Sign In
In this module

0.5 How to Learn from This Course

30-45 minutes · Module 0 · Free
Operational Objective
The Method Problem: this is not a course you read passively. Every subsection produces an artifact. The 70/20/10 model means 70% of your time is spent on applied exercises, not reading theory.
Deliverable: A two-week learning plan with specific module targets and time allocations.
⏱ Estimated completion: 10 minutes

How to Learn from This Course

The exercise methodology

Every content subsection in this course follows the same pattern. Understanding the pattern up front means you know what to expect and can prepare.

SUBSECTION STRUCTURE — WHAT YOU ENCOUNTER IN EVERY MODULE CONTEXT The problem, why it matters, what breaks ~10% of subsection DIAGRAM Visual model of the concept or framework SVG every subsection SCENARIO / DECISION Applied exercise, micro- audit, or branching choice ~70% of subsection RED LINE Regulation says X. Reality requires Y. ~20% of subsection ARTIFACT You build something Goes in portfolio 70% of your time is spent on scenarios, decisions, and building — not reading theory Theory is connective tissue between applied exercises, not the main content

Context sets up

Figure 0.4: Subsection structure. Every content subsection follows this five-stage pattern: brief context, visual diagram, applied exercise (70% of time), regulation-vs-reality breakout, and artifact output for your portfolio.

the problem in minimal words. No "In this section we will learn about..." — the problem is stated and you are immediately in it.

Diagram provides the visual model. Every content subsection has at least one SVG: tree diagrams for hierarchies, fishbone diagrams for root cause analysis, flowcharts for processes, mind maps for relationships, pyramids for priorities, journey maps for progressions. The diagram is not decoration — it is the primary teaching tool. The text explains what the diagram shows.

Scenario / Decision is where you spend most of your time. Micro-audits ("find the three failures in this organization's GRC setup"), branching decisions ("the CEO wants an MFA exception — what do you do?"), comparison tables ("integrated system vs disconnected system"), and fill-in exercises ("build your policy mapping"). The reveals show the analysis after you have formed your own assessment.

Red Line breakouts show the gap between what a regulation literally says and what it actually requires in practice. These are the field insights that certification courses do not teach because they come from implementation experience, not from reading the standard.

Artifact outputs go into your GRC deliverables portfolio. By course end, the portfolio contains: policy framework, risk register, compliance mappings, audit program, board reports, and operating model. Not templates — documents built for your organization during the exercises.

Pacing

ScenarioPaceTimeline
Alongside a full-time job, no deadline1 module per week (Phases 1-2), 1 module per 1-2 weeks (Phases 3-4)20-30 weeks
ISO 27001 audit in 6 monthsG0-G2 (weeks 1-3), G3-G5 (weeks 4-8), G6 (weeks 9-14), G12 (weeks 15-18)18 weeks (fast-track)
Building a new GRC functionSequential through all 17 modules26-34 weeks
Validating an existing programSkim G0-G2, deep-dive on weak areas identified in G1 maturity assessment8-12 weeks selective

Try it yourself: Plan your first two weeks

Based on your path (from subsection 0.2) and your pace, decide which modules you will complete in the next two weeks and what time you will allocate.

WeekModule(s)Time availableArtifact to produce
Week 1G0 (finish) + G1___ hoursMaturity assessment, stakeholder map
Week 2G2___ hoursPolicy hierarchy, minimum viable policy set, first mapping
Reveal: Recommended minimum investment

Week 1: 3-4 hours. Complete G0 (you are most of the way through) and G1. The G1 exercises — maturity self-assessment, stakeholder relationship mapping, and regulatory driver identification — produce the context that shapes everything else. Do not rush these.

Week 2: 3-4 hours. Complete G2. The policy hierarchy classification, minimum viable policy set assessment, and policy-to-control mapping are your first three operational artifacts. If you have existing policies, bring them to the exercises. If you do not, the exercises guide you through designing the framework from scratch.

After these two weeks, you have the foundations in place and the G3 risk management module can begin. G3 is the pivotal module — it builds the engine that drives every subsequent module. Budget extra time for it.

Build for your organization, not a hypothetical one. Generic outputs teach you the mechanics. Organization-specific outputs produce deployable governance artifacts that you use the next working day. If you do not have organizational context yet, use the provided case studies as a substitute — but switch to real context as soon as you can. The course value compounds when the artifacts are real.

The document-first methodology

Every module follows the same pattern: understand the governance requirement, study the NE worked example, adapt the template to your organization, and deploy the document. The course does not separate "learning" from "doing" — the learning IS the doing. Module 3 does not teach risk assessment theory and then assign a homework exercise. Module 3 walks through NE's risk assessment, explains every decision, and by the end of the module you have produced your own risk assessment using the same methodology.

The worked documents use Northgate Engineering as the example organization. NE's context — 810 staff, 6 sites, manufacturing + engineering operations, Microsoft 365 environment, hybrid AD infrastructure — is specific enough to demonstrate real implementation decisions but generic enough that the patterns transfer to any mid-sized organization. When NE's risk assessment identifies "unpatched Server 2016 in manufacturing" as a critical risk, your adaptation identifies the equivalent legacy system risk in your environment. The framework is identical. The content is yours.

