eramba - Design Compliance and Security, LLC

About eramba

eramba (and no, I’m not forgetting to capitalize their name) is an open IT GRC (Governance Risk and Compliance) tool that is designed by individuals who have built and maintained compliance programs spanning multiple sets of disparate requirements. It is designed to allow you to “do” things once (a control or policy review) and apply them to your many requirements (compliance requirements or risks) to increase the efficiency of your GRC efforts.

Design Compliance and Security has been part of eramba’s partner program since 2018 and has implemented and maintained many eramba instances for its customers. We’ve been using eramba for over a decade, are active within its community forums and provided extensive feedback to the team.

eramba Overview

eramba comes in two main flavors – Community and Enterprise. Both Community and Enterprise can be self-hosted or cloud hosted by the eramba team. The Community Edition is available for free for self hosting and is a fully function GRC platform, however, it lacks in the realm of customization, reporting, alerts and add on features. The Enterprise edition contains all features and functionality of the platform, and depending on the value of the US Dollar compared to the Euro, a license can be had for under $3,000 per year for self hosting. There are no limitations on the number of users or quantity of objects used within the system for either edition.

eramba Strengths

eramba really starts to shine once you have two sets of “problems” in the form of compliance frameworks. For example, if you must be compliant with both SOC 2 and ISO 27001, eramba makes it easy to map all of your controls to both sets of requirements (as there’s a significant amount of overlap). This leads to you needing to focus on the execution of your controls and eramba takes care of reporting on your compliance against the framework once everything is mapped together.

This can be both a strength and a weakness in the form of customization. The level of customization available (specifically in the Enterprise edition) makes it so you can tailor the software’s behavior in a near infinite number of ways. The ability to add custom fields, set custom alerts and statuses and reporting makes it so we can usually show people 3 different ways they can do whatever it is they want to do.

Ability to integrate with other systems is also useful. There’s an API which will allow you to send/receive data and the ability to call webhooks from your notifications to trigger things to happen across the rest of your tech stack. There’s also the ability to use SAML for user authentication included as standard functionality – we’ve hooked it up to EntraID and Okta with our clients rather easily. While there’s not a ton of “out of the box, click button receive bacon” type integrations, it’s flexible enough to handle most any system.

eramba Weaknesses

We tend to shy away from the use of eramba for our clients that only have one compliance standard to adhere to (unless, perhaps, it’s ISO 27001, which eramba was originally built for). When using it for a single standard, you end up missing out on the efficiencies of reusing your policies and controls – a set of calendar reminders can end up being just as effective in that case.

The pace of new features and updates is slow and deliberate. The eramba team is not a venture capital fueled shop with a new release every day – they work on their own schedule and make updates that they feel are best for all of the users of the platform, even if at times, the users vocally disagree with them over in their forums. This could also be a strength as the deliberate pace of change has lead to us as users having a stable experience over the years.

Ease (or Difficulty) of eramba Implementation

We typically describe implementing eramba as easy, so long as you have a well thought out GRC program (where you have defined risks, controls and compliance objectives). The concept that is vital to understand is the “problems” versus “solutions” principle. In short, things that you have to do (to mitigate risk or to meet a compliance requirement) is a “problem” while things that you do (implement controls, define policy) are “solutions”. The goal with a good GRC program (and how eramba is structured) is to craft your solutions so that they address multiple problems. If you approach it by defining your problems should also be your solutions, implementing any GRC tool will be like playing a game of 52 card pickup where you are both the dealer and the player.

Our eramba Services

We offer a variety of services related to the eramba platform, including:

Assisting with the installation of your instance
Providing onboarding workshops that supplement the eramba training documentation and videos by using information from your GRC program to begin populating your instance
Providing advisory services to either implement your first GRC program or improve the one you have

We will work with you and your instance of eramba to improve and fortify your governance program with control monitoring, reporting, and considerations to any changes in your regulatory environment. This will not only free up time for your team to focus on business needs, it will also ensure that your program is managed and maintained in a clear and concise UI to better be able to satisfy regulatory requirements. We can also implement eramba to assist with our Compliance Program Management services.

Below is a quick introduction to the eramba platform that will help give a better understanding of the system and its offerings.

If this system looks like something that could improve your governance program, drop us a note in the form below and we’ll get back to you as soon as possible.