GRC Track

For security practitioners, GRC professionals, and security leaders building governance programs

Aligned to ISO/IEC 27001:2022 · NIST CSF 2.0 · NIS2 Directive · DFARS 252

Practical GRC for Security Professionals

Implement governance, risk, and compliance that protects the business — not just satisfies the auditor.

Build a GRC program from risk assessment through audit readiness. Conduct risk assessments that identify what actually matters, build policy frameworks that practitioners follow, implement ISO 27001, NIST CSF 2.0, SOC 2, and GDPR controls operationally, prepare for and manage audits without panic, and report security risk to leadership in terms that drive decisions.

Content last updated: May 2026

Text-based · Persistent labs on your own hardware · 2 free modules available now · 36 CPE credits

What you'll deploy
GRC program framework with risk registers and policy templates
Risk assessment methodology aligned to ISO 27005 and NIST SP 800-30
Audit evidence management system with control-to-evidence mapping
Compliance monitoring dashboards for ISO 27001, NIST CSF, and SOC 2
Board-level security reporting templates
Vendor risk assessment workflow with scoring criteria
GRC program — operational status (sample dashboard)
Risk register: 24 risks tracked (current)
Policy framework: 12 policies active (review: OK)
ISO 27001: 78/93 controls mapped (84%)
SOC 2 Type II: observation period, day 142
Audit findings: 3 open / 12 closed, 1 overdue
GDPR / privacy: ROPA complete (compliant)
Next board report: 14 days — top 5 risks, framework status, investment request
Full program: 5 frameworks, 5 certifications, 36-42 hours
End of Course Exam: 40 CPE credits

What you'll be able to do

Conduct risk assessments that identify what actually matters
Implement ISO 27001, NIST CSF 2.0, SOC 2, and GDPR controls operationally
Prepare for and manage audits without panic
Build policy frameworks that practitioners actually follow
Report security risk to leadership in terms that drive decisions

Operational GRC — not shelfware

Every module produces an artifact you deploy into your security program: a risk register, a policy, a control mapping, an audit procedure. The methodology connects governance decisions to technical controls and operational evidence — KQL queries that prove your controls are working, not just documented.

Who this course is for

Security practitioners building GRC capability. You handle technical security and have been given GRC responsibility. This course teaches the methodology — risk assessment, policy writing, framework implementation, and audit management — from a practitioner perspective.

GRC analysts who want operational depth. You work in governance but want to connect policies to technical controls. This course bridges the gap between compliance documentation and operational security.

Security managers reporting to leadership. You need to communicate risk in business language, justify security investment, and demonstrate compliance. Phase 4 covers board reporting, audit management, and regulatory change.

Anyone with a genuine interest in governance, risk, and compliance. Whatever your background — whether you're transitioning from another domain, early in your career, or exploring a new direction — if the subject interests you and you're willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.

KQL-verified governance

62 KQL verification queries across the course. Every control mapping includes a query that proves the control is operating — not just documented. Risk metrics come from real operational data, not self-assessment questionnaires. The GRC function produces evidence that satisfies auditors because it comes from the same systems the SOC monitors.

What this produces

A working GRC program — risk assessments, policy frameworks, ISO 27001 and NIST CSF 2.0 control implementations, audit preparation documentation, and risk reporting templates. The governance infrastructure that survives audit day — the capability that separates compliance documentation work from genuine governance leadership.

What you will be able to do

1. Build a risk-based security program using structured risk assessment methodology — identifying threats, vulnerabilities, and impacts that drive control selection.

2. Map security controls to frameworks including NIST CSF, ISO 27001, CIS Controls, and SOC 2 — understanding the relationships and avoiding redundant work.

3. Write security policies and procedures that are operationally useful — not shelfware.

4. Implement ISO 27001, NIST CSF 2.0, SOC 2, GDPR, and CMMC using a unified control framework that maps across all standards.

5. Conduct internal audits that identify genuine gaps rather than paperwork deficiencies.

6. Translate security risks into business language for executive and board reporting — risk registers, metrics dashboards, and business impact analysis.

