From Risk Identification to Actionable Protection
Maple GRC follows a proven methodology based on NIST CSF 2.0 and ISO 27001 to take you from understanding your risks to implementing the right controls and policies.
Context Analysis
Maple GRC automatically understands your organization's context — your assets, software, departments, and data flows — to build a comprehensive risk profile.
Risk Quantification
Using live threat intelligence feeds and statistical modeling, it surfaces the most likely risk scenarios and calculates the financial impact of each one against your organization's capacity.
Controls & Mitigation
For each risk scenario, view the attack techniques used, the controls needed to mitigate and detect them, and the exact configuration steps to implement each control.
Policies & Plans
The platform drafts unique modular policies, generates training content for specific threats, creates incident response plans, and builds business continuity plans — all tailored to your decisions.
See Maple GRC in Action
Watch a complete walkthrough of how Maple GRC guides you through CyberSecure Canada compliance
Holistic Management of Cybersecurity and Privacy
Maple GRC offers a holistic solution for managing cybersecurity and privacy through a continuous, dynamic, adaptive framework. Everything is app-driven and tailored to your organization's unique context—not one-size-fits-all templates.
By breaking silos between governance, risk, and compliance, Maple GRC empowers your organization to manage cybersecurity as a continuous, evolving process that aligns with business objectives while maintaining compliance and protecting privacy.
Cyber Security and Privacy Governance
Strategic oversight and organizational alignment
Cyber Risk Strategy
Develop adaptable strategies to respond to evolving risks and align with business objectives.
Supply Chain Risk Management
Monitor and manage risks across vendor ecosystems and third-party partnerships.
Policy Management
Align organizational policies with compliance requirements dynamically and maintain consistency.
Oversight and Accountability
Ensure stakeholders remain informed and accountable through transparent reporting.
Closing the Business-Cyber Gap
Watch how Maple GRC governance starts with understanding your organization's context
Cyber Identification Features
Proactively assess and understand relevant cyber risks
Risk Scenarios and Assessments
Identify, analyze, and prioritize risks dynamically based on your organization's context.
Threat Intelligence and Vulnerability Management
Stay ahead with real-time threat intelligence feeds and scanner integrations.
Vendor Assessment
Evaluate and manage risks across third-party partnerships and supply chain.
Assets and Risks Identification
Comprehensive discovery and cataloging of organizational assets and associated risks.
Cyber Detection and Protection Features
Identify risks effectively and build strong defenses
Detection Guidelines
Establish adaptive rules for rapid identification of potential threats and anomalies.
Controls Management
Ensure cybersecurity controls dynamically adapt to risk and compliance needs.
Training and Awareness
Develop employee capabilities to maintain operational security and reduce human error.
Protection Controls and Playbooks
Implement and maintain protection controls with predefined playbooks for common scenarios.
Respond and Recover Features
Minimize damage and ensure business resilience
Incident Plans
Establish workflows to respond to incidents promptly and effectively.
Incident Reports
Analyze and document incidents to drive improvement and build organizational knowledge.
Business Continuity Plans
Minimize downtime and recover from disruptions swiftly with comprehensive recovery strategies.
Incident Response Management
Coordinate and manage incident response across all organizational functions.
Cyber Security Assessments
Simplify compliance while identifying gaps
Privacy Impact Assessments
Evaluate privacy risks and ensure compliance with data protection laws.
CyberSecure Canada Assessments
Prepare for CyberSecure Canada certification efficiently with guided assessments.
Security Assessments
Conduct detailed security evaluations to identify vulnerabilities and gaps.
CAIQv4 Assessments
Simplify assessments using Cloud Security Alliance's CAIQv4 framework.
Compliance Reports and Audit Support
Enable audit readiness and demonstrate compliance
ISO 27001 Audit Reports
Simplify ISO 27001 certification with detailed audit support and evidence collection.
CyberSecure Canada Audit Reports
Streamline the CyberSecure Canada certification process with comprehensive reporting.
SOC 2 Audit Reports
Ensure SOC 2 compliance with detailed reporting tools and control mapping.
Multi-Standard Compliance
Meet PCI DSS, NIST 800-53/800-218, HIPAA, PIPEDA, and Ontario FSRA requirements.
