0.3 Course Structure and Module Map

30-45 minutes · Module 0 · Free
Operational Objective
The Sequencing Problem: 17 modules across four phases. Not every learner needs every module. The structure is designed so you can fast-track to the modules your organization needs most — but the foundations (G0-G2) are non-negotiable.
Deliverable: A personalised module sequence based on your regulatory obligations, current program maturity, and immediate business needs.
⏱ Estimated completion: 10 minutes

How the course is organized

The course contains 17 modules across four phases. Phases build on each other — the risk management methodology from Phase 2 feeds directly into the framework implementations in Phase 3, and the governance capabilities from Phase 4 depend on having the foundations and risk management program in place.

[Figure 0.3 diagram: PRACTICAL GRC, FOUR-PHASE COURSE STRUCTURE]
PHASE 1: FOUNDATIONS (sequential, complete in order): G0 Introduction · G1 What GRC Is · G2 Policy Framework
PHASE 2: RISK MGMT (sequential, depends on Phase 1): G3 Risk Assessment · G4 Risk Treatment · G5 Risk Monitoring
PHASE 3: FRAMEWORKS (selective, choose your frameworks): G6 ISO 27001 · G7 NIST CSF 2.0 · G8 SOC 2 · G9 GDPR · G10 CMMC
PHASE 4: OPERATIONS (priority-based, any order by need): G11 Awareness · G12 Audit Mgmt · G13-G16 Leadership
OUTPUT: Risk register · Policy framework · Compliance evidence · Audit program · Board reports · GRC operating model

Figure 0.3: Four-phase course structure. Phases 1-2 are sequential (foundations then risk management). Phase 3 is selective (choose your frameworks). Phase 4 is priority-based (complete in any order based on immediate needs).

Phase 1 — Foundations (Modules G0-G2)

These three modules establish the conceptual foundations that every subsequent module builds on. If you skip them, the framework-specific modules will feel disconnected from practical reality.

Module G0: Course Introduction (this module)
What this course builds, who it is for, the full module map, prerequisites, and learning methodology.

Module G1: What GRC Actually Is — and Why It Fails
The governance-risk-compliance triad as an operating system, not a documentation exercise. Why GRC programs fail: the compliance trap, the documentation trap, the tool trap, and the audit-driven trap. What a working GRC program looks like versus theater. The organizational positioning of GRC — where it sits, who it reports to, why reporting lines matter. The relationship between GRC and security operations, engineering, architecture, and leadership. Regulatory drivers: why organizations do GRC (legal obligation, customer requirement, insurance requirement, competitive advantage, risk reduction).

Module G2: Building the Policy Framework
Policy as executable governance — not shelf-ware. The policy hierarchy: governing policies, standards, procedures, guidelines. Writing policies that people actually follow: clear language, specific requirements, measurable compliance criteria, defined exceptions processes. The policy lifecycle: drafting, review, approval, communication, implementation, monitoring, review, retirement. Version control and change management for policy documents. Mapping policies to the controls that enforce them and the regulations they satisfy. The minimum viable policy set for different organization sizes.

Phase 2 — Risk Management (Modules G3-G5) — PAID

Risk management is the engine of the GRC program. Without a functioning risk management capability, compliance becomes a checkbox exercise and governance becomes bureaucracy. These three modules build the complete risk management lifecycle.

Module G3: Risk Assessment Methodology
Building a risk assessment methodology that works for your organization. Risk identification: asset-based, threat-based, scenario-based, and control-based approaches. Risk analysis: qualitative, semi-quantitative, and quantitative methods. Likelihood and impact scales calibrated to your organization. Risk evaluation: risk matrices, heat maps, and their limitations. Risk appetite and tolerance: defining what your organization will accept. Building and maintaining the risk register. Risk ownership and accountability.

Module G4: Risk Treatment and Controls
The four treatment options: mitigate, transfer, accept, avoid. Selecting controls: effectiveness, cost, feasibility, side effects. Control types: preventive, detective, corrective, compensating. Mapping controls to risks and to compliance requirements. Control implementation: from policy to technical configuration. The Statement of Applicability as a living document. Residual risk assessment: does the treatment reduce the risk to an acceptable level?

Module G5: Risk Monitoring and Reporting
Continuous risk monitoring versus periodic assessment. Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for security controls. Risk reporting to different audiences: operational teams, management, board, regulators. The risk dashboard: what to show, what to hide, how to avoid misleading stakeholders. Risk escalation: when a risk exceeds tolerance. Integrating risk monitoring with security operations — using SOC data to validate risk assessments. Quarterly risk review process.

Phase 3 — Framework Implementation (Modules G6-G10) — PAID

Each module in this phase provides a complete implementation walkthrough for a specific framework or regulation. You do not need to complete all five — choose the frameworks relevant to your organization. However, Module G6 (ISO 27001) is recommended for all learners because ISO 27001 provides the most comprehensive information security management system structure, and the implementation methodology transfers to every other framework.

