit benchmark.

Suitable for every institution

The GRC application is suitable for any type of institution regardless of size, complexity and level of maturity. This is possible thanks to the three usage scenarios within the application (see paragraph further down this page). Each institution can implement the application according to the scenario that suits its current working methods and context. For example, the GRC application can provide comprehensive information for experienced risk managers and compliance officers of large institutions. But it is also useful for the IBP officer of a smaller institution with less experience.

Starting small

When tendering for the MBO-wide GRC application, we carefully considered the different needs of educational institutions. Smaller schools need basic functionality. Here, the assessment framework is central: for each management objective, maturity is scored and the corresponding documentation is linked as evidence. This minimal set-up is sufficient for benchmarking and participating in a peer review or audit. But the application can do much more, for example setting out tasks and monitoring the schedule for working on measures, up to more advanced forms of use, where the institution also defines and manages its own risks and measures.

One package: three scenarios

The GRC application is initially set up to support the three usage scenarios:

  1. Basic use: focused on accounting for maturity.
  2. Extended: managing tasks and limited risk management.
  3. Advanced: up to full risk-based working.

Within these scenarios, institutions can turn more functions on and off themselves. In this way, the GRC application encourages growth from compliance-based working to a more risk-based approach.

You can read more about the three usage scenarios on the SURFaudit wiki. The decision aid for the GRC application helps you determine the right scenario to start with.