Dynamic and Adaptive Cybersecurity
Maple GRC is built to adapt to the unique needs of your organization. It enables stakeholders to achieve an informed sense of assurance, ensuring risks and controls remain in balance. Its dynamic framework integrates cybersecurity and privacy functions, ensuring they work cohesively to protect your data, maintain compliance, and support your business objectives.
Three Layers of Protection for Complete Coverage
Maple GRC addresses every dimension of cybersecurity — from technical configurations to organizational policies to people awareness — ensuring no gap in your defense.
Technical Controls
View configuration steps to check and implement each control. Maple GRC shows the exact settings to verify and apply across your infrastructure.
Organizational Controls
Policies and controls selected from either relevant risk scenarios identified through threat intelligence feeds, or from baseline security standards such as CyberSecure Canada and ISO 27001. Maple GRC automatically drafts modular policies tailored to your organization's decisions.
People Controls
Training content tailored to specific threats modeled against job functions, ensuring every team member knows how to recognize and respond to relevant risks.
See Each Control Layer in Action
Watch demonstrations of how Maple GRC implements technical, organizational, and people controls
Incident Response Plans
Because there is always a chance for each technical risk to succeed, Maple GRC provides a dedicated incident response plan for every risk scenario.
Business Continuity Plans
If an entire risk scenario materializes, a comprehensive business continuity plan ensures your organization can recover and maintain operations.
Baseline Standard Policies
For standards that require a specific list of controls regardless of risk posture, Maple GRC drafts policies to meet those baseline requirements.

Quantify Cyber Risk in Financial Terms
Stop guessing about cyber risk. Maple GRC uses real threat intelligence and statistical modeling to show you exactly how much each risk scenario would cost if it materializes — and whether your organization can absorb the impact.
Threat Intelligence
Live feeds of data and cyber threat intelligence compared against your organization's context to surface the most likely attack scenarios.
Financial Impact Modeling
Statistical models calculate the potential cost of each risk scenario and compare it to your organization's financial capacity for informed budgeting.
Attack Technique Mapping
Each risk scenario shows exactly how the attack works, the techniques used, and how it is modeled against your specific software and infrastructure.
Optimum Investment Guidance
Receive data-driven recommendations on the ideal cybersecurity spending to balance risk reduction with cost efficiency.
One Platform, Every Standard You Need
Because Maple GRC is built on NIST CSF 2.0 with ISO 27001 management workflows, all other standards and certifications become a reporting layer and feedback mechanism through internal and external auditing — not a separate implementation effort.
NIST CSF 2.0
Core Framework: The app's features are built on the NIST Cybersecurity Framework 2.0, providing a comprehensive approach to identifying, protecting, detecting, responding, and recovering from cyber threats.
ISO 27001
Management Workflow: The management workflow follows ISO 27001, the international standard for information security management systems (ISMS), ensuring a systematic approach to managing sensitive information.
CyberSecure Canada
Certification: Full support for the CyberSecure Canada certification program, helping Canadian small and medium-sized organizations implement baseline cybersecurity controls.
NIST 800-171
Compliance: Meet the requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems, essential for organizations working with government contracts.
CPCSC
Certification: Support for The Canadian Program for Cyber Security Certification, the Government of Canada's initiative to strengthen the cyber security posture of its defense supply chain.
SOC 2
Reporting: Prepare for SOC 2 compliance with automated control mapping and evidence collection, demonstrating your organization's commitment to security, availability, and confidentiality.
Ontario FSRA
Regulatory: Compliance support for the Financial Services Regulatory Authority of Ontario requirements, ensuring financial service providers meet cybersecurity obligations.
And more standards and certifications are continuously being added as reporting layers.
Fully Self-Service with Intelligent Guidance
Maple GRC is designed to be fully self-service, with video and documentation at each step. When you need help, the AI assistant and live support are always available.

Video Walkthroughs
Step-by-step video guides at every stage of your GRC journey, from initial setup to advanced compliance reporting.
In-App Documentation
Comprehensive documentation embedded at each step, so you always know what to do next without leaving the platform.
