GRC Track

For security practitioners, GRC professionals, and security leaders building governance programmes

Practical GRC for Security Professionals

Governance is an operating system, not a documentation exercise.

17 modules that build a complete GRC programme — risk management, policy frameworks, framework implementation, audit management, and board reporting. Every module produces governance artefacts you deploy in your organisation. Not templates with "[insert company name]" placeholders. Not compliance theatre. Operational governance that reduces risk and satisfies auditors.

[Illustrative dashboard: GRC programme operational status, with panels for the risk register, policy framework, ISO 27001 control mapping, SOC 2 Type II observation period, audit findings, GDPR/privacy, and the next board report.]

Course at a glance: 17 modules, 5 frameworks, 5 certifications, 36-42 hours.

Overview

Most GRC programmes fail because they are built as documentation exercises rather than operating systems. A consultant produces a stack of policies, the organisation passes the audit, and twelve months later the documentation is out of date, the risk register reflects last year's landscape, and the next audit triggers the same panic.

This course builds a GRC programme that runs continuously. Risk management that adapts when risks change — not once a year before the board meeting. Policies that reference the specific technical controls that enforce them. Compliance evidence produced from operational data rather than annual documentation sprints. Audit preparation that is a routine checkpoint, not an existential threat.

17 modules across four phases. The free modules (G0-G2) establish the foundations — the operational GRC philosophy, the policy framework, and the conceptual model. The paid modules build the risk management programme (G3-G5), implement specific frameworks (G6-G10), and construct the governance operations that sustain the programme over time (G11-G16).

Audience profile

Security practitioners moving into GRC. You understand technical controls — firewalls, detection rules, identity management, SIEM. You need to learn the governance disciplines without losing your technical edge. This course teaches GRC through the lens of technical security.

GRC professionals going deeper. You know the frameworks. You need practical implementation knowledge — how controls work technically, how to verify they are operating effectively, and how to produce evidence that auditors accept.

Security leaders building a GRC function. You need a structured approach from zero to audit-ready without a six-figure consulting engagement. The course provides the complete implementation roadmap.

Certification alignment: CISM, CRISC, CGRC (ISC2), ISO 27001 Lead Implementer, CDPSE. The curriculum covers the knowledge domains — the certifications are a side effect.

Course syllabus

17 modules across four phases. Phases 1-2 are sequential. In Phase 3, select the frameworks your organisation needs. In Phase 4, prioritise based on your immediate requirements.

Phase 1 — Foundations (Modules G0-G2, FREE): The operational GRC philosophy, who this course is for, the complete module map, the policy framework as executable governance.

Phase 2 — Risk Management (Modules G3-G5): Risk assessment methodology, risk treatment and controls mapping, risk monitoring, KRIs, and board-level risk reporting.

Phase 3 — Framework Implementation (Modules G6-G10): Complete implementation walkthroughs for ISO 27001, NIST CSF 2.0, SOC 2, GDPR/privacy, and CMMC. Select the frameworks relevant to your organisation.

Phase 4 — Governance Operations (Modules G11-G16): Security awareness programmes, audit management, board reporting, regulatory change management, building the GRC function, and sector-specific governance.

Completion deliverables: Risk register, policy framework, Statement of Applicability, compliance gap analysis, audit programme, board reporting pack, GRC operating model — all built for your organisation during the exercises.

Course modules

17 modules across four phases. Free modules require no account. Paid modules are included in the Premium subscription.

G3: Risk Assessment Methodology — Risk identification, analysis, and evaluation. Qualitative, semi-quantitative, and quantitative methods. Building and maintaining the risk register. Risk appetite and tolerance. Risk ownership. (Coming soon)

G4: Risk Treatment and Controls — Mitigate, transfer, accept, avoid. Control selection and mapping. The Statement of Applicability as a living document. Residual risk assessment. (Coming soon)

G5: Risk Monitoring and Reporting — KRIs and KPIs. Risk dashboards. Board-level risk reporting. Risk escalation. Integrating risk monitoring with SOC data. Quarterly review process. (Coming soon)

G6: ISO 27001 — Implementing an ISMS — Clause-by-clause implementation. Statement of Applicability. Internal audit programme. Management review. Certification audit preparation. 90-day fast-track path. (Coming soon)

G7: NIST Cybersecurity Framework 2.0 — The new Govern function. Framework profiles. Implementation tiers. Cross-mapping with ISO 27001. CSF 2.0 for organisations that need structure without certification. (Coming soon)

G8: SOC 2 — Trust Services Criteria — Type I vs Type II. System description. Control activities. Evidence collection. Working with your CPA firm. SOC 2 as a sales enabler. (Coming soon)

G9: GDPR and Privacy Regulation — UK GDPR, DPA 2018. Lawful bases. ROPA. DPIAs. Data subject rights implementation. Breach notification. International transfers. Privacy by design. (Coming soon)

G10: CMMC — Cybersecurity Maturity Model Certification — CMMC 2.0 levels. NIST SP 800-171 requirements. CUI handling. SSP and POA&M. Self-assessment vs third-party assessment. Scoping to minimise burden. (Coming soon)

G11: Security Awareness — Changing Behaviour — Why traditional training fails. Designing programmes that change behaviour. Phishing simulation data analysis. Role-based training. Security champions. (Coming soon)

G12: Audit Management — Internal audit programme design. Managing external audits. Finding lifecycle. Continuous auditing. Managing multiple concurrent audits. (Coming soon)

G13: GRC Leadership and Board Reporting — Translating security risk into business risk. Board presentations. Committee structures. Budget justification. Communicating bad news. (Coming soon)

G14: Regulatory Change Management — Monitoring, assessing, and responding to regulatory change. NIS2, DORA, EU AI Act, SEC rules, UK Cyber Security and Resilience Bill. (Coming soon)

G15: Building the GRC Function — Organisational design. Staffing and skills. GRC tooling evaluation. The GRC operating model. Maturity assessment. (Coming soon)

G16: Sector-Specific Governance — Financial services (FCA, PRA, DORA). Healthcare (NHS DSPT, HIPAA). Critical infrastructure (NIS2, CAF). Cyber insurance requirements. ESG and cyber risk. (Coming soon)

How to approach this course

Recommended path

Complete Phases 1 and 2 in order: the foundations and the risk management methodology are prerequisites for everything else. In Phase 3, choose the frameworks your organisation requires. Most learners should start with G6 (ISO 27001), because the ISMS structure (scope, risk assessment, Statement of Applicability, internal audit, management review) is a complete management framework, and most of it carries over to the other frameworks in Phase 3.

In Phase 4, prioritise based on your immediate needs. If an audit is imminent, start with G12. If you need leadership buy-in, start with G13. If you are building the function from scratch, start with G15.

How it connects to other courses

M365 Security Operations builds the technical controls. This course maps those controls to governance frameworks, builds the risk context that justifies them, and produces the compliance evidence that proves they work.

Claude for Security Professionals Module C6 covers AI-assisted compliance work. This course provides the governance methodology that makes those AI outputs accurate and useful.

SOC Operations builds operational processes that are, in governance terms, control activities. This course makes that mapping explicit.

Start with the free modules

Three free modules — no account required. Read the operational GRC philosophy, assess the depth, and decide if this is how you want to build your governance programme.