In this module

0.1 The Problem with GRC Training

30-45 minutes · Module 0 · Free

Operational Objective

The Training Gap: the GRC industry teaches frameworks and documentation but not how to build a governance program that actually reduces risk. Most courses stop at "audit readiness" — this course starts where they stop.

Deliverable: A self-assessment identifying where your organization's GRC effort currently stops in the failure pipeline — the starting point for everything that follows.

⏱ Estimated completion: 15 minutes

The Problem with GRC Training

The GRC training industry has a pipeline problem. Organizations invest in frameworks, consultants, and certifications — and end up with documentation that does not reduce risk. The pipeline below shows where the value leaks out.

The GRC failure pipeline

Figure 0.1: The GRC failure pipeline. Most organizations stop at Documentation or Audit Readiness. Value leaks at each transition — framework knowledge without risk context, documentation without operational enforcement, audit readiness without continuous monitoring of control effectiveness.

Most GRC training stops at the second stage — documentation. You learn the framework, you produce the documents, and you are told the job is done. This course starts at the bottom of the funnel and works upward: what does actual risk reduction require, and how do you build the governance system that produces it continuously?

Two models of GRC: documentation vs operations

	Documentation Model	Operational Model
Risk register	Produced during implementation, reviewed annually	Updated when risks change — incidents, threats, business changes
Policies	Template-based, approved once, reviewed on calendar	Organization-specific, change-driven, mapped to controls
Compliance evidence	Created retroactively before audits	Produced from operational data as a byproduct of security work
Audit preparation	4-8 week panic before the auditor arrives	Days — evidence is always current
Board reporting	Annual presentation when specifically requested	Defined cadence, decision-oriented, risk trend analysis
Control effectiveness	Assumed if the policy exists	Measured continuously via operational data
Cost of maintenance	Increasing — more documents, more reviews, more effort	Stable — integrated into operational rhythm
Outcome	Certificate on wall. Unknown actual security posture.	Measurable risk reduction. Audit is a non-event.

This course builds the right column.

The implementation gap

Most GRC training teaches frameworks as abstract knowledge — memorise the ISO 27001 control domains, learn the NIST CSF functions, pass the exam. The graduate knows what controls exist but cannot implement them. They know that "access control" is an ISO 27001 Annex A domain but cannot write an access control policy for a specific organization, cannot configure conditional access policies that enforce it, and cannot build the detection rule that alerts when it fails. This course closes the gap by teaching GRC through implementation: every control is demonstrated as a deployable document, a configured setting, or a detection rule — not an exam answer.

The governance artifact produced in this subsection should be reviewed with your organization's stakeholders within one week of creation. Governance documents that sit in SharePoint unreviewed provide zero organizational value. The review cycle — draft, stakeholder feedback, revision, approval, publication — transforms a training exercise into a deployed control. Schedule the review meeting before you finish the module, not after.

Compliance Myth

"A GRC program is successful when it passes the certification audit."

Production reality: Certification proves the documentation was correct at the time of audit. It does not prove the controls are working between audits. The gap between audit evidence and operational reality is where breaches live. Module G1 examines four organizations that passed audits and failed at security.

Every module produces an operational artifact — not a document that describes what should happen, but a governance instrument that connects to real risks, real controls, and real evidence.

The Red Line. The consulting industry sells GRC implementations as projects with deliverables: "We will produce your ISMS documentation, risk register, and Statement of Applicability. Estimated timeline: 12 weeks. Fee: $45,000." The deliverables are real. The governance is not. When the consultant leaves, the organization has a stack of documents that nobody knows how to maintain, a risk register that reflects the consultant's assessment (not the organization's ongoing risk landscape), and policies that describe the consultant's recommended processes (not how the organization actually works). The consultant delivered what they promised. The organization did not get what it needed. This course exists because the gap between "deliverables produced" and "governance operating" is where most GRC programs die.

What this course builds instead

Expand for Deeper Context

By the end of 17 modules, you will have built a GRC program that operates as a system — not a library. The artifacts you produce are not course assignments. They are the working documents of your governance program.

Phase	What you build	Why it matters
Foundations (G0-G2)	Policy framework, hierarchy, mappings	The governance structure everything else hangs on
Risk Management (G3-G5)	Risk methodology, register, treatment plans, KRI dashboards	The engine — every governance decision traces to a risk
Frameworks (G6-G10)	SoA, gap analysis, system description, ROPA, SSP	The compliance layer — evidence that controls satisfy requirements
Operations (G11-G16)	Awareness program, audit program, board reports, operating model	The sustainability layer — what keeps the program running after you build it

Try it yourself: Where does your organization lose value?

Look at the failure pipeline above. Where does your organization's GRC effort currently stop?

Stage	Your organization	Evidence
Framework knowledge	Do you understand which frameworks apply?	Can you list your regulatory obligations?
Documentation	Do policies and risk registers exist?	When were they last updated?
Audit readiness	Can you pass an audit?	How many weeks of preparation does it take?
Actual risk reduction	Do your GRC activities measurably reduce risk?	What metric proves it?