AI Chat Assistant
Ask the Maple AI Assistant any question about your GRC program — from policy governance to risk assessments and compliance next steps.
Live Chat Support
When you need human expertise, connect with a live support agent directly within the platform for personalized guidance.
Flat, Transparent Pricing
Same platform, same features, same services for every organization. Pay only for the staff in scope. 25% discount for charities and non-profits.
Base price for up to 10 staff users
Plus
Example pricing for different organization sizes:
10 staff
Minimum
$150/mo
25 staff
Small organization
$172.5/mo
50 staff
Medium organization
$225/mo
100 staff
Growing organization
$300/mo
Every Organization Gets Full Platform Access
Powering Cyber Risk Management Across Canada
Maple GRC is trusted by Community Futures Development Corporations, Indigenous Financial Institutions, healthcare providers, and technology companies across Canada to manage their cyber risks and achieve compliance certifications.
50%+
of Ontario CFDCs use Maple GRC to obtain and maintain CyberSecure Canada certification
How Our Customers Use Maple GRC
Achieve CyberSecure Canada Certification
Community Futures Development Corporations across Ontario use Maple GRC to systematically implement controls and evidence collection required for CyberSecure Canada certification, reducing audit time by up to 60%.
Quantify and Communicate Cyber Risk
Organizations use Maple GRC to translate technical risk into financial impact, helping leadership understand cyber risk in business terms and make informed budgeting decisions.
Automate Policy and Control Management
From technical controls to organizational policies and training content, Maple GRC automates the entire control lifecycle, reducing manual effort and ensuring consistency.
Support Multiple Compliance Frameworks
Built on NIST CSF 2.0 with ISO 27001 workflows, Maple GRC supports SOC 2, CyberSecure Canada, NIST 800-171, CPCSC, Ontario FSRA, and more as reporting layers.
Built for Your Organization
Whether you're managing community development, patient care, software services, or critical infrastructure, Maple GRC helps you manage cyber risks and achieve compliance.
Community Development Corps
CFDCs and Indigenous Financial Institutions support local economic growth and financial inclusion, relying on secure operations and compliance to protect their mission. More than 50% of Ontario CFDCs use Maple GRC to achieve and maintain CyberSecure Canada certification.
Key Roles
- Executive leadership establishes cybersecurity programs and ensures compliance
- IT teams implement and maintain controls
- All staff access policies and complete training
Key Benefits
- ✓ Achieve and maintain CyberSecure Canada certification
- ✓ Manage cyber risks to financial systems
- ✓ Protect sensitive business and financial data
- ✓ Reduce audit time by up to 60%
- ✓ Build trust with clients and regulators
Family Health Teams
Family Health Teams support patients and communities by delivering coordinated primary care. They rely on secure operations and regulatory compliance to safeguard trust and continuity of care while managing sensitive patient data.
Key Roles
- Executive Directors and Board members establish cybersecurity programs
- IT teams implement and monitor technical controls
- Clinical and administrative staff access policies and complete training
Key Benefits
- ✓ Strengthen cybersecurity posture
- ✓ Align with CyberSecure Canada and PHIPA requirements
- ✓ Manage cyber risks to patient data
- ✓ Protect sensitive health information
- ✓ Reduce human error and improve resilience
SaaS & Hybrid Software Providers
Software providers manage customer data and must demonstrate strong security posture to their clients. Achieve ISO 27001, CyberSecure Canada, and SOC 2 certifications to build customer trust and win enterprise deals.
Key Roles
- Security and compliance teams establish governance frameworks
- Engineering teams implement technical controls
- All staff understand security policies and responsibilities
Key Benefits
- ✓ Achieve ISO 27001 certification
- ✓ Achieve CyberSecure Canada certification
- ✓ Achieve SOC 2 compliance
- ✓ Build customer trust and confidence
- ✓ Win enterprise deals with compliance requirements
IT Service Providers
IT providers supporting critical infrastructure must demonstrate strong cybersecurity credentials. Achieve CyberSecure Canada certification to qualify for critical infrastructure contracts and government work.
