Simplified and Integrated IT Compliance with MetricStream and AWS


How can I automate IT compliance management when I have a mix of manual, custom, on-premises, and cloud controls? How can I get a single view of my IT compliance status and risks? Can I create a single repository of my compliance evidence across my multiple IT infrastructures and environments? 

These questions often come up in our conversations with CISOs, IT Risk/Compliance Directors, IT auditors, and compliance officers from across industries. 

Organizations today use resources, services, and applications across on-premises and multi-cloud environments, which necessitate efficient assessment, monitoring, and reporting of controls across these domains to mitigate risk and ensure compliance. That, however, is easier said than done, for many reasons. 

With varied controls across different environments, the status and risks of each are tracked and reported through their own separate methods and processes. For example, cloud controls are viewed only in the cloud account dashboard, network/application controls in the respective software solution, and custom controls may be viewed in Excel sheets. 

As a result, control testing and assessment are often a manual exercise as many organizations rely on offline, fragmented systems and processes. More often than not, companies customize some controls to better align them to their unique requirements, which further impedes automated testing and evidence collection. The result is an inconsistent, siloed control testing and assessment process – wherein an organization has different workflows and systems for manual, automated, custom, on-premises, and cloud controls – and no single source of truth. 

Collating data from all these disjointed systems and mapping it against industry standards and frameworks, such as PCI DSS, HIPAA, NIST CSF, ISO 27001, SOC 2, and others, can be exceptionally challenging. Resource and budget constraints add to the challenges facing IT risk and compliance managers. 

What organizations need is a one-stop solution that automates control testing and evidence collection against compliance requirements for all enterprise-wide controls and provides consolidated reports. 

With CyberGRC’s integration with Amazon Web Services (AWS) Audit Manager, we, at MetricStream, are taking a step in that direction. 

The MetricStream CyberGRC and AWS Audit Manager Integration

Through MetricStream’s partnership with AWS, we now offer our customers a complete and integrated solution for managing and testing organization-wide controls through the integration of MetricStream CyberGRC and AWS Audit Manager.

AWS Audit Manager continuously audits AWS Cloud product/service usage and streamlines the assessment of risk and compliance with regulations and industry standards. It automates evidence collection to assess the operational effectiveness of an organization’s internal controls framework (policies, procedures, and controls).

Read more about how the solution works: AWS Audit Manager now supports first third-party GRC integration

One of the key benefits lies in the single source of truth the integration provides for all org-wide controls. The solution’s single repository provides comprehensive visibility into controls, test results, and evidence for all controls – custom, application-specific, and multiple infrastructure controls (multi-cloud and on-premises) – all in one place. No more switching between multiple dashboards and spending time consolidating reports.

Most importantly, the control testing results and pass/fail evidence are tied to relevant standards and frameworks. At a glance, the solution provides insights into the number of active assessments created and executed; control testing results by area of compliance, showing which controls are compliant and which are non-compliant, along with JSON evidence for each; the number of controls and accounts in scope for each assessment; the specific resources on which the controls were executed; and much more.

Prasad Sabbineni, co-CEO, MetricStream, discusses the benefits in detail in the article: CyberGRC Just Got More Powerful with AWS Audit Manager

This integration is live now and can be accessed directly by customers using CyberGRC and AWS Audit Manager. We have also worked closely with AWS to ensure the integration process is quick and simple. 

The MetricStream CyberGRC and AWS Audit Manager integration enables you to: 

  • Accelerate decision-making by consolidating access to org-wide controls, test results, and evidence 
  • Save time and costs with automated control testing, evidence gathering, and reports 
  • Obtain a consolidated view of the entire Cyber GRC program with accurate and insightful reports 
  • Improve IT and cyber risk and compliance posture with timely and comprehensive insights 

To learn more about the MetricStream CyberGRC and AWS Audit Manager integration, request a personalized demo today!

Anilkumar GK Senior Director & Head of CyberGRC Product Management, MetricStream

Anilkumar GK leads cyber risk product management for MetricStream, the leader in Governance, Risk and Compliance (GRC) software. As Senior Director, Anil is responsible for product strategy, requirements, product planning and delivery to meet the needs of clients. Anilkumar has been at MetricStream for more than a decade and has nearly 20 years of experience in GRC implementation, product management, supply chain and business consulting, spanning product development, planning, design, delivery and quality assurance. His areas of expertise include Internal Audit, Risk Management, Compliance (including SOX and IT Compliance) Issue Management and Cyber/IT Risk.

Anilkumar is currently leading MetricStream’s cyber risk and compliance product efforts, including user experience optimization, quantification, use of security frameworks and more. He lives in Plano, TX and holds a Bachelor of Engineering in Mechanical Engineering.

Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.