Course Introduction
What this course is
This is a practical governance, risk, and compliance course for security professionals — the operational methodology that turns GRC from a documentation exercise into a functioning capability. Seventeen modules take you from foundations through policy frameworks, risk assessment, five major compliance frameworks, audit management, and GRC leadership.
Governance, risk, and compliance are three words that make most security practitioners reach for the exit. The typical GRC experience involves a consultant handing over a spreadsheet with 400 controls, a policy template pack full of "[insert organization name]" placeholders, and an invoice for $50,000. Six months later, the spreadsheet is out of date, the policies live in a SharePoint folder nobody visits, and the next audit triggers the same panic as the last one.
That model is broken. GRC is not a documentation exercise. It is an operating capability — a system that continuously aligns security controls to business risk, regulatory obligations, and organizational objectives. When it works, it funds security projects, defends budget decisions, satisfies auditors, and gives leadership the information they need to make informed risk decisions. When it doesn't work, security teams spend their lives filling in spreadsheets instead of reducing risk.
This course teaches GRC as operations, not paperwork. Every module produces deployable artifacts — policy documents, risk registers, control matrices, audit evidence packs, and board reports — built for Northgate Engineering and adaptable to your own organization. The artifacts are designed for use, not for a consultant's deliverable folder.
What this course teaches
Seventeen modules across four phases. G0 and G1 are free — no account required.
Phase 1 — Foundations (G0, G1). You are here now. G0 establishes the course structure, prerequisites, and learning methodology. G1 addresses what GRC actually is and why it fails — the operational model vs. the documentation model, the three failure modes (compliance theatre, risk register theatre, audit-driven security), and the assessment that measures where your organization's GRC function stands today.
Phase 2 — Policy, Risk, and Controls (G2–G5). Four modules building the core GRC machinery. Building the policy framework — the hierarchy (policy → standard → procedure → guideline), writing policies that people actually read, the approval lifecycle, and the policy exception process (G2). Risk assessment methodology — threat identification, likelihood and impact scoring, risk appetite, quantitative vs. qualitative methods, and the risk register that drives every decision (G3). Risk treatment and controls — the four treatment options (mitigate, transfer, accept, avoid), control selection, control mapping to frameworks, and the Statement of Applicability (G4). Risk monitoring and reporting — risk dashboard design, KRI tracking, risk reporting cadence, and communicating risk in business language (G5).
Phase 3 — Framework Implementation (G6–G10). Five modules covering the major compliance frameworks practitioners encounter. ISO 27001 — implementing an ISMS from scoping through certification, with the clause-by-clause walkthrough and the Annex A control selection methodology (G6). NIST Cybersecurity Framework 2.0 — the six functions (Govern, added in 2.0, plus Identify, Protect, Detect, Respond, and Recover), implementation tiers, profiles, and the gap analysis methodology (G7). SOC 2 — Trust Service Criteria, the Type I vs. Type II distinction, evidence preparation, and the audit lifecycle (G8). GDPR and privacy regulation — data protection principles, DPIA methodology, breach notification, and the operational privacy program (G9). CMMC — the maturity levels, practice requirements, assessment methodology, and the defense contractor compliance pathway (G10).
Phase 4 — Governance Operations (G11–G16). Six modules building the operational capability that makes GRC sustainable. Security awareness — changing behavior, not ticking boxes: phishing simulation, metrics that measure behavior change, and the business case for awareness investment (G11). Audit management — from panic to process: audit preparation lifecycle, evidence management, finding remediation, and the operational rhythm that eliminates audit surprises (G12). GRC leadership — board reporting, CISO communication, risk committee management, and the executive engagement that turns GRC from a cost center into a strategic function (G13). Regulatory change management — monitoring, assessing, and implementing regulatory changes without disrupting operations (G14). Building and operating the GRC function — team structure, tool selection, integration with security operations, and the maturity model (G15). Sector-specific governance and emerging requirements — NIS2, DORA, AI regulation, and the compliance obligations particular to individual sectors (G16).
You can study the course linearly (G0 → G16) or selectively once Phase 1 is complete. Phase 2 is sequential — policy framework (G2) before risk assessment (G3) before controls (G4). Phase 3 modules are independent — pick the frameworks relevant to your organization. Phase 4 requires Phase 2 concepts but not Phase 3.
Who this course is for
Anyone who manages, implements, or reports on governance, risk, and compliance — whether that's your primary role or something added to your existing security responsibilities.
Security practitioner building GRC capability. You handle technical security — detection rules, incident response, endpoint hardening — and you've been given GRC responsibility. You need the methodology: risk assessment, policy writing, framework implementation, and audit management, taught from a practitioner perspective rather than a consultant's framework.
GRC analyst who wants operational depth. You work in governance but want to connect policies to technical controls. You can write a policy but you can't verify whether the control it requires is actually implemented. This course bridges the gap between compliance documentation and operational security — every control discussion includes the technical implementation.
