Course Introduction

30-45 minutes · Module 0 · Free

0.1: What is GRC

Governance, risk, and compliance are three words that make most security practitioners reach for the exit. The typical experience involves a consultant handing over a spreadsheet with 400 controls, a policy template pack full of "[insert organization name]" placeholders, and an invoice for $50,000. Six months later, the spreadsheet is out of date, the policies live in a SharePoint folder nobody visits, and the next audit triggers the same panic as the last one.

That model is broken, and it breaks in a specific, predictable way. GRC is not a documentation exercise. It is an operating capability — a system that continuously aligns security controls to business risk, regulatory obligations, and organizational objectives. When it works, it funds security projects, defends budget decisions, satisfies auditors without panic, and gives leadership the information they need to make informed risk decisions. When it fails, security teams spend their energy filling in spreadsheets instead of reducing risk.

The difference between GRC that works and GRC that produces shelf-ware is operational integration. A risk register that sits in a spreadsheet, updated annually before the audit, governs nothing. A risk register connected to live control data, where MFA enforcement rates feed the "identity risk" row automatically, where incident counts update the "detection and response" row quarterly, governs everything. The register becomes the lens through which leadership sees security posture, and the controls become the evidence that the register is accurate.

This course teaches GRC as operations. Every module produces deployable artifacts — policy documents, risk registers, control matrices, audit evidence packs, and board reports — built for Northgate Engineering and adaptable to your own organization. The artifacts are designed for use in production, not for a consultant's deliverable folder.

0.2: What you will learn

Five sections in this module, each building the foundation for the course.

Section 0.1: The Problem with GRC Training. Why most GRC training produces graduates who understand frameworks but cannot implement governance programs. The failure pipeline from framework knowledge through documentation to audit readiness — and where value leaks at each stage. You'll assess where your own organization's GRC effort currently stops in the pipeline.

Section 0.2: Who This Course Is For. Three practitioner profiles that enter the course with different knowledge gaps — security practitioners adding governance, GRC professionals adding technical depth, and IT managers building the complete capability. The bridging role between technical security and business governance.

Section 0.3: Course Structure and Module Map. The full seventeen-module architecture across four phases: Foundations, Policy and Risk, Framework Implementation, and Governance Operations. Phase dependencies, selective study paths, and the artifact progression from policy framework through risk register to board report.

Section 0.4: Prerequisites and What You Need. The single prerequisite (general IT and security awareness), the template pack, and the optional M365 environment for control verification. Why GRC is the most accessible course on the platform.

Section 0.5: How to Learn from This Course. The operational GRC methodology: every subsection teaches through worked examples built for Northgate Engineering, every module produces a deployable artifact, and the course rewards application to your own organization as you progress.

0.3: Why GRC needs a practitioner course

The GRC training market in 2026 splits into two categories, and neither serves the practitioner who needs to build and operate a governance program.

The first category is certification preparation. CISM, CRISC, CGRC, ISO 27001 Lead Implementer — these courses teach frameworks as knowledge domains. You memorize control categories, learn risk assessment terminology, and pass an exam. The graduate knows what "Annex A control A.8.16" means but cannot write the access control policy that implements it, cannot configure the conditional access rule that enforces it, and cannot build the KQL query that verifies it is working. Framework knowledge without implementation skill produces consultants, not practitioners.

The second category is vendor platform training. ServiceNow GRC, Drata, Vanta, OneTrust — these courses teach you to operate a specific tool. The graduate can navigate dashboards and generate compliance reports but cannot design the governance structure the tool should automate. Tool proficiency without governance methodology produces operators who depend on the vendor's workflow decisions rather than making their own.

The gap between these two categories is where most organizations struggle. The security manager at a mid-size company who has been handed GRC responsibility needs both: the methodology to design a governance program and the implementation skill to deploy it. They need to write policies that people actually follow, build risk assessments that leadership uses for decisions, and produce audit evidence from operational data rather than retroactive documentation sprints.

This course fills that gap. Every framework concept is taught through a worked implementation. Every control discussion includes the technical verification. Every governance artifact is built as a deployable document, not an exam answer.

0.4: How to get the best from this module

This is the orientation module. Read all five sections before starting Module 1. The course architecture and operational GRC philosophy established here frame every subsequent module.

Sections 0.1 through 0.3 establish the problem space and course positioning. They are worth reading carefully even if you have GRC experience, because they define the operational methodology that distinguishes this course from framework memorization.

Sections 0.4 and 0.5 are practical: prerequisites, lab setup, and learning methodology. If you are confident in your background and ready to start building, these sections take 10–15 minutes.

The course is self-paced. No cohorts, no deadlines, no streaks. Phase 1 (G0–G1) takes one evening. Phase 2 (G2–G5) takes two to three weeks at five to eight hours per week. Phase 3 (G6–G10) takes four to five weeks if you complete all five framework modules, less if you select only the frameworks relevant to your organization. Phase 4 (G11–G16) takes three to four weeks. Full course at five to eight hours per week: ten to sixteen weeks.

0.5: Module structure

This module contains five sections:

  • 0.1 The Problem with GRC Training
  • 0.2 Who This Course Is For
  • 0.3 Course Structure and Module Map
  • 0.4 Prerequisites and What You Need
  • 0.5 How to Learn from This Course

Go to Section 0.1 to begin.
