CRISAM: every customer has a face

One GRC platform for risk, compliance, controls, audit & reporting

CRISAM® is a method-based governance, risk and compliance solution that brings every GRC discipline onto one platform — built on the process model of ISO 31000. Map a control once, evidence it across many standards, and report from a single source of truth.

Book a demo

Customers

Trusted by 500+ organisations worldwide

Hapag-Lloyd
Dräger
STADA
Vaillant Group
Vossloh

Definition

What is the CRISAM® GRC platform?

CRISAM® (Corporate Risk Application Method) is a method-based GRC standard solution that combines a variety of governance, risk and compliance application areas — integrated risk management, IT and information security management, internal control system, data protection and compliance management — on one platform. It is built on the process model of ISO 31000 and is available as SaaS or on-premise.

  • One platform across four solution areas: Risk & Resilience; Compliance, Controls & Security; Audit & Assurance; and Reporting
  • Multi-compliance mapping — answer a control once, evidence it across many standards
  • Supports UK obligations (UK GDPR, NCSC CAF, FCA/PRA operational resilience, Provision 29, DORA, IIA Global Internal Audit Standards) via the built-in management systems and mapping
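The "map a control once, evidence it across many standards" idea above is a data-model question, so here is an added, illustrative example of it in Python. It is not CRISAM's code or data model: the control IDs, requirement identifiers, evidence records and the shape of the coverage report are all constructed for this example (the standard names are real, but nothing is quoted from them). It shows evidence attached to one control counting towards every standard that references it, and the two ways a gap appears: a mapped control that does not exist in the library, and one that exists but has no evidence.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Control:
    """A control in the shared library. Evidence is attached here, once."""
    control_id: str
    title: str
    evidence: list = field(default_factory=list)  # (date, description) pairs


# Requirement -> control mappings per standard. Standard names are real;
# the requirement identifiers and control IDs are constructed for this
# example and are not quoted from the standards or from CRISAM.
MAPPINGS = {
    "ISO/IEC 27001": [("AC-REQ-1", "AC-01"), ("AC-REQ-2", "AC-02")],
    "NIS2": [("RISK-REQ-1", "AC-01")],
    "PCI DSS": [("REQ-7", "AC-01"), ("REQ-8", "AC-02"), ("REQ-10", "LOG-01")],
}


def build_library() -> dict:
    """Constructed sample control library; LOG-01 is deliberately absent."""
    return {
        "AC-01": Control("AC-01", "Access is granted on a least-privilege basis"),
        "AC-02": Control("AC-02", "Privileged accounts use MFA"),
        # LOG-01 (audit logging) is referenced by PCI DSS but never created.
    }


def attach_evidence(library: dict, control_id: str, when: date, description: str) -> None:
    """Evidence the control once; every standard mapped to it inherits it."""
    library[control_id].evidence.append((when, description))


def standards_satisfied_by(control_id: str, mappings: dict = MAPPINGS) -> list:
    """Which standards a single piece of evidence on `control_id` counts towards."""
    return sorted(std for std, reqs in mappings.items()
                  if any(cid == control_id for _, cid in reqs))


def coverage(library: dict, mappings: dict = MAPPINGS) -> dict:
    """Per standard: requirements covered (mapped control exists and has
    evidence) and gaps (control missing from the library, or unevidenced)."""
    report = {}
    for standard, reqs in mappings.items():
        covered, gaps = [], []
        for req_id, control_id in reqs:
            ctrl = library.get(control_id)
            if ctrl is None:
                gaps.append((req_id, control_id, "control not in library"))
            elif not ctrl.evidence:
                gaps.append((req_id, control_id, "no evidence attached"))
            else:
                covered.append(req_id)
        report[standard] = {"covered": covered, "gaps": gaps}
    return report


def demo() -> dict:
    """Evidence AC-01 and AC-02 once each, then report coverage for all standards."""
    library = build_library()
    attach_evidence(library, "AC-01", date(2026, 1, 15), "Quarterly access review sign-off")
    attach_evidence(library, "AC-02", date(2026, 1, 20), "IdP MFA policy export")
    return coverage(library)


if __name__ == "__main__":
    for standard, result in demo().items():
        print(f"{standard}: covered={result['covered']} gaps={result['gaps']}")
```

Running `demo()` shows the single access-review record on AC-01 satisfying a requirement in each of the three standards, while PCI DSS alone reports a gap because its mapping points at a control nobody created. The practical check this suggests for any mapping-based tool: review the gap list per standard, not just the count of evidenced controls, since one unevidenced shared control silently opens the same gap in every framework that references it.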

Explore the platform

4 areas, one method

Every CRISAM® module shares methods, data model and a reporting engine — so risk, compliance, controls, audit and reporting reinforce each other instead of living in silos.

01 · Solution

Risk & Resilience

Connect enterprise risk, operational resilience, BCM and project risk in a structured GRC environment.

Explore →
02 · Solution

Compliance, Controls & Security

Manage compliance, policies, internal controls, ISMS and data protection with clearer ownership and evidence.

Explore →
03 · Solution

Audit & Assurance

Support audit planning, control testing and evidence management across the Three Lines of Defence.

Explore →
04 · Solution

Reporting

Board-, auditor- and regulator-ready dashboards and reporting from a single source of truth.

Explore →

Risk & Resilience

Integrated Risk Management

Configurable standard software for enterprise-wide risk; reporting for IDW PS 340 (n.F.) is included out of the box.

Information Security Management (ISMS)

A true ISMS: it assesses risk as deviation from a referenced “state of the art” and by business relevance — making risk the steering instrument for IT.

Business Continuity Management

Build a tailored BCM methodically to ISO 22301 and BSI 200-4, with interdisciplinary data and meaningful reporting.

Project Risk Management

Surface organisational, financial, steering and management risks across the project lifecycle before they materialise.

Supply Chain Security Monitoring

Detect current threats and cyber risks across your supply chain in real time — the recurring top business risk.

DORA — Digital Operational Resilience

Operational resilience for financial entities. Sits in Resilience but is regulation-driven — also relevant to Compliance.

Compliance, Controls & Security

Compliance Management

Automate critical compliance processes to ensure adherence to regulations and reduce risk.

Data Protection Management

Stand up an effective DSMS with included processes, policies, workflows and reports for every maturity stage.

Tax Compliance Management System

Document the principles and measures that secure tax obligations and prevent breaches of tax law.

Legal Register

Maintain a legal register, assess relevance and process impact, and report on regulatory changes and their significance.

ESG

Manage sustainability goals and minimise ESG risk on one intuitive platform. Strong overlap with CSRD reporting.

Conflicts of Interest Software

Streamline COI reviews and approvals — replace Excel and manual processes with a modern compliance workflow.

Approvals & Disclosures Workflow

Design anti-bribery, fraud, sanctions and conflict-of-interest programmes with automated approval workflows.

Legal Hold Software

Preserve relevant information during pending or anticipated litigation; protect critical data through the hold process.

CRISAM® Compliance powered by Deloitte

Compliance content and applications delivered in partnership with Deloitte.

Audit & Assurance

Internal Control System & Audit Management

Demonstrate the appropriateness and effectiveness of your ICS per IDW PS 982, supporting the Three Lines of Defence model.

Global Internal Audit Standards

Run internal audit aligned to the IIA Global Internal Audit Standards.

Reporting

Defensible Board Intelligence

Turn one data model into transparent, audit-ready output for every audience — from information-security officers to executive management and external auditors.

  • Dashboards & audit-ready reports
    Configurable dashboards and prefabricated, audit-ready reports make all recorded data, results and analyses available transparently for different recipient groups.
  • Multi-compliance reporting
    Answer a control requirement once and evidence it across several standards; generate compliance reports in a few clicks.
  • Board reports ready in 3 clicks
    Translate risk into the language of the board, weighing security spend against quantified risk with the Return on Security Invest model.

CRISAM® compared

CRISAM® vs. point tools vs. spreadsheets

| Capability | CRISAM® | Point GRC tools | Spreadsheets & docs |
|---|---|---|---|
| All GRC disciplines on one platform | ✓ Integrated | ● Partly | ✗ Siloed |
| Multi-compliance mapping (control answered once) | ✓ Automatic | ✗ No | ✗ No |
| Method-based on ISO 31000 (CRISAM® method) | ✓ Yes | ✗ No | ✗ No |
| ISMS, ICS, BCM, ESG, tax & more in one model | ✓ Yes | ● Some | ✗ Manual |
| Audit-ready reports & dashboards | ✓ Built in | ● Effortful | ✗ Days of work |
| Return on Security Invest / analysis suite | ✓ Built in | ✗ No | ✗ No |
| Standard software, no programming | ✓ Yes | ● Partly | — |
| SaaS & on-premise | ✓ Both | ● Usually SaaS only | — |

Categories are shown rather than named products. ✓ Yes · ● Partly · ✗ No.

FAQs

Your questions about CRISAM®

How many modules does CRISAM® have, and how are they organised?

Roughly 17 application areas, grouped into four solution pillars: Risk & Resilience; Compliance, Controls & Security; Audit & Assurance; and Reporting.

Can we adopt a single module, or do we need the whole platform?

Modules can be adopted individually and integrate into one GRC operating model as needs grow — CRISAM® is a configurable standard solution.

Which standards and frameworks does CRISAM® support?

CRISAM® supports a comprehensive range of international standards, regulatory requirements, industry-specific frameworks, and best-practice methodologies across risk management, business continuity, information security, compliance, governance, and resilience management.

Risk Management & Governance

  • ISO 31000
  • IDW PS 340 (n.F.)
  • IDW PS 981 / 982 / 983
  • Three Lines of Defence Model
  • IIA Global Internal Audit Standards
  • COBIT

Business Continuity & Resilience

  • ISO 22301 (BCM)
  • BSI Standard 200-4
  • EN 50600
  • Pandemic Preparedness & Response

Information Security & Cybersecurity

  • ISO/IEC 27001
  • ISO/IEC 27002
  • ISO/IEC 27005
  • ISO/IEC 27019
  • ISO/IEC 27034
  • ISO/IEC 27701
  • ISO 27799
  • ISO 29151
  • BSI IT-Grundschutz Compendium
  • NIS-G / NIS2
  • IT-Sicherheitsgesetz (IT Security Act)
  • PCI DSS

Data Protection & Compliance

  • GDPR (EU-DSGVO)
  • Legal IT Compliance
  • ISAE 3402

Financial Services & Regulatory Compliance

  • DORA
  • EBA ICT Guidelines

Critical Infrastructure & Industry-Specific Frameworks

  • B3S Energy
  • B3S Healthcare
  • B3S Statutory Health Insurance (GKV/PV)
  • BDEW Whitepaper 2.0

Automotive Industry

  • VDA ISA
  • TISAX®

IT Service Management

  • ISO/IEC 20000
  • ITIL®

Through its flexible framework-based approach, CRISAM® can be adapted to additional standards, regulations, and industry-specific requirements, enabling organisations to manage governance, risk, compliance, security, resilience, and audit activities within a single integrated platform.

How does CRISAM® help us prove compliance, not just document it?

The Reporting pillar turns GRC data into board-, auditor- and regulator-ready evidence across every module — making compliance defensible, not just documented.

No risk – stay in touch

See the CRISAM® GRC platform in action

A live demo with a CRISAM® GRC specialist, tailored to your compliance obligations and existing tooling.

Contact us


CRISAM GRC Limited

20 Red Lion Street

London

+44 20 4634 5000

andreas.schmitz@crisam.net

CALPANA business consulting GmbH

Blumauerstrasse 45-47

4020 Linz

+43 732 601 216-0

office@crisam.net


© 2026 CRISAM GRC Limited