0.4 Prerequisites and What You Need

30-45 minutes · Module 0 · Free
Operational Objective
The Readiness Question: do you need a GRC platform, a compliance background, or specific certifications before starting? The answer to all three is no — but you do need specific tools and access.
Deliverable: A readiness checklist confirming you have the tools, access, and time allocation to progress through the course.
⏱ Estimated completion: 10 minutes
Figure 0.4 — Operational workflow from input through documented output (Input, Process, Analyse, Decide, Output).

Figure — Prerequisites and What You Need.

Knowledge prerequisites

You need at least one of these backgrounds. Not all — one is sufficient.

Background | What you already know | What the course adds
Security operations / engineering | Technical controls, SIEM, detection rules, incident response | Governance frameworks, risk methodology, compliance evidence, board reporting
IT management / administration | Technology landscape, operational constraints, business context | Security governance, risk assessment, framework implementation, audit management
GRC / compliance | Framework structures, audit processes, policy writing | Technical control verification, operational evidence, control effectiveness measurement

What you do NOT need

A common objection: "I need a GRC platform before I can start." This is the tool trap applied to learning.

The Red Line. No course can teach you GRC by giving you access to a GRC platform, for the same reason no course can teach you risk management by giving you a spreadsheet. The tool does not create the capability. The capability creates the need for the tool. Every exercise in this course can be completed with a document editor, a spreadsheet, and a shared drive. If you have a GRC platform, use it. If you do not, you lose nothing. Module G15 covers tool evaluation — after you have operated the program long enough to know what you actually need automated.

Readiness checklist

Time commitment: What the course actually requires

This course is designed for working professionals operating GRC programs alongside their day jobs. The typical time investment per module: 2-3 hours of reading and 1-2 hours building the artifacts. The early modules (G0-G2) are faster — foundational concepts with lighter exercises. The framework modules (G6-G10) are denser — each produces a significant deliverable (SoA column, compliance mapping, evidence collection). The leadership and operations modules (G11-G16) are the most immediately actionable — each produces a document you use the same week.

Total course time for all 17 modules: approximately 50-70 hours spread across 3-6 months at a pace of 2-3 modules per week. This is not a course you complete in a weekend. The artifacts accumulate — each module builds on the previous — and the value compounds as the portfolio grows.

The KQL lab environment

Many modules include KQL verification queries that you run in Microsoft Sentinel. If your organization has a Sentinel workspace, use it — the queries produce real evidence from your environment. If not, set up a free M365 Developer Tenant (developer.microsoft.com, 25 E5 licenses, 90 days renewable) and connect the free Sentinel trial. Load the sample data packs for realistic-looking user activity. The developer tenant provides a safe environment to run every query in this course without affecting production systems.

The KQL queries use sql syntax highlighting in code blocks. Copy them directly into the Sentinel Logs workspace query editor. Each query includes comments explaining what it does, what the expected output looks like, and what a deviation means. You do not need to be a KQL expert to run them — the course teaches the KQL alongside the GRC context.

Try it yourself: Course readiness assessment

Score each item: 2 = ready, 1 = partially ready, 0 = not ready.

Item | What it means | Score
Document editor | Word, Google Docs, or equivalent for writing policies and reports |
Spreadsheet | Excel or Google Sheets for risk registers and compliance matrices |
Shared storage | SharePoint, Google Drive, or equivalent for the policy repository |
Existing documentation (if any) | Current policies, risk registers, audit reports — even if outdated |
A framework requirement | Know which framework your organization needs (ISO 27001, SOC 2, etc.) — or Module G1 helps you determine this |
Stakeholder access | Can you talk to the people who own the processes your policies will govern? |
30-60 minutes per week | Minimum time investment to progress through the course alongside a day job |
Interpreting your score

12-14: Fully ready. Start G1 immediately.

8-11: Ready with minor gaps. The most common gap is stakeholder access — you can still complete all exercises, but the outputs are stronger with input from process owners. Start the course and build relationships in parallel.

0-7: Address the gaps first. If you do not have a document editor or spreadsheet, those are free (Google Docs/Sheets). If you do not have shared storage, create a folder structure first. If you have no idea which framework applies, Module G1 covers regulatory driver identification. If you have zero time, the course will not work — GRC requires sustained effort, not a weekend sprint.

Relationship to other Ridgeline courses

This course stands alone. It also compounds with the other courses on the platform.

If you also complete... | The GRC course adds...
M365 Security Operations | Maps your detection rules, playbooks, and hardening to governance frameworks. Your technical artifacts become compliance evidence.
Mastering KQL | Your queries produce compliance evidence directly — MFA enforcement rates, detection coverage, response timelines become audit artifacts.
SOC Operations | Your SOC processes (triage, investigation, escalation) are control activities. The GRC course maps them to ISO 27001, NIST CSF, and SOC 2.
Claude for Security Professionals | Module C6 covers AI-assisted compliance. This GRC course provides the methodology that makes those AI outputs accurate and deployable.

No prerequisites. Start wherever your need is greatest.

What you will build during this course

By module 16, you will have produced: an information security policy (adapted to your organization), a risk assessment methodology and completed risk register, an access control policy with conditional access mapping, an incident response plan with playbook references, a vendor risk assessment template with scoring criteria, a data classification scheme with handling procedures, a security awareness program outline, and a board-ready security posture report. Each document is produced during the module that teaches the concept — not as a separate exercise after the course. The prerequisite for building these documents is not certification or experience — it is access to your organization's context (its systems, its people, its regulatory obligations) and the willingness to apply each module's template to your specific environment.

The governance artifact produced in this subsection should be reviewed with your organization's stakeholders within one week of creation. Governance documents that sit in SharePoint unreviewed provide zero organizational value. The review cycle — draft, stakeholder feedback, revision, approval, publication — transforms a training exercise into a deployed control. Schedule the review meeting before you finish the module, not after.

The regulatory landscape context

This course references multiple regulatory frameworks — ISO 27001, NIST CSF, GDPR, NIS2, PCI DSS, DORA — but does not require prior knowledge of any specific framework. Each framework is introduced in the module where it applies. The course teaches the common patterns that all frameworks share (risk assessment, access control, incident response, audit evidence) rather than memorisation of framework-specific clause numbers. An analyst who understands the common patterns can navigate any framework; an analyst who memorises ISO 27001 clause numbers without understanding the underlying principles cannot adapt to NIST or NIS2 when the organization's regulatory requirements change.

You do not need access to an auditor, a compliance tool, or a GRC platform. Every governance artifact in this course is produced in standard document formats (Markdown, Word-exportable templates) that work with any GRC tool or without one. Many organizations under 500 employees manage GRC in SharePoint document libraries rather than dedicated platforms — and that approach works if the documents are current, approved, and actually followed.

Organizational context is the real prerequisite

The single most valuable thing you bring to this course is knowledge of your organization: its systems, its people, its regulatory obligations, and its risk tolerance. A risk assessment template is generic until you populate it with YOUR organization's assets, threats, and vulnerabilities. An access control policy is abstract until you map it to YOUR organization's Entra ID groups and conditional access policies. The course provides the frameworks and templates. You provide the organizational context that makes them operational.

If you do not yet have this organizational context — perhaps you are studying before starting a new role, or you are a student preparing for the profession — use Northgate Engineering as your reference organization throughout the course. Every module provides the NE implementation as a worked example. Adapt the NE context to a hypothetical organization similar to your target employer. The adaptation exercise itself develops the skill you will use on day one of the job.

Compliance Myth: "Compliance equals security"

The myth: Compliance equals security

The reality: Compliance frameworks define minimum acceptable controls — not optimal security posture. An organization can be fully compliant with ISO 27001 and still be breached because the framework does not mandate specific detection rules, threat hunting programs, or incident response testing. Compliance is the floor. Security capability is the ceiling. The gap between them is where attackers operate.

Detection depth: NE-specific implementation

This detection rule addresses a technique that directly threatens NE's operational environment. The implementation accounts for NE's specific infrastructure characteristics:

Telemetry source: The primary data table for this detection ingests approximately 0.5-3.2 GB/day depending on the activity volume. At NE's scale (810 users, 865 devices, 42 servers), the event volume generates a stable baseline that statistical detection methods (percentile analysis from DE9.4) can reliably characterize. Deviations from this baseline represent either environmental changes (new applications, infrastructure modifications) or attacker activity.

Threshold calibration: The threshold was selected using the percentile method: P99 of 30-day historical data establishes the upper bound of normal activity. The production threshold is set at 1.5x P99 to provide margin above normal fluctuation while maintaining detection sensitivity for attack patterns that typically generate 5-50x normal volume.

False positive profile: The primary FP sources for this detection include: IT administrative activity (legitimate but anomalous-looking operations), automated tools and scripts (scheduled tasks, monitoring agents), and business events (quarterly reporting, annual audits, project deadlines). Each FP source is addressed through the watchlist architecture (DE9.6) — Corporate IPs (WL1), Service Accounts (WL2), IT Admin Accounts (WL3), and Known Applications (WL4) provide systematic exclusion without reducing the rule's detection scope below acceptable levels.

Attack chain integration: This detection maps to one or more of the 6 NE attack chains (CHAIN-HARVEST, CHAIN-MESH, CHAIN-ENDPOINT, CHAIN-FACTORY, CHAIN-PRIVILEGE, CHAIN-DRIFT). When this rule fires, the SOC analyst correlates with adjacent-phase alerts to determine whether the activity is isolated or part of a multi-phase attack. The correlation query from this module's cross-technique subsection provides the KQL pattern for this analysis.

Response procedure: On alert, the analyst: (1) checks the entity against the watchlists — is this a known benign source? (2) checks for correlated alerts from adjacent kill chain phases within 60 minutes, (3) classifies as TP/FP/BTP using the DE9.5 decision tree, and (4) escalates to Rachel if the alert correlates with other phases (potential active attack chain).
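The calibration and triage logic described in this subsection, as an added illustration in Python rather than KQL (not course code): the 30-day daily counts, the watchlist members and the alert times are constructed, and the nearest-rank percentile is an assumption, since the text does not fix an interpolation method.

```python
from datetime import datetime, timedelta
import math

# Constructed: 30 days of daily event counts for the detection's telemetry table
BASELINE_30D = [1180, 1210, 1195, 1240, 1175, 1160, 1225, 1205, 1190, 1230,
                1215, 1185, 1250, 1170, 1200, 1220, 1195, 1235, 1180, 1210,
                1260, 1190, 1205, 1175, 1225, 1215, 1185, 1240, 1200, 1230]

# Constructed watchlist entries; WL2/WL3 are the course's watchlist names, the members are made up
WATCHLISTS = {"WL2 Service Accounts": {"svc-backup", "svc-monitor"},
              "WL3 IT Admin Accounts": {"admin-jsmith"}}

def percentile(values, p):
    """Nearest-rank percentile (assumption: the course does not specify an interpolation method)."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(p / 100 * len(ordered))) - 1]

def calibrate_threshold(daily_counts, margin=1.5, p=99):
    """Production threshold = 1.5 x P99 of the 30-day baseline, as in the calibration text."""
    return margin * percentile(daily_counts, p)

def in_watchlist(entity):
    """Return the name of the watchlist that lists the entity, or None."""
    return next((n for n, members in WATCHLISTS.items() if entity in members), None)

def triage(entity, count, threshold, adjacent_alert_times, alert_time, window_min=60):
    """Apply the response procedure; returns (classification, reason)."""
    if count <= threshold:
        return "no-alert", "within calibrated baseline"
    hit = in_watchlist(entity)
    if hit:                                   # step 1: known benign source
        return "BTP", f"listed in {hit}"
    window = timedelta(minutes=window_min)   # step 2: adjacent-phase alerts within 60 minutes
    correlated = [t for t in adjacent_alert_times if abs(t - alert_time) <= window]
    if correlated:                            # step 4: potential active chain, escalate
        return "TP-escalate", f"{len(correlated)} correlated alert(s) in window"
    return "TP", "isolated; investigate"      # step 3: true positive, no chain evidence

def demo():
    """Run the calibration and the four triage outcomes on constructed alerts."""
    t = calibrate_threshold(BASELINE_30D)     # 1.5 x 1260 = 1890.0
    now = datetime(2025, 1, 15, 10, 0)
    earlier = now - timedelta(minutes=30)     # adjacent-phase alert inside the window
    return (t,
            triage("jdoe", 1500, t, [], now)[0],         # normal day
            triage("svc-backup", 2000, t, [], now)[0],   # over threshold but watchlisted
            triage("jdoe", 6000, t, [], now)[0],         # 5x baseline, isolated
            triage("jdoe", 6000, t, [earlier], now)[0])  # correlated: escalate
```

With the constructed baseline the P99 is the busiest day (1260 events), so the production threshold lands at 1890; a 5x day clears it easily while a watchlisted service account over the line is closed as BTP without touching the rule's scope.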

Decision point

NE's GRC quarterly report shows green across all frameworks. The SOC handled 3 Severity 2 incidents the same quarter. The board asks: 'If we are compliant, why are we attacked?'

Which response is correct?
  • Compliance means no attacks — question the SOC's detection capability.
  • Compliance confirms controls are in place; the incidents were detected and contained BECAUSE the controls worked. (Correct)
  • Compliance is just paperwork with no security relationship.
  • Any incident should change compliance status to amber.

Compliance confirms controls are in place. Security outcomes depend on whether controls are effective. The incidents were detected and contained BECAUSE the controls worked. A more accurate report: 'Controls detected and contained 3 incidents including a BEC attempt intercepted before financial loss — demonstrating compliance is producing security outcomes.' Compliance is not immunity; it is capability.

You know what GRC actually is.

G0 oriented you to the discipline. G1 made the case that governance is an operating system, not a documentation exercise — the shift from "we wrote the policy" to "the policy operates every day." Now you build the operating system.

  • 15 operational modules — policy framework, risk management, compliance operations, audit management, vendor risk, data governance, and sector-specific governance
  • External audit management playbook — the protocol for making audits a structured event instead of a firefight
  • Policy framework templates — every policy your organisation actually needs, with the structure that survives audit and operates in practice
  • Risk register operations — how to make the risk register a decision-making instrument instead of a spreadsheet
  • Sector governance (G16) — the specific compliance obligations for financial services, healthcare, public sector, and manufacturing