Key Roles
- Leadership establishes security and compliance strategy
- Technical teams implement and maintain controls
- All staff follow security protocols and best practices
Key Benefits
- ✓ Achieve CyberSecure Canada certification
- ✓ Qualify for critical infrastructure contracts
- ✓ Meet government security requirements
- ✓ Demonstrate security maturity to clients
- ✓ Expand service offerings to regulated sectors
Why Organizations Choose Maple GRC
Simple & User-Friendly
Like QuickBooks or Xero, Maple GRC is designed for users to implement themselves. No consultants needed. Just sign up and start managing your cyber risks.
Role-Based Access & Training
Every staff member gets role-specific policies, training content, and incident response guidance tailored to their responsibilities.
Understand Your Cyber Risks
See exactly how much each cyber risk would cost if it materializes. Make informed decisions about where to invest in controls and compliance.
Move at Your Own Pace
Self-service with video guides, in-app documentation, AI chat support, and optional live support. You control the timeline.
Research-Driven Cyber Risk Management
Maple GRC was developed to address the complex challenges organizations face in managing cybersecurity in today's dynamic digital environments.
Our Story
Maple GRC serves as a practical demonstration of the Continuous, Dynamic, and Adaptive (CDA) Cybersecurity Management Framework, a research-driven framework created to continuously balance cyber risks with appropriate controls.
This framework addresses key issues such as fragmented security controls, evolving threats, and the challenge of maintaining compliance with changing regulations—problems that traditional static approaches fail to solve.
Our aim is to enable organizations to move beyond static, one-size-fits-all cyber security management to a more fluid, responsive, and scalable strategy that evolves with the organization's needs and external threats.
Purpose
Maple GRC's purpose is to enable organizations to govern and manage cyber security risks more effectively by integrating continuous, dynamic, and adaptive processes into their governance, risk management, and compliance (GRC) efforts.
By ensuring real-time alignment between cyber security strategies and organizational needs, the platform addresses both operational security risks and compliance demands.
Mission
To enable organizations' stakeholders to establish and maintain an informed sense of assurance that their relevant cyber risks and controls are in balance.
Vision
A world where cyber security is an integrated, continuously evolving aspect of every organization's operations, leveraging scientific research to ensure adaptive responses to emerging threats.
Core Values
Research-Based Solutions
Our platform is grounded in rigorous academic research, developed as part of a doctoral research project. Every function within Maple GRC is designed to solve real-world cyber security management problems identified in research.
Adaptive Risk Management
We focus on helping organizations manage cyber security risks by adapting to both internal changes and external threats, ensuring security measures grow alongside the organization.
Transparency and Integrity
Maple GRC provides a clear, research-driven path to cyber security management, ensuring that security measures are both practical and aligned with organizational goals.
Research Foundation: MapleGRC is based on an innovative framework introduced in a doctoral dissertation by Yehia Ahmed at the University of Colorado Colorado Springs. This research was published in November 2024. For more information, contact us.
Experienced Leaders Driving Innovation
Our team combines decades of experience in cloud engineering, cybersecurity, product development, and business leadership.
Dr. Yehia (Ian) A.
Founder
Ian has 20 years of experience building and scaling technology organizations. He previously founded sustainable ventures, including a Cloud Value Added Reseller and an Accredited ISO Certification Body. Having witnessed the cyber challenges of thousands of customers firsthand, he was inspired to find new solutions through his doctoral research.
Credentials: Doctoral Degree in Cyber Security Management, Master's in Innovation Management, B.S. Electronics Engineering
Omar Khorshid
CTO
Omar has a decade of experience in Google Cloud engineering, data, AI, and architecture. This background provides him with firsthand expertise in scalable engineering, privacy by design, and site reliability (SRE) principles. At MapleGRC, he applies this deep technical experience to build and lead the technology team.
Credentials: PMP (Project Management Professional), Certified Google Cloud Architect, B.S. Electronics and Communication Engineering
Ala Morsy
Product Head
Ala has years of experience as a security engineer, assessing and managing IT environments for organizations of all sizes. This role gave her direct insight into countless data and security tools and the challenges users face. At MapleGRC, she channels this customer-centric experience to lead the product team.
