Learn how we empower organizations with innovative GRC solutions, expert insights, and dedicated support to achieve sustainable success.

Governance, risk, and compliance, collectively known as GRC, form the structural backbone of every well-governed organisation. Yet for most UK businesses, GRC maturity is invisible: there is no external measure, no independent score, and no recognised benchmark against which progress can be verified. GRC Index was established to change that.
GRCI operates as a fully independent authority. Unlike consultancies that assess the same organisations they advise — or software vendors whose assessments exist primarily to sell platform licences — GRC Index maintains strict independence from the organisations it evaluates. This separation is fundamental to the credibility of every GRC Index Score issued.
The result is a benchmarking framework that UK organisations, boards, and regulators can trust: objective, evidence-based, and conducted against internationally recognised GRC standards, including the frameworks referenced in the UK Corporate Governance Code, DORA, NIS2, and FCA Operational Resilience requirements.
GRC Index was founded on a single conviction: that governance, risk, and compliance maturity should be measurable, comparable, and improvable — not left to subjective self-assessment or internal reporting that lacks independent verification.
Our mission is to give UK organisations an independent, authoritative measure of their GRC maturity and to equip the professionals responsible for GRC with the knowledge and credentials they need to continuously raise that standard.
In practice, this means two interconnected services: independent GRC benchmarking and assessment — producing the GRC Index Score — and accredited GRC training through our education programmes, covering the full range of frameworks UK organisations rely on: SOC 2, ISAE 3402, ISAE 3000, SOC 1, ISO 27001, GRC Essentials, and advanced DORA and NIS2 compliance.
Together, these services create a continuous improvement loop: assess your current GRC maturity, identify gaps, train your team, and demonstrate improved performance with an independently verified GRC Index Score.
GRC Index provides two core services to UK organisations: independent GRC assessment and benchmarking, and accredited GRC training. These services address the full lifecycle of GRC maturity — from initial assessment through professional development and verified improvement.
Independent evaluation of your organisation's GRC maturity across five domains: Governance, Risk Management, Compliance, Resilience, and Data Security. Each assessment is conducted against internationally recognised standards including COSO, ISO 27001, SOC 2, and ISAE frameworks. Output: a quantified GRC Index Score benchmarked against industry peers.
CPD-certified training courses covering the full range of GRC frameworks relevant to UK organisations. Courses include: GRC Essentials, ISAE 3402, SOC 1 (SSAE 18), SOC 2, ISAE 3000 (including CSRD/ESG assurance), ISO 27001, and GRC Advanced (DORA and NIS2). Available online with certificates awarded on completion.
GRC Index assessments are conducted by independent expert reviewers. Organisations complete a detailed questionnaire aligned to recognised GRC standards, submit supporting evidence — policies, procedures, audit outputs, controls documentation — and receive a structured assessment report alongside their GRC Index Score. The score is benchmarked against a growing dataset of UK organisations across financial services, professional services, technology, healthcare, and public sector.
The GRC Index Score is GRC Index's proprietary maturity benchmark — a quantified, independently verified measure of an organisation's governance, risk, and compliance practices. Unlike internal risk assessments or self-reported compliance checklists, the GRC Index Score is externally validated and benchmarked against industry peers.
What Is Evaluated
After completing the GRC Index assessment process, organisations receive: a detailed domain-level assessment report, a GRC Index Score benchmarked against sector peers, specific recommendations for improvement, and an independently verified score they can share with boards, regulators, clients, and supply chain partners.
According to McKinsey's governance research, 42% of organisations report that their GRC systems require significant improvement — yet fewer than one in five have external benchmarking to validate the current state. The GRC Index Score addresses this gap with an independent, reproducible measure that can be tracked across assessment cycles.
63–66 Hatton Garden, London, EC1N 8LE, United Kingdom
GRC Index is the UK's independent benchmarking and certification body for governance, risk, and compliance (GRC). Organisations complete a structured GRC assessment based on recognised international standards including COSO, ISO, SOC 2, and ISAE frameworks. Each organisation receives a GRC Score — a quantified measure of GRC maturity benchmarked against industry peers across the UK.
GRC stands for Governance, Risk, and Compliance. Governance defines how an organisation is directed and controlled. Risk management identifies and mitigates threats to objectives. Compliance ensures adherence to applicable laws, regulations, and internal policies. Together, GRC provides a unified framework for managing organisational accountability, resilience, and trust.
Yes. GRC Index operates as a fully independent benchmarking authority with no commercial relationship to the organisations it assesses. This independence ensures all GRC assessments and Index Scores are objective and impartial — distinguishing GRCI from consultancies or software vendors that simultaneously sell implementation services and conduct assessments.
The GRC Index Score is calculated by evaluating an organisation's practices across five domains: Governance, Risk Management, Compliance, Resilience, and Data Security. Organisations complete a detailed questionnaire tied to recognised standards, submit supporting evidence, and receive a score analysed by both proprietary algorithms and independent expert reviewers, benchmarked against industry peers.
GRC Index offers CPD-certified online training in: GRC Essentials, ISAE 3402, SOC 1 (SSAE 18), SOC 2, ISAE 3000 (including CSRD/ESG assurance), ISO 27001, and GRC Advanced covering DORA and NIS2 compliance. All courses are UK-focused, practitioner-level, and available online with CPD certificates awarded on completion.
GRC Index training is designed for compliance managers, risk officers, internal auditors, IT governance professionals, data protection officers (DPOs), CISOs, finance directors, and board-level executives. Training spans foundation through advanced levels, covering frameworks relevant to UK-regulated sectors including financial services, professional services, healthcare, and technology.
GRC Index is headquartered at 63–66 Hatton Garden, London, EC1N 8LE, United Kingdom. As a London-based GRC authority, GRCI serves organisations across the UK and internationally, delivering independent GRC assessments and accredited training in governance, risk, and compliance frameworks including DORA, NIS2, ISO 27001, SOC 2, and ISAE standards.