Course at a glance

Modules: 17 (G0–G16) across 4 phases

Estimated duration: 25–35 hours (self-paced)

Format: Written content — annotated KQL queries, SVG diagrams, worked artifacts, knowledge checks

Free content: G0–G2 (3 modules) — no account required

Paid content: G3–G16 (14 modules) — Premium or Team subscription

Typical pace: ~5–10 weeks at 5 hrs/week

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including leading cyber incident response engagements, deploying security controls and managing Governance, Risk and Compliance operations.

The investigation scenarios in this course are grounded in that operational work. The techniques, decision points, and mistakes are drawn from real investigations, sanitized and adapted for training.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Technical requirements

M365 environment: Access to a Microsoft 365 tenant for the KQL-based verification queries. An M365 Developer Tenant (free from developer.microsoft.com) is sufficient.

No specialized tools required. The GRC methodology is framework-agnostic. KQL queries run in the Sentinel or Defender XDR advanced hunting portal.

How to get the most from this course

Recommended pace: 1–2 modules per week, 25–35 hours total.

Phases 1–2 are sequential. They build the risk and policy foundation. Phase 3 framework modules can be prioritized based on which frameworks your organization needs first.

Build the artifacts as you go. Each module produces a document or process. By course completion, you have a functioning GRC program — not just knowledge of how one should work.

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content and course updates

X: @RidgelineCyber

Course Syllabus

Four phases. G0–G2 are free — no account required.

Phase 2 — Policy, Risk, and Controls

G2
Building the Policy Framework — Policy hierarchy (tree diagram), seven enforceability attributes, fishbone analysis of policy failure, the minimum viable policy set (pyramid), policy lifecycle (feedback loop), and mapping policies to controls and compliance requirements (mind map). Three artifacts: hierarchy classification, policy set assessment, policy-to-control mapping.
G3
Risk Assessment Methodology — Risk vocabulary and the anchoring problem. Four identification methods (asset, threat, scenario, control-gap). Calibrated 5-level scoring scales with probability and financial ranges. Risk matrix with ALE calculations. Risk appetite statement with tolerance thresholds and acceptance authority. The populated risk register (15-column model, 10-row worked example). Six KQL queries producing risk evidence from operational data.
G4
Risk Treatment and Controls — Four treatment options (decision tree), control selection methodology (5 criteria), Statement of Applicability (15-row worked example with cross-framework mapping), treatment plans with ALE-based ROI, and KQL queries verifying control effectiveness.
G5
Risk Monitoring and Reporting — 12-metric KRI/KPI catalog with calibrated thresholds. Dual dashboards (operational and executive). Board risk report template (5 sections, 2 pages). Escalation matrix. Quarterly risk review process. Six KQL queries producing dashboard-ready GRC metrics from SOC data. Complete 18-query KQL GRC library.

Phase 3 — Framework Implementation

G6
ISO 27001 — Implementing an Information Security Management System — PDCA cycle architecture. Clause-by-clause implementation (Clauses 4-10) with your existing G2-G5 artifacts as inputs. Statement of Applicability with 93 Annex A controls. Certification timeline and audit preparation. Management review. Surveillance and continual improvement.
G7
NIST Cybersecurity Framework 2.0 — Six functions with the new Govern function mapped to G1-G5 artifacts. Framework profiles for gap analysis with worked current/target profiles. Implementation tiers for maturity communication. Cross-mapping CSF 2.0 ↔ ISO 27001 for dual-framework efficiency.
G8
SOC 2 — Trust Service Criteria — Type I vs Type II with practical path. System description with worked example. TSC-to-control mapping using existing SoA. Evidence collection calendar for the observation period. CPA firm selection and engagement management. SOC 2 as a revenue-enabling sales asset with ROI measurement.
G9
GDPR and Privacy Regulation — Seven principles mapped to technical controls. Lawful basis decision tree. Complete ROPA with worked example. DPIA process with worked security monitoring assessment. Data subject rights implementation with M365 extraction procedures. 72-hour breach notification with worked timeline. International transfer mechanisms and DPO assessment.
G10
CMMC — Cybersecurity Maturity Model Certification — Three CMMC 2.0 levels with level determination. CUI identification, marking, data flow mapping. SP 800-171 cross-mapping to existing ISO/CSF controls. System Security Plan with worked implementation descriptions. POA&M and SPRS scoring. C3PAO assessment preparation. CUI enclave scoping for small contractors.

