The client, a global casino and resort company operating in the B2C vacation and leisure industry, engaged Myna to assist in aligning, enhancing, and renovating its current risk and controls tracking practices. The goal was to align with the in-scope ISO 27001:2022 framework and support a smooth transition of offline practices onto OneTrust.
The client had previously engaged a consulting firm to implement the OneTrust GRC module to support its risk management objectives; however, the implementation failed to deliver value. Additionally, internal teams lacked familiarity with OneTrust’s IT Security Risk Management (ITSRM) and Compliance Automation (CompAuto) modules. They were uncertain about the best route forward and emphasized their challenges in tracking current risks and controls across multiple jurisdictions and several business units.
Additionally, their existing method of assessing risk by asset type, threat, and vulnerability did not align well with OneTrust’s control-based framework.
OUR SOLUTION:
While risk tracking and scoring were important, Myna prioritized configuring the program from a control-based perspective. Through deeper discussions, we identified that the client’s main challenge was the inability to automate the distribution of control-related tasks across business units, together with limited visibility into how controls related to risks, evidence tasks, and other controls.
Myna focused on reviewing the client’s organizational structure and control layout, which led to introducing a new approach for identifying risk at the control level. We divided the client’s jurisdictions and business units and created custom controls aligned with the ISO 27001 framework. Myna created approximately 1,200 controls and 600 evidence tasks across 4 jurisdictions and successfully duplicated these efforts from the OneTrust UAT environment to the production environment.
Our team took a coordinated approach, managing the bulk import and updates to ensure accurate data migration into OneTrust while simultaneously working with the client to develop a tailored risk questionnaire to update risk scores and applicable controls. We configured automation rules to reopen risks annually for assessment and set up the Compliance Automation module to streamline evidence task distribution, ultimately enhancing operational efficiency and supporting a sustainable risk management program.
Program Outcomes
In the final stages of the engagement, the client achieved:
- An automated ability to address updates to company risks and controls, reducing manual effort and ensuring data accuracy.
- Enhanced visibility into the history of changes to risks and controls, supporting effective governance and decision-making.
- Clear tracking of the progress of both risk owners and control owners in fulfilling the tasks required by the company’s risk management processes.
- Improved audit readiness with simple, consolidated reporting on all risks, controls, and related data.
- Increased trust in the solution and partnership, built through weekly working sessions and close collaboration, enabling Myna to take greater ownership of design decisions.
- Effective guidance through OneTrust feature challenges, supported by Myna’s consistent expertise and ability to maintain client confidence throughout the engagement.