Security manager reporting to leadership. You need to communicate risk in business language, justify security investment with quantified risk reduction, and demonstrate compliance progress to the board. Phase 4 covers the reporting, communication, and executive engagement that turns GRC data into leadership decisions.
IT administrator responsible for compliance evidence. You're the person who has to produce evidence during audits — configuration screenshots, access reviews, change records. You want to understand the compliance frameworks well enough to prepare evidence proactively rather than scrambling when the auditor arrives. G12 (audit management) is the core module for you.
Anyone with a genuine interest in GRC. Whatever your background — transitioning from another domain, early in your career, or expanding your skill set — if the subject interests you and you're willing to put in the work, this course is for you.
Prerequisites
One required. GRC is the most accessible course on the platform — it requires operational knowledge, not technical depth.
General IT and security awareness. You should understand what firewalls, access controls, encryption, and vulnerability management are — conceptually, not at the configuration level. You should know what a security incident is and what "compliance" means in general terms. If you've worked in IT or security for six months, you have enough context.
Nothing else is required. No KQL, no forensics, no programming, no prior GRC experience. This course teaches GRC methodology from first principles. Technical security knowledge makes the control discussions richer, but the course is designed for learners who come from either a technical or a business background.
Lab setup
No technical lab required. GRC is a document-based discipline. The course produces policies, risk registers, control matrices, and reports — not detection rules or forensic findings.
Template pack (downloadable). Every module includes downloadable templates adapted from the Northgate Engineering environment: policy templates, risk register workbooks, control mapping spreadsheets, audit evidence trackers, and board report templates. Adapt them to your own organization.
Optional: M365 environment. Some modules reference Defender XDR and Sentinel configurations as evidence of technical controls. If you have an M365 tenant (production or developer), you can verify control implementations directly. Not required — the course includes screenshots and worked examples.
How the course is structured
Every module from G2 onward follows the same pattern.
Objective header. The GRC problem the subsection solves, the artifact it produces, and the time estimate.
Diagram. Every subsection has an SVG diagram — the process flow, the framework structure, the risk matrix, or the reporting hierarchy.
Worked examples. Complete artifacts built for Northgate Engineering — the actual policy text, the populated risk register row, the control mapping entry, the board report section. Not theory about what a policy should contain — the policy itself.
Decision Point. GRC judgment calls — accept the risk or mitigate, implement the control or document the exception, report the finding or negotiate the timeline.
Try-it. Build the artifact yourself. Four components: Setup (the scenario), Task (produce the document), Expected Result (what a good output looks like), and Debugging Branch (common mistakes).
Compliance Myth. GRC misconceptions — "compliance equals security," "ISO 27001 requires specific tools," "risk registers are updated annually."
Artifact footer. The operational artifact — a policy template, a risk register entry, a control mapping row, a board report template.
Module completion pattern. Each module has content subsections (eight to fourteen), an interactive exercise, a module summary, and a Check My Knowledge subsection with scenario-based questions.
Time per phase
The course is self-paced. No cohorts, no deadlines, no streaks.
Phase 1 (G0, G1): One evening. G0 is orientation (30–45 minutes). G1 is the GRC operating model and failure mode assessment (2–3 hours).
Phase 2 (G2–G5): Two to three weeks at five to eight hours per week. Four modules building the core machinery. G3 (risk assessment) is the longest module.
Phase 3 (G6–G10): Four to five weeks. Five framework modules. Complete only the frameworks relevant to your organization — most learners do two or three, not all five.
Phase 4 (G11–G16): Three to four weeks. Six modules building the operational capability. G12 (audit management) and G13 (GRC leadership) are the most valuable for immediate application.
Full course at five to eight hours per week: roughly ten to thirteen weeks if completing all five framework modules, seven to ten weeks if selecting two or three frameworks. This course rewards application — adapt the templates to your own organization as you progress.
Start here
Complete this module (G0) before starting G1. The course architecture and operational GRC philosophy established here frame every subsequent module. G1 then establishes the assessment framework — scoring your current GRC function against the five operational maturity levels — that drives the rest of the course.
You know what GRC actually is.
G0 oriented you to the discipline. G1 made the case that governance is an operating system, not a documentation exercise — the shift from "we wrote the policy" to "the policy operates every day." Now you build the operating system.
- 15 operational modules — policy framework, risk management, compliance operations, audit management, vendor risk, data governance, and sector-specific governance
- External audit management playbook — the protocol for making audits a structured event instead of a firefight
- Policy framework templates — every policy your organization actually needs, with the structure that survives audit and operates in practice
- Risk register operations — how to make the risk register a decision-making instrument instead of a spreadsheet
- Sector governance (G16) — the specific compliance obligations for financial services, healthcare, public sector, and manufacturing