Governance can be broadly defined as putting into place the organizational structures and processes needed to ensure that business and technical strategies and objectives can be achieved. In the previous chapter, we described how to secure the IIoT architecture to mitigate risk associated with cybersecurity threats. Here, we'll describe how architectural planning for governance and risk avoidance in Industrial Internet projects can lead to compliance with worldwide, domestic, and industry regulations. The assessing of governance, risk, and compliance is sometimes referred to as GRC.

We will take a broader view of GRC here beyond standards and certifications. In addition to securing the infrastructure and data, we will also touch on data governance that will help assure data validity and maintain the integrity of the project's goals.

We will begin the chapter by discussing the fundamentals of GRC. We'll then consider some of the international certifications that should be understood. Then, we'll describe data sovereignty considerations and some of the government and public institution compliance regulations. Finally, we'll look at compliance certifications that are unique to specific industries and some of the complexities in determining which guidelines might apply. Then, we'll explore GRC in our supply chain optimization example.

The chapter is divided into the following major sections:

• Assessing governance, risk, and compliance
• International compliance certifications
• International consortia and emerging standards
• Government and public institution compliance
• Industry compliance certifications
• Which guidelines apply
• GRC in the supply chain optimization example

When you complete this chapter, you should understand the fundamentals of GRC. You should also gain an understanding of the scope of compliance requirements that could be relevant for your project.