Reveal: What most organizations find

Most organizations stop at Documentation or Audit Readiness. They have policies and a risk register (Documentation stage), and they can pass an audit with preparation (Audit Readiness stage). But they cannot point to a specific metric that demonstrates their GRC program reduces risk. The MFA enforcement rate is not tracked. The phishing simulation results are not correlated to the risk register. Incident data does not feed back into risk assessments. The program produces documents and passes audits but does not measurably improve the organization's security posture.

If your organization reaches "Actual risk reduction" — congratulations, you are in the minority. Use this course to validate and strengthen your approach. If you stop at an earlier stage, the course modules are structured to close the specific gap: G3-G5 connect documentation to risk (closing the Documentation→Audit gap), and G5+G11-G16 connect audit readiness to measurable risk reduction (closing the Audit→Risk Reduction gap).

Certification alignment

The curriculum maps to five industry certifications. The mapping is a reference for learners pursuing credentials — not the course identity.

Certification	What it validates	Primary modules	Typical candidate
CISM	Security management and governance	G1-G5, G11-G16	Security managers, aspiring CISOs
CRISC	Risk identification, assessment, response	G3-G5, G13	Risk management professionals
CGRC (ISC2)	GRC program management	G1-G5, G11-G12	Dedicated GRC professionals
ISO 27001 LI	ISMS implementation and maintenance	G6 + G1-G5, G12	Implementation project leads
CDPSE	Privacy engineering and data protection	G9 + G2-G4	Privacy and data protection professionals

Ridgeline GRC philosophy. Governance is not documentation. It is the operating system that connects security controls to business risk, regulatory obligations, and executive decision-making. If your GRC program is creating work without reducing risk, the program is the problem. This course builds the program that works.

Detection depth: NE-specific implementation

This detection rule addresses a technique that directly threatens NE's operational environment. The implementation accounts for NE's specific infrastructure characteristics:

Telemetry source: The primary data table for this detection ingests approximately 0.5-3.2 GB/day depending on the activity volume. At NE's scale (810 users, 865 devices, 42 servers), the event volume generates a stable baseline that statistical detection methods (percentile analysis from DE9.4) can reliably characterize. Deviations from this baseline represent either environmental changes (new applications, infrastructure modifications) or attacker activity.

Expand for Deeper Context

Threshold calibration: The threshold was selected using the percentile method: P99 of 30-day historical data establishes the upper bound of normal activity. The production threshold is set at 1.5x P99 to provide margin above normal fluctuation while maintaining detection sensitivity for attack patterns that typically generate 5-50x normal volume.

False positive profile: The primary FP sources for this detection include: IT administrative activity (legitimate but anomalous-looking operations), automated tools and scripts (scheduled tasks, monitoring agents), and business events (quarterly reporting, annual audits, project deadlines). Each FP source is addressed through the watchlist architecture (DE9.6) — Corporate IPs (WL1), Service Accounts (WL2), IT Admin Accounts (WL3), and Known Applications (WL4) provide systematic exclusion without reducing the rule's detection scope below acceptable levels.

Attack chain integration: This detection maps to one or more of the 6 NE attack chains (CHAIN-HARVEST, CHAIN-MESH, CHAIN-ENDPOINT, CHAIN-FACTORY, CHAIN-PRIVILEGE, CHAIN-DRIFT). When this rule fires, the SOC analyst correlates with adjacent-phase alerts to determine whether the activity is isolated or part of a multi-phase attack. The correlation query from this module's cross-technique subsection provides the KQL pattern for this analysis.

Response procedure: On alert, the analyst: (1) checks the entity against the watchlists — is this a known benign source? (2) checks for correlated alerts from adjacent kill chain phases within 60 minutes, (3) classifies as TP/FP/BTP using the DE9.5 decision tree, and (4) escalates to Rachel if the alert correlates with other phases (potential active attack chain).

Decision point

NE's security awareness completion rate is 94%. The remaining 6% have not completed despite 3 reminders. Is 94% good enough?

Depends on WHO is in the 6%. If finance team members, IT admins, or executive assistants are non-completers, the risk is disproportionate. Analyse by role. Escalate high-risk non-completers to line managers. 94% is a metric; the risk profile of the 6% is the insight.

NE's GRC quarterly report shows green across all frameworks. The same quarter had 3 Severity 2 incidents. The board asks: 'If we are compliant, why are we attacked?'

Compliance means no attacks — question the SOC's detection capability.

Compliance confirms controls are in place. The incidents were detected and contained BECAUSE the controls worked. A better report: 'Controls detected and contained 3 incidents including a BEC attempt intercepted before loss — demonstrating compliance produces security outcomes.' Compliance is not immunity; it is capability.

Compliance is just paperwork with no security relationship.

Any incident should change compliance status to amber.

You know what GRC actually is.

G0 oriented you to the discipline. G1 made the case that governance is an operating system, not a documentation exercise — the shift from "we wrote the policy" to "the policy operates every day." Now you build the operating system.

15 operational modules — policy framework, risk management, compliance operations, audit management, vendor risk, data governance, and sector-specific governance
External audit management playbook — the protocol for making audits a structured event instead of a firefight
Policy framework templates — every policy your organisation actually needs, with the structure that survives audit and operates in practice
Risk register operations — how to make the risk register a decision-making instrument instead of a spreadsheet
Sector governance (G16) — the specific compliance obligations for financial services, healthcare, public sector, and manufacturing

Unlock the full course with Premium See Full Syllabus

← Previous Next →