Module G6: ISO 27001 — Implementing an Information Security Management System
The complete ISO 27001:2022 implementation from context of the organization through certification audit. Clause-by-clause walkthrough with practical implementation guidance. The Statement of Applicability: every Annex A control with implementation evidence requirements. Management commitment, resource allocation, competence requirements. Internal audit program design. Management review. Certification body selection and audit preparation. The 90-day fast-track implementation for organizations under pressure. Common nonconformities and how to avoid them. Surveillance audit preparation and continual improvement.

Module G7: NIST Cybersecurity Framework 2.0
The NIST CSF 2.0 structure: Govern, Identify, Protect, Detect, Respond, Recover. The Govern function — new in CSF 2.0 — and why it changes the framework fundamentally. Framework profiles: current state, target state, and the gap analysis between them. Implementation tiers: how to assess and communicate your maturity level. Mapping CSF 2.0 to your existing controls. Using CSF 2.0 alongside ISO 27001 — the cross-mapping and where they diverge. CSF 2.0 for organizations that need a framework but do not need certification.

Module G8: SOC 2 — Trust Service Criteria Implementation
SOC 2 Type I versus Type II: what each requires and when you need which. The five Trust Service Categories: Security, Availability, Processing Integrity, Confidentiality, Privacy. Building the system description. Defining control activities for each relevant criterion. Evidence collection: what auditors expect, what "sufficient appropriate evidence" means in practice. The observation period for Type II: planning and maintaining controls consistency. Working with your auditor: selecting a CPA firm, managing the engagement, responding to findings. SOC 2 as a sales enabler: how the report gets used by customers.

Module G9: GDPR and Privacy Regulation
Data protection as a governance discipline, not a legal exercise. UK GDPR and the Data Protection Act 2018. The six lawful bases for processing. Data protection principles and how they translate into technical controls. The Records of Processing Activities (ROPA). Data Protection Impact Assessments (DPIAs): when they are required, how to conduct them. Data subject rights: technical implementation of access, rectification, erasure, portability. Data breach notification: the 72-hour requirement, what qualifies as a breach, the notification process. International data transfers post-Schrems II. The Data Protection Officer: when you need one, what the role requires. Privacy by design and by default: practical implementation patterns.

Module G10: CMMC — Cybersecurity Maturity Model Certification
CMMC 2.0 structure: Level 1 (foundational), Level 2 (advanced), Level 3 (expert). The relationship between CMMC and NIST SP 800-171. The 110 security requirements of NIST SP 800-171 and how to implement them. Controlled Unclassified Information (CUI): identification, marking, handling. The System Security Plan (SSP) and Plan of Action and Milestones (POA&M). Self-assessment for Level 1, third-party assessment for Level 2, government assessment for Level 3. The CMMC assessment process: what assessors look for. Practical implementation for small and mid-size defense contractors. Scoping: minimizing the assessment boundary to reduce compliance burden.

Phase 4 — Governance Operations (Modules G11-G16) — PAID

These modules build the supporting capabilities that sustain the GRC program over time. Without these, the frameworks you implemented in Phase 3 decay within twelve months.

Module G11: Security Awareness — Changing Behavior, Not Ticking Boxes
Why traditional security awareness training fails: completion rates measure compliance, not behavior change. Designing an awareness program that changes how people work. Phishing simulation: what the data actually tells you (and what it does not). Role-based training: developers, finance, executives, IT administrators. Measuring effectiveness: behavioral metrics, incident correlation, reporting culture. Security champions programs. Building a security culture that sustains itself without annual mandatory training.

Module G12: Audit Management — From Panic to Process
Internal audit: designing the audit program, selecting auditors, audit planning, conducting audits, reporting findings. Managing external audits: preparation, evidence packaging, auditor management, finding response. Audit finding lifecycle: identification, classification, root cause analysis, corrective action, verification, closure. The audit schedule: how to plan audits across multiple frameworks without auditor fatigue. Continuous auditing and monitoring: using automated tools to reduce audit burden. Managing multiple concurrent audits.

Module G13: GRC Leadership — Reporting, Communication, and Board Engagement
Translating security risk into business risk. Board reporting: what boards want to know, what they do not understand, how to present risk without creating panic or complacency. The CISO-board relationship. Committee structures: risk committee, audit committee, information security steering committee. Budgeting for security: building the business case, demonstrating ROI, justifying spend after an incident. Executive communication: the one-page security briefing, the quarterly risk report, the annual security strategy. Communicating bad news: breach notifications, audit failures, risk acceptances.

Module G14: Regulatory Change Management
How to monitor, assess, and respond to regulatory change without being overwhelmed. The regulatory landscape: where to track changes, what sources to monitor. Impact assessment: determining whether a regulatory change affects your organization. Implementation planning: from regulatory requirement to deployed control. Change communication: who needs to know, what they need to do. The regulatory change register. Horizon scanning: preparing for regulations before they take effect. Recent and upcoming changes: NIS2, DORA, EU AI Act, SEC cybersecurity rules, UK Cyber Security and Resilience Bill.

