Governance, Risk and Compliance (GRC) system
Tender ID: 597633
Tender Details
Tender Description
Managing security governance, risk, and compliance (GRC) within enterprises presents challenges due to increased complexity and resource requirements. This is particularly the case with IT system security risk because of continuously evolving compliance requirements, the number and complexity of IT systems, and their interdependencies. Additionally, security risk and compliance activities are often distributed among multiple stakeholders, which can result in varying approaches, dispersed knowledge, duplicated efforts, and oversight gaps.
This fragmentation affects the ability to maintain an up-to-date understanding of the organisation's risk profile, compliance status, and necessary actions. This subsequently limits the organisation's capacity to identify, assess, and address risks proactively.
This initiative seeks to improve enterprise security governance and assurance by implementing a GRC platform in conjunction with relevant policies, processes, and procedures. The solution aims to deliver ongoing compliance monitoring and risk assessment, encourage consistent and effective management of compliance information, and centralise the tracking of risks and outstanding actions. The initial scope will cover information and cybersecurity, with plans to extend capabilities to other areas as development progresses.
The users and their needs
As a system implementer, I want to:
- Understand the current security compliance requirements for my system
- Understand the compliance status, inherent risks, and shared responsibilities for components on which I depend for the security of my system
- Capture the intended approach for complying with applicable security controls
- Reference existing control treatments for components upon which I am dependent
- Capture outstanding control treatment actions, milestones, and associated risks.
As a system maintainer, I want to:
- Understand changes to security compliance requirements for the systems I maintain
- Capture the intended approach for complying with changed or new security controls
- Capture outstanding control treatment actions, milestones, and associated risks
- Capture the outcome of regularly occurring assurance activities
- Capture any risks that arise through operational activities.
As a system owner, I want to:
- Understand the current risks inherent in my system
- Collate and present the information needed to seek authorisation to operate my system in accordance with the 6-step risk management process defined in the ISM
- Keep a record of the authorisation to operate my system and any associated conditions
- Collate and present the information needed to provide the authorising officer with annual updates on my system’s security posture and associated risk.
As an IT security risk manager, I want to:
- Centrally store, disseminate, and maintain security control baselines, catalogues, and other regulatory requirements
- Identify systems impacted by changes to security control baselines so that system owners, managers and maintainers can be proactively notified
- Centrally report on risks at the enterprise and system levels
- Track progress towards remediation of identified risks.
As a security risk executive, I want to:
- Understand security risks at the enterprise and system levels
- Review applications to authorise systems for operation in accordance with the 6-step risk management process defined in the ISM and provide a record of my decisions.
As an IT security auditor, I want to:
- Understand the intended approach for complying with applicable security controls
- Describe the efficacy of implemented controls, the method used to test, when it was tested, and recommendations for effective treatment
- Capture a human-readable security assessment report.
Work already done:
Technical/business constraints:
SaaS products are preferred and must have a current IRAP assessment at the PROTECTED level.
Industry briefing:
Response format
- References
- Relevant case study
Key dates/milestones:
We are seeking to implement the GRC system within this financial year.
Location
New South Wales : Central West : Far North Coast : Far West : Hunter : Illawarra : Mid North Coast : Murray : New England : Orana : Riverina : Southern Highlands : Sydney
Queensland : Cairns & Far North Queensland : Gladstone : Mackay Whitsunday Region : Mount Isa & North West Region : Rockhampton : South East Queensland : South West & Darling Downs : The Central West : Townsville : Wide Bay Burnett
Victoria : Barwon South West : Gippsland : Grampians : Hume : Loddon Mallee : Melbourne
South Australia : Adelaide : Eyre & Western : Far North : Fleurieu & Kangaroo Island : Limestone Coast : Murray & Mallee : York & Mid North
Northern Territory : Barkly : Big Rivers : Central Australia : East Arnhem : Greater Darwin : Top End
Australian Capital Territory
Tasmania