In this section
Prerequisites and What You Need
Scenario
You're ready to start the course. You have six months of IT experience, no GRC certifications, no GRC platform, and no compliance background. You're wondering whether you need to complete a certification first, buy a tool first, or get more experience first. You don't. You need a document editor, a spreadsheet, and knowledge of your organization. Everything else is built during the course.
The single prerequisite
General IT and security awareness. You should understand what firewalls, access controls, encryption, and vulnerability management are at a conceptual level. You should know what a security incident is and what "compliance" means in general terms. If you've worked in IT or security for six months, you have enough context. If you haven't but you've studied the concepts independently, that works too.
Nothing else is required. No KQL, no forensics, no programming, no prior GRC experience, no certifications. This course teaches GRC methodology from first principles. Every concept is explained at first use. Technical security knowledge makes the control discussions richer, but the course is designed for learners who come from either a technical or a business background.
What you do NOT need
A GRC platform. The most common objection: "I need ServiceNow/Drata/Vanta before I can start learning GRC." This is backwards. The tool does not create the capability. The capability creates the need for the tool. Every exercise in this course can be completed with a document editor, a spreadsheet, and a shared drive. Many organizations under 500 employees manage their entire GRC program in SharePoint document libraries rather than dedicated platforms, and that approach works if the documents are current, approved, and actually followed.