Module G15: Building and Operating the GRC Function
Organizational design for GRC: centralized, federated, and hybrid models. Staffing the GRC function: roles, skills, career paths. GRC tooling: evaluating platforms (ServiceNow, LogicGate, Archer, Drata, Vanta, OneTrust, spreadsheets), selection criteria, implementation pitfalls. The GRC operating model: daily, weekly, monthly, quarterly, and annual rhythms. Integrating GRC with security operations: shared data, shared reporting, aligned objectives. GRC metrics and KPIs. Maturity assessment: where your program is today and where it needs to be.

Module G16: Sector-Specific Governance and Emerging Requirements
Financial services: FCA requirements, PRA expectations, operational resilience, DORA. Healthcare: NHS DSPT, HIPAA (for US operations). Critical national infrastructure: NIS2, CAF. Corporate governance and its intersection with information security: UK Corporate Governance Code, Wates Principles, SOX (for US-listed entities). ESG and cyber risk. Cyber insurance: what underwriters require, how GRC maturity affects premiums.

Implementation path. Work through Phases 1 and 2 in order — the foundations and risk management methodology are prerequisites for everything else. In Phase 3, choose the frameworks your organization requires. In Phase 4, build the supporting capabilities in any order based on your priorities. Most organizations benefit from starting with G12 (audit management) if an audit is imminent, or G13 (leadership reporting) if budget approval is the immediate need.

Time commitment

Plan for an estimated 36 to 42 hours of study time across all 17 modules if you complete every exercise and build every deliverable.

Individual module study time varies from 2 to 4 hours depending on the module and whether you are building deliverables for a real organization or working through exercises conceptually.

What you will have when you finish

The completion artifact is not a certificate. It is a functioning GRC program:

Phase | Deliverables
Foundations (G0-G2) | GRC program charter, complete policy framework, policy templates adapted to your organization
Risk Management (G3-G5) | Risk assessment methodology, populated risk register, treatment plans, KRI dashboard, board risk report template
Framework Implementation (G6-G10) | Framework-specific compliance documentation: SoA, gap analysis, system description, ROPA, SSP — whichever frameworks you implement
Governance Operations (G11-G16) | Awareness program plan, internal audit program, board reporting pack, regulatory change register, GRC operating model, GRC function design

Every deliverable is built during the module, for your organization, using your organizational context. Not templates — operational documents.

Compliance Myth: "Risk registers prevent incidents"

The myth: Risk registers prevent incidents

The reality: Risk registers document known risks and accepted treatments. They do not prevent incidents — controls prevent incidents. A risk register with 200 entries and no implemented controls provides zero protection. A risk register with 20 entries and all controls implemented, tested, and monitored provides substantial protection. The register is a management tool. The controls are the security.

Decision point

NE's GRC program produces quarterly reports showing green status. The SOC handled 3 incidents the same quarter. The board asks: 'If we are compliant, why are we attacked?'

Compliance confirms controls are in place. Security outcomes depend on whether controls are effective. The incidents were detected and contained BECAUSE the controls worked. A more accurate report: 'Controls detected and contained 3 incidents including a BEC attempt intercepted before financial loss — demonstrating compliance is producing security outcomes.'

NE's GRC quarterly report shows green across all frameworks. The same quarter had 3 Severity 2 incidents. The board asks: 'If we are compliant, why are we attacked?' Which response is right?

  • Compliance means no attacks — question the SOC's detection capability.
  • Compliance confirms controls are in place. The incidents were detected and contained BECAUSE the controls worked. A better report: 'Controls detected and contained 3 incidents including a BEC attempt intercepted before loss — demonstrating compliance produces security outcomes.' Compliance is not immunity; it is capability. (correct)
  • Compliance is just paperwork with no security relationship.
  • Any incident should change compliance status to amber.

Try it: Map your learning path

Review the module list for this course. Identify the 3 modules most relevant to your current role and write down: (1) the module title, (2) why it is relevant to your work, and (3) one specific outcome you want to achieve from that module. This exercise takes 5 minutes and ensures you approach the course with intentional goals rather than sequential consumption.

You know what GRC actually is.

G0 oriented you to the discipline. G1 made the case that governance is an operating system, not a documentation exercise — the shift from "we wrote the policy" to "the policy operates every day." Now you build the operating system.

  • 15 operational modules — policy framework, risk management, compliance operations, audit management, vendor risk, data governance, and sector-specific governance
  • External audit management playbook — the protocol for making audits a structured event instead of a firefight
  • Policy framework templates — every policy your organisation actually needs, with the structure that survives audit and operates in practice
  • Risk register operations — how to make the risk register a decision-making instrument instead of a spreadsheet
  • Sector governance (G16) — the specific compliance obligations for financial services, healthcare, public sector, and manufacturing