IT GRC tools: Control your environment

07.03.2011

As mentioned earlier, these tools are complex and vary widely--one size does not fit all. Some are strong on policy management, others excel in their support for integration with other tools and systems. One tool may have the richest content library of controls, compliance mappings, threat information, and so on, while another may be notable for its flexibility and extensibility.

"The first question you should ask," says Gartner's Proctor, "is what audience--executives, internal auditors, regulators--are you trying to serve? It stuns me how many companies just don't think of this."

Here are some criteria for determining your corporate IT GRC needs and what you should look for to meet them:

Assess your programs for managing policy, , audit, compliance, and risk. Then determine which of these are your highest priorities and match them against each tool's capabilities. "You want to understand the complexity and burden on your business to see how to make it more efficient through the software you buy," says Rasmussen. "Take an inventory of what you are trying to do today. What assessments are out there, what risk areas, compliance areas?"