Expand for Deeper Context

Study at the pace that matches your document production. If Module 5 (access control policy) takes two weeks because you need to map your organization's access groups and conditional access policies before you can complete the adapted document, take two weeks. The pace is determined by implementation depth, not reading speed.

The governance artifact produced in this subsection should be reviewed with your organization's stakeholders within one week of creation. Governance documents that sit in SharePoint unreviewed provide zero organizational value. The review cycle — draft, stakeholder feedback, revision, approval, publication — transforms a training exercise into a deployed control. Schedule the review meeting before you finish the module, not after.

Governance as a living system

The documents you produce in this course are not final products — they are first versions. A risk assessment completed in Module 3 reflects your understanding of the organization's risk landscape at that point. Three months later, after new systems are deployed, new threats are identified, and new regulations take effect, the risk assessment needs updating. The course teaches not just how to create governance documents but how to maintain them: what triggers a review, who approves changes, how to version the document, and how to communicate updates to the organization.

The maintenance discipline separates functional GRC from checkbox GRC. An organization with a risk register last updated 18 months ago has a historical document, not a governance tool. An organization with a risk register updated quarterly based on threat intelligence, incident findings, and environmental changes has a living document that drives security decisions. The quarterly review cycle is as important as the initial creation — this course establishes both habits.

The deploy-and-measure pattern

Each module's governance artifact should be deployed within one week and measured within one month. Deployment means: the document is published, communicated to relevant stakeholders, and integrated into operational processes. Measurement means: is the document being used? Are the controls it defines being followed? Are the metrics it specifies being collected? A policy that no one reads is not a policy. A risk register that no one consults before making decisions is not a risk register. The course provides measurement criteria for each artifact so you can verify that governance documents produce the operational outcomes they were designed for.

Building the governance portfolio

By Module 16, you will have produced a complete governance document portfolio — not a folder of templates you might use someday, but a set of documents adapted to your organization, reviewed by stakeholders, and integrated into operational processes. The portfolio includes: information security policy, risk assessment and register, access control policy, incident response plan, data classification scheme, vendor risk assessment framework, security awareness program, and board security posture report.

Each document builds on the previous. The information security policy (Module 2) defines the access control requirements that the access control policy (Module 5) implements. The risk assessment (Module 3) identifies the threats that the incident response plan (Module 6) addresses. The data classification scheme (Module 8) determines which data the vendor risk assessment (Module 10) must protect. This interdependence means the documents work as a system, not a collection — changing one document triggers a review of the documents it connects to.

The stakeholder engagement pattern

Every governance document requires stakeholder input to be effective. A risk assessment written by the security team without business unit input misses operational risks. An access control policy written without IT input specifies controls that cannot be technically implemented. Each module includes guidance on which stakeholders to involve, what input to request, and how to incorporate feedback without losing the document's governance integrity. The stakeholder engagement is not a formality — it is the mechanism that transforms a security team document into an organizational commitment.

Compliance Myth: "Risk registers prevent incidents"

The myth: Risk registers prevent incidents

The reality: Risk registers document known risks and accepted treatments. They do not prevent incidents — controls prevent incidents. A risk register with 200 entries and no implemented controls provides zero protection. A risk register with 20 entries and all controls implemented, tested, and monitored provides substantial protection. The register is a management tool. The controls are the security.

Artifact Output
Two-week plan set: Week 1 targets (G0 + G1), Week 2 targets (G2), time allocated. The G1 maturity assessment and G2 policy framework are your first operational artifacts — they feed every subsequent module.
Next objective → 0.6 Module Summary
Decision point

NE's GRC program produces quarterly reports showing green status. The SOC handled 3 incidents the same quarter. The board asks: 'If we are compliant, why are we attacked?'

Compliance confirms controls are in place. Security outcomes depend on whether controls are effective. The incidents were detected and contained BECAUSE the controls worked. A more accurate report: 'Controls detected and contained 3 incidents including a BEC attempt intercepted before financial loss — demonstrating compliance is producing security outcomes.'

NE's GRC quarterly report shows green across all frameworks. The same quarter had 3 Severity 2 incidents. The board asks: 'If we are compliant, why are we attacked?'
Compliance means no attacks — question the SOC's detection capability.
Compliance confirms controls are in place. The incidents were detected and contained BECAUSE the controls worked. A better report: 'Controls detected and contained 3 incidents including a BEC attempt intercepted before loss — demonstrating compliance produces security outcomes.' Compliance is not immunity; it is capability.
Compliance is just paperwork with no security relationship.
Any incident should change compliance status to amber.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You know what GRC actually is.

G0 oriented you to the discipline. G1 made the case that governance is an operating system, not a documentation exercise — the shift from "we wrote the policy" to "the policy operates every day." Now you build the operating system.

  • 15 operational modules — policy framework, risk management, compliance operations, audit management, vendor risk, data governance, and sector-specific governance
  • External audit management playbook — the protocol for making audits a structured event instead of a firefight
  • Policy framework templates — every policy your organisation actually needs, with the structure that survives audit and operates in practice
  • Risk register operations — how to make the risk register a decision-making instrument instead of a spreadsheet
  • Sector governance (G16) — the specific compliance obligations for financial services, healthcare, public sector, and manufacturing
Unlock the full course with Premium See Full Syllabus
← Previous Next →