Open, evidence-based governance & security standards

Open standards for measurable digital risk.

IGS-C is a neutral, non-profit consortium that develops and maintains open standards for governance, security and digital risk. We help organisations and regulators move from checklists to evidence-based risk reduction.

What we standardise

The core IGS-C standard is the GCR-M – Governance & Cyber-Risk Reference Model. Regional and sector profiles (for example, the OSPCRM Pan-African profile edited by PASC) build on top of GCR-M.

  • A common risk language (context, impact, likelihood, kill-chain impact);
  • Governance and documentation expectations;
  • Metrics to show real risk reduction over time;
  • Integration into ITSM, SOC and DevSecOps.

About IGS-C

IGS-C provides a global, vendor-neutral backbone for digital governance and cyber-risk. Regional bodies such as the Pan-African Standards Council (PASC) maintain their own profiles on top of our core model.

Mission

We advance open, evidence-based standards for governance, security and digital risk so that:

  • organisations can translate technical noise into a clear risk story;
  • regulators and auditors can move beyond checklists;
  • regional bodies can express their priorities through profiles instead of reinventing models.

Scope

IGS-C focuses on standards that:

  • cover governance, risk and security of digital systems and data;
  • are compatible with ISO 27001/27005, NIST CSF, ISO 31000, GDPR, NIS2, DORA and others;
  • are implementation-agnostic and usable with any technology stack;
  • can be validated by independent audit and metrics.

Regional relationship

IGS-C is a global backbone, not a replacement for regional initiatives.

  • PASC is a founding regional member and editor of the OSPCRM Pan-African profile;
  • future regional councils (Latin America, Asia, Caribbean, etc.) can register profiles on GCR-M;
  • this preserves regional sovereignty while maintaining a single technical language.

Standards & Profiles

One core standard, multiple regional and sector profiles. All open, all compatible with existing frameworks.

Core standard

GCR-M – Governance & Cyber-Risk Reference Model

GCR-M defines the risk language, governance expectations, metrics and operational integration points. It is designed to sit on top of ISO/NIST/GDPR/DORA rather than replace them.

  • Contextual and pathway-aware risk model;
  • Kill-chain and structural-control emphasis;
  • Ground-truth metrics (e.g. false-negative rate, precision);
  • Integration into ITSM, SOC and DevSecOps workflows.

View GCR-M v1.3 online · Download GCR-M v1.3 (PDF)
Mapping: GCR-M → ISO 27001/27005 & NIST CSF (PDF)

Regional profile

OSPCRM – Pan-African Sovereign Risk Profile

Edited by the Pan-African Standards Council (PASC), OSPCRM is a GCR-M-compatible profile for African financial and critical services, emphasising sovereignty, structural kill-chain control and contextual risk.

  • Aligned with AU/Malabo, regional DP laws and banking rules;
  • Compatible with GCR-M and IGS-C conformance;
  • Maintained independently by PASC, recognised by IGS-C.

View OSPCRM on PASC
Mapping: OSPCRM ↔ GCR-M & major regulations (PDF)

Profiles roadmap

Future regional & sector profiles

IGS-C welcomes regional standard bodies and sector alliances to develop their own profiles:

  • Latin American financial profile;
  • Asian critical-infrastructure profile;
  • Global cloud services profile;
  • Other sectors aligned with local law and practice.

Profile proposal & approval process (PDF)

Governance & Structure

Auditors and regulators need to know who decides and how. IGS-C governance is designed for transparency, balance and neutrality.

Organisational structure

  • General Assembly – all members; approves standards, profiles and policies;
  • Steering Committee – strategic oversight, conflict resolution;
  • Technical Committees – draft and maintain GCR-M and profiles;
  • Advisory Council – regulators, academics, civil-society observers.

Download Charter & Bylaws (PDF)

Decision-making

  • Public consultations for major changes and new standards;
  • Documented voting rules and quorums in each committee;
  • Change logs and meeting summaries published in the library;
  • Appeal and clarification mechanisms for members and observers.

Technical Committee Rules of Procedure (PDF)
GCR-M change log (PDF)

Independence & conflicts

  • Mandatory disclosure of affiliations and potential conflicts;
  • Editors cannot unilaterally approve their own profiles;
  • Regional and vendor interests balanced within committees;
  • Written conflict-of-interest policy available below.

Conflict-of-Interest Policy (PDF)

Membership & Partners

Membership is open to organisations: regulators, regional bodies, institutions, vendors, auditors and civil-society groups.

| Category | Who it is for | Typical role |
|---|---|---|
| Regional / Founding Members | Continental or regional standards bodies (e.g., PASC). | Maintain regional profiles, represent local regulatory and industry priorities. |
| Regulators & Public Authorities | Central banks, DPAs, sector regulators. | Observer or active member; contribute supervisory perspective and legal alignment. |
| Corporate Members | Financial institutions, critical-infrastructure operators, large enterprises. | Adopt standards, bring operational feedback, participate in technical committees. |
| Auditors & Certification Bodies | Independent assurance firms, security and risk assessors. | Define and deliver conformance assessments, help refine criteria. |
| Academic & Civil Society | Universities, research centres, NGOs and advocacy groups. | Provide research, critique and user-centric perspectives. |

For details on fees and rights per category, see the IGS-C Membership Guide (PDF).

Conformance & Accreditation

Conformance is about demonstrating that a risk model is applied as intended, not about buying a logo.

Organisational conformance levels

  • Level 1 – Aligned: organisation uses GCR-M as a reference and can show internal mapping to existing frameworks and laws.
  • Level 2 – Independently assessed: a recognised assessor has reviewed governance, model documentation, metrics and operations.
  • Level 3 – Certified: organisation or product has passed a formal certification programme, with periodic surveillance and public listing.

Conformance & Certification Criteria (PDF)

Recognised assessors

IGS-C does not sell audits. Independent firms and public bodies may be accredited as IGS-C Recognised Assessors if they demonstrate:

  • expertise in ISO/NIST/GDPR-style frameworks;
  • formal training on GCR-M and relevant profiles (e.g., OSPCRM);
  • independence, ethics and quality controls.

Assessor Accreditation Programme (PDF)
The public list of recognised assessors can be verified below.

Use of names and marks

The expressions “IGS-C GCR-M Compatible”, “Conformant with GCR-M” and similar phrases are controlled compatibility claims.

  • They may only be used after a recognised assessment;
  • Misuse may lead to public revocation and communication to regulators;
  • Details appear in the Legal & IP section below.

Resources & Library

Public materials for implementers, auditors and regulators. All documents will remain openly accessible.

Verify IGS-C Status

Use this tool to verify the status of organisations, profiles or assessors in the IGS-C registry. Only exact matches on registered names will return detailed results.

Only exact matches will return a record. Typing a partial name (e.g. “firstname”) will produce an error asking you to enter the full registered name.

Only exact matches on full registered names are accepted. If you cannot find a provider that claims to be certified, please contact us for further verification.

Contact & Secretariat

For membership, technical questions or media enquiries, use the form below or contact the secretariat by email.

Secretariat details

International Governance & Security Consortium (IGS-C)
Secretariat – contact

Email: contact@igs-c.global

IGS-C is incorporated as a non-profit consortium operating from Luxembourg.