SecureSlate GRC Implementation Guide
This guide gives your team a clear path to implement GRC in SecureSlate and complete an audit in 90 days.
It is designed for cross-functional teams across security, IT, compliance, and operations.
GRC Terms Used in This Guide
| Term | What it means |
|---|---|
| GRC | Governance, Risk, and Compliance program covering policies, controls, risks, and evidence. |
| Controls | Required security/compliance activities your team must operate. |
| Frameworks | Standards such as SOC 2, ISO 27001, HIPAA, or GDPR. |
| Risk Register | List of identified risks, owners, severity, and treatment decisions. |
| Treatment Plan | Action plan to mitigate, transfer, accept, or avoid a risk. |
| Evidence | Files, logs, screenshots, and records proving controls are operating. |
| Policy Owner | Person responsible for policy review, approval, and updates. |
| Control Owner | Person responsible for implementing and maintaining a control. |
| Employee Groups | User groupings used for onboarding and offboarding requirements. |
| Checklists | Assigned policy/security tasks employees must complete. |
90-Day Delivery Plan (Audit Completed by Month 3)
| Timeframe | Focus | Outcome |
|---|---|---|
| Weeks 1-4 | Onboarding and planning | Stakeholders aligned, scope finalized, implementation plan approved |
| Months 1-3 | Program import and setup | Controls, policies, risks, and evidence workflows fully running |
| Months 2-3 | Internal assurance and audit prep | Gaps remediated, evidence complete, team audit-ready |
| By end of Month 3 | Internal/external audit execution | Audit performed and completed |
Stage 1: Onboarding (Weeks 1-4)
Goal: Align stakeholders, define success, and build your project plan.
Key activities
- Run kickoff with internal stakeholders
- Identify decision-makers and implementation owners across security, IT, compliance, HR, and operations
- Confirm scoping approach (frameworks, entities, systems, and in-scope users)
- Review existing program elements: controls, policies, risks, and auditor selection
- Finalize your SecureSlate implementation plan with owners and target dates
- Configure platform basics (user roles and permissions)
Stage 2: Program Import and Setup (Months 1-3)
Goal: Build and centralize your full GRC program in SecureSlate.
Key activities
- Integrations: Connect identity, cloud, source control, and ticketing systems
- Controls and Frameworks: Configure frameworks, map controls, and validate test mappings
- Policies: Import/draft policies, assign owners, complete approvals, and map policies to controls
- Risks: Import your risk register and define treatment plans with owners
- Vulnerabilities: Track open vulnerabilities and remediation status
- Personnel Onboarding: Assign checklist tasks by Employee Group for in-scope users
- Access Reviews: Complete your first access review cycle for critical systems
- Vendors: Add third-party vendors and upload due diligence evidence
Milestone: You have a centralized GRC foundation and clear visibility into your current security posture.
Stage 3: Internal Assurance and Audit Prep (Months 2-3)
Goal: Finalize readiness so the audit can be completed within 3 months.
Key activities
- Assign and confirm test/document owners
- Remediate failing tests and document accepted exceptions
- Upload missing manual evidence
- Finalize risk treatments and approvals
- Confirm personnel checklist completion
- Run an internal readiness review with stakeholders
- Share readiness status and reports with leadership
Milestone: Your team is ready to begin and finish audit activities.
Stage 4: Navigating Internal and External Audits (Complete by Month 3)
Your GRC program should prove security posture, not just track tasks. Use this stage to execute the audit efficiently and close it by the end of month 3.
Preparing for your audit
- Assign document and test owners: ensure each policy, test, and evidence task has a clear owner.
- Remediate failing tests early: prioritize high-impact failures first and track remediation dates.
- Upload manual evidence in auditor-ready format: use clear files (PDFs, screenshots, signed documents) where automation is unavailable.
- Complete risk and vulnerability actions: ensure risks have ownership, treatment decisions, and current status.
- Finalize personnel tasks: confirm required employee onboarding/offboarding tasks are complete.
Collaborating with your auditor
- Confirm auditor scope and timelines: align framework scope, evidence windows, and review milestones.
- Share evidence request expectations: map auditor requests to controls and existing evidence locations.
- Provide appropriate access: grant only the access required for audit review.
During the audit
- Track open evidence requests daily
- Assign owners for in-progress audit items
- Monitor completion status and unblock issues quickly
Post-audit follow-up
- Review audit feedback and close action items
- Archive final audit artifacts for future cycles
- Start planning ongoing monitoring for the next audit period