Phase 4 — Governance Operations

G11
Security Awareness — Changing Behavior, Not Ticking Boxes — Why completion rates measure compliance, not security. Four intervention types from passive to experiential. Phishing simulation with difficulty progression and report-rate focus. Role-based training for finance, IT, developers, executives. Security champions network. Three-layer measurement framework connecting activities to behavior to business impact.
G12
Audit Management — From Panic to Process — Annual audit calendar across ISO, SOC 2, and CMMC. Internal audit program with risk-based rotation. Fieldwork technique with worked findings and interview questions. External audit management playbook. Seven-stage finding lifecycle with root cause analysis. Multi-audit evidence reuse and questionnaire response library.
G13
GRC Leadership — Reporting, Communication, and Board Engagement — Translating security risk into business language. Five-section quarterly board report that drives decisions in 15 minutes. Governance committee structures. Three-framework security budget justification. Communicating breaches, audit failures, and risk acceptances using the Facts-Impact-Actions-Ask framework. Worked templates for every scenario.
G14
Regulatory Change Management — Three-tier monitoring hierarchy for regulatory sources. Four-stage impact assessment with worked NIS2 example. Integration methodology that absorbs regulations into the existing SoA. Horizon scanning: NIS2, DORA, EU AI Act, UK Cyber Security and Resilience Bill, SEC cybersecurity rules.
G15
Building and Operating the GRC Function — Centralized, federated, and hybrid organizational models with RACI. GRC analyst staffing, skills matrix, and career path. Tooling evaluation from spreadsheets to enterprise platforms. Five-cadence operating model (daily through annual). GRC maturity assessment across five capability domains.
G16
Sector-Specific Governance and Emerging Requirements — Financial services overlay (FCA, PRA, DORA operational resilience). Healthcare (NHS DSPT, HIPAA) and critical infrastructure (NCSC CAF) mappings. Corporate governance intersections with cyber accountability. Cyber insurance underwriter requirements and premium optimization. ESG cyber risk and AI governance roadmap.

What you get that you will not find elsewhere

This is not a compliance checklist course. Compliance checklists tell you what to document. This course teaches GRC as an operating system — how to build the governance framework, risk methodology, and compliance evidence pipeline that makes security operations defensible to regulators, auditors, and leadership.

Operational GRC. Every control, every risk assessment, and every compliance artifact is built for a working security operation — not a paper exercise.

Integrated with technical security. GRC is not separate from detection engineering, incident response, or security architecture. This course shows how governance drives technical decisions and how technical evidence satisfies compliance requirements.

Where this course fits

Every other Ridgeline course produces technical artifacts — detection rules, investigation findings, security configurations. This course teaches how to govern those artifacts, measure their effectiveness, and demonstrate compliance.

Recommended learning path: GRC can be taken at any point. It complements every technical course.

The outcome

You start with compliance as a checkbox exercise. You finish with governance as an operating system.

A working governance framework — risk methodology, control mapping, evidence pipeline.

Compliance evidence that auditors accept — generated from real security operations, not fabricated documentation.

Board-ready reporting — risk posture, control effectiveness, and compliance status in business terms.

Prerequisites

Required: 1+ years in IT, security, or a role with compliance responsibilities. Basic understanding of security concepts — you should know what a firewall does, what encryption is, and what a security incident looks like.

Recommended: Familiarity with at least one compliance framework (ISO 27001, NIST, SOC 2, GDPR). Experience writing or reviewing security policies.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Version and changelog

Current version: 1.0  |  Last updated: 2026

2026 — v1.0: Complete course. All 17 modules (G0–G16) active across 4 phases. 62 KQL verification queries. Five frameworks: ISO 27001, NIST CSF 2.0, SOC 2, GDPR, CMMC.

This course is actively maintained. Content is updated as the security landscape evolves.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.