In this module

0.2 Who This Course Is For

30-45 minutes · Module 0 · Free

Operational Objective

The Entry Point Problem: GRC training assumes you are either a complete beginner or an experienced GRC professional. Security practitioners, IT managers, and compliance professionals each enter with different knowledge gaps.

Deliverable: Your learner path identification — which of the three paths matches your background, and what specific knowledge the course adds to what you already know.

⏱ Estimated completion: 10 minutes

Who This Course Is For

Three paths into GRC

Each path enters

Figure 0.2: Three learner journeys through the GRC course. Security practitioners add governance skills. GRC professionals add technical depth. IT managers and leaders build the complete program. All paths produce the same artifacts through the same curriculum.

with a different gap and exits with a different credential trajectory. The curriculum is the same — the difference is what you already know and what you need to learn.

Security practitioners know how to deploy MFA, write detection rules, and investigate incidents. They do not know which ISO 27001 control their detection rule satisfies, how to write a risk assessment that justifies the budget for the detection rule, or how to present the rule's effectiveness to a board in language that gets investment approved. The course fills the governance gap.

GRC professionals know the frameworks, the clauses, the audit process. They do not know what "control A.8.16 is operating effectively" looks like in a SIEM dashboard, how to verify MFA enforcement from sign-in logs, or what questions to ask the SOC manager to determine whether the monitoring control is actually working. The course fills the technical gap.

IT managers and security leaders need both — plus the organizational design, budget justification, and implementation roadmap to build a GRC function from zero. The course provides the complete build sequence.

Try it yourself: Which path are you on?

Statement	Yes	No
I can configure a conditional access policy in Entra ID
I can explain which ISO 27001 control that policy satisfies
I have written or maintained a risk register
I can verify a control's effectiveness using operational data
I have prepared for or managed an external audit
I can present a risk report to a board or risk committee
I have built or designed a GRC program from scratch

Reveal: Interpreting your answers

Mostly yes to technical questions (1, 4), mostly no to governance (2, 3, 5, 6): You are on the Security Practitioner path. Your technical foundation is strong. The course adds the governance framework that turns your technical work into auditable, reportable, fundable capability.

Mostly yes to governance questions (2, 3, 5, 6), mostly no to technical (1, 4): You are on the GRC Professional path. Your framework knowledge is strong. The course adds the technical depth that makes your governance work credible and verifiable.

Mostly no across the board: You are on the IT Manager / Leader path. The course builds both skills from foundations. Start with G0-G2 and progress sequentially.

Mostly yes across the board: You are already operating at a mature level. Use the course to validate your approach, fill specific gaps, and build artifacts that formalize what you may currently do informally.

What this course is not

If you want...	This is not the right course	Try instead
To pass CISM/CRISC with minimum effort	Brain dumps and practice exams exist for that	Certification study guides
A ZIP file of generic policy templates	Template packs are available for $50-$200	Document template marketplaces
Training on a specific GRC platform	Vendors offer product training	ServiceNow / Drata / Vanta docs
Academic risk theory (Monte Carlo, Bayesian)	This course teaches practical risk management	Academic risk management textbooks
A course that replaces the M365 Security Operations course	This course covers governance, not technical SOC skills	M365 Security Operations

This course produces a working GRC program. If you want documents, buy templates. If you want a governance capability, build it here.

The bridging role

This course targets the professional who sits between technical security and business governance — or who needs to occupy both roles. In organizations under 500 employees, the security manager IS the GRC function. They write the policies, configure the controls, manage the risk register, and report to the board. They need GRC knowledge AND technical implementation skills in a single course. In larger organizations, GRC professionals need enough technical depth to evaluate whether controls are actually implemented (not just documented) and enough governance depth to translate technical findings into board-level risk language. Both audiences are underserved by existing training — technical courses skip governance, governance courses skip implementation.

The governance artifact produced in this subsection should be reviewed with your organization's stakeholders within one week of creation. Governance documents that sit in SharePoint unreviewed provide zero organizational value. The review cycle — draft, stakeholder feedback, revision, approval, publication — transforms a training exercise into a deployed control. Schedule the review meeting before you finish the module, not after.

The three practitioner profiles

The security manager wearing the GRC hat. You manage firewalls, endpoints, and user accounts. Now someone has added "compliance" to your job description. You need governance frameworks that you can implement yourself — not frameworks that require a dedicated compliance team you do not have. This course gives you deployable documents: policies you can publish, risk assessments you can present to leadership, and compliance evidence you can produce for auditors.