Credentials: Security Engineering background, Customer-centric product leadership
Advisory Board
Samir ElBahaie
Angel Investor, Ex-Googler
Dr. Thomas Martin Key
Cyber Fellow, Professor
University of Colorado Colorado Springs
Dr. Matthew Metzger
Professor of Innovation and Entrepreneurship
University of Colorado Colorado Springs
Meet Our Associations
Maple GRC is an active affiliate and sponsor of relevant non-vendor organizations that help us enhance product and service offerings to our clients. Explore our affiliations below.

In-Sec-M
Canadian Cybersecurity Cluster
In-Sec-M, the Canadian cybersecurity cluster, promotes Canadian expertise globally and supports compliance through programs like the SME Cyber Security Support Program and MaLoi25, offering services that strengthen the ecosystem, including innovation and market development. MapleGRC is proud to be a member of this dynamic network that unites a wide range of cybersecurity stakeholders.
Community Futures Ontario
Supporting Rural Entrepreneurs Since 1985
Community Futures Ontario (CF Ontario) has been empowering rural entrepreneurs since 1985 by offering business counseling, loans, and strategic planning through its network of 60 Community Futures Development Corporations (CFDCs). MapleGRC is proud to be a member of CF Ontario, supporting the growth and development of small businesses in Ontario's rural communities.
Canadian Cyber Threat Exchange
Collaborative Cyber Threat Intelligence
The CCTX enables members to collaborate on reducing financial, operational, and reputational risk through access to timely, relevant, and actionable cyber threat information. MapleGRC is a member of CCTX, helping organizations stay informed about emerging threats and vulnerabilities.
Why These Partnerships Matter
Ecosystem Strength
By partnering with leading industry organizations, we strengthen the broader cybersecurity ecosystem and contribute to advancing Canadian expertise globally.
Enhanced Offerings
Our affiliations enable us to incorporate the latest threat intelligence, compliance standards, and industry best practices directly into Maple GRC.
Client Success
Through these partnerships, our clients gain access to collaborative networks, threat information, and resources that strengthen their cybersecurity posture.
Frequently Asked Questions
Everything you need to know about Maple GRC's cyber security and privacy governance, risk, and compliance platform.
Maple GRC's features are based on NIST CSF 2.0 with management workflow based on ISO 27001. It currently supports CyberSecure Canada, NIST 800-171, The Canadian Program for Cyber Security Certification (CPCSC), ISO 27001, Ontario FSRA, SOC 2, and more. Because of this unique approach, all other standards as well as certifications are a reporting layer and feedback mechanism through internal and external auditing.
Maple GRC automatically understands your organization's context, then compares it with a database and live feeds of data and cyber threat intelligence to surface the most likely risk scenarios. It shows exactly how each risk scenario works out and how it is modeled on your organization's software. Then, it runs a statistical model to show how much this scenario would cost if it materializes and compares that to your organization's financial capacity, supporting decisions on cyber budgeting.
Pricing is based on staff count: up to 10 people at $150/month, up to 50 staff at $300/month, up to 200 people at $600/month, and up to 500 people at $900/month. Each plan includes an implementation pack (4, 32, or 64 hours). A 25% discount is available for charities and non-profit organizations.
Yes, Maple GRC is fully self-service with video and documentation at each step. There is also an AI chat assistant that users can ask questions for guidance on next steps, and there is an option for live chat support if needed.
Maple GRC covers three types of controls: Technical controls with specific configuration steps to check and implement; Organizational controls with automatically drafted modular policies based on your risk decisions; and People controls including training content for specific threats modeled against job functions.
Yes. Because there is always a chance for each technical risk to succeed, Maple GRC provides an incident response plan for each risk scenario. If the entire risk materializes, there is also a comprehensive business continuity plan to ensure your organization can recover and maintain operations.
Absolutely. Maple GRC can be scoped to the entire organization or a specific department, such as the development department, if that is where you want to focus data protection. Pricing is based on the staff count within your chosen scope.
Maple GRC drafts unique modular policies based on your organization's decisions to mitigate specific risk scenarios. It also drafts policies for baseline standards that your organization might choose — standards that have a specific list of controls that must be implemented regardless of risk posture and decision.