The GRC professional needing technical depth. You understand ISO 27001 controls at the framework level but cannot verify whether the controls are technically implemented. When a control says "multi-factor authentication shall be enforced for all administrative access," you need to know how to verify that conditional access policies enforce this in Entra ID — not just that a policy document says it is done. This course bridges the gap between governance documentation and technical verification.

Compliance Myth: "Risk registers prevent incidents"

The myth: Risk registers prevent incidents

The reality: Risk registers document known risks and accepted treatments. They do not prevent incidents — controls prevent incidents. A risk register with 200 entries and no implemented controls provides zero protection. A risk register with 20 entries and all controls implemented, tested, and monitored provides substantial protection. The register is a management tool. The controls are the security.

Detection depth: NE-specific implementation

This detection rule addresses a technique that directly threatens NE's operational environment. The implementation accounts for NE's specific infrastructure characteristics:

Telemetry source: The primary data table for this detection ingests approximately 0.5-3.2 GB/day depending on the activity volume. At NE's scale (810 users, 865 devices, 42 servers), the event volume generates a stable baseline that statistical detection methods (percentile analysis from DE9.4) can reliably characterize. Deviations from this baseline represent either environmental changes (new applications, infrastructure modifications) or attacker activity.

Expand for Deeper Context

Threshold calibration: The threshold was selected using the percentile method: P99 of 30-day historical data establishes the upper bound of normal activity. The production threshold is set at 1.5x P99 to provide margin above normal fluctuation while maintaining detection sensitivity for attack patterns that typically generate 5-50x normal volume.

False positive profile: The primary FP sources for this detection include: IT administrative activity (legitimate but anomalous-looking operations), automated tools and scripts (scheduled tasks, monitoring agents), and business events (quarterly reporting, annual audits, project deadlines). Each FP source is addressed through the watchlist architecture (DE9.6) — Corporate IPs (WL1), Service Accounts (WL2), IT Admin Accounts (WL3), and Known Applications (WL4) provide systematic exclusion without reducing the rule's detection scope below acceptable levels.

Attack chain integration: This detection maps to one or more of the 6 NE attack chains (CHAIN-HARVEST, CHAIN-MESH, CHAIN-ENDPOINT, CHAIN-FACTORY, CHAIN-PRIVILEGE, CHAIN-DRIFT). When this rule fires, the SOC analyst correlates with adjacent-phase alerts to determine whether the activity is isolated or part of a multi-phase attack. The correlation query from this module's cross-technique subsection provides the KQL pattern for this analysis.

Response procedure: On alert, the analyst: (1) checks the entity against the watchlists — is this a known benign source? (2) checks for correlated alerts from adjacent kill chain phases within 60 minutes, (3) classifies as TP/FP/BTP using the DE9.5 decision tree, and (4) escalates to Rachel if the alert correlates with other phases (potential active attack chain).

Decision point

NE's GRC program produces quarterly reports showing green status. The SOC handled 3 incidents the same quarter. The board asks: 'If we are compliant, why are we attacked?'

Compliance confirms controls are in place. Security outcomes depend on whether controls are effective. The incidents were detected and contained BECAUSE the controls worked. A more accurate report: 'Controls detected and contained 3 incidents including a BEC attempt intercepted before financial loss — demonstrating compliance is producing security outcomes.'

NE's GRC quarterly report shows green across all frameworks. The same quarter had 3 Severity 2 incidents. The board asks: 'If we are compliant, why are we attacked?'

Compliance means no attacks — question the SOC's detection capability.

Compliance confirms controls are in place. The incidents were detected and contained BECAUSE the controls worked. A better report: 'Controls detected and contained 3 incidents including a BEC attempt intercepted before loss — demonstrating compliance produces security outcomes.' Compliance is not immunity; it is capability.

Compliance is just paperwork with no security relationship.

Any incident should change compliance status to amber.

You know what GRC actually is.

G0 oriented you to the discipline. G1 made the case that governance is an operating system, not a documentation exercise — the shift from "we wrote the policy" to "the policy operates every day." Now you build the operating system.

15 operational modules — policy framework, risk management, compliance operations, audit management, vendor risk, data governance, and sector-specific governance
External audit management playbook — the protocol for making audits a structured event instead of a firefight
Policy framework templates — every policy your organisation actually needs, with the structure that survives audit and operates in practice
Risk register operations — how to make the risk register a decision-making instrument instead of a spreadsheet
Sector governance (G16) — the specific compliance obligations for financial services, healthcare, public sector, and manufacturing

Unlock the full course with Premium See Full Syllabus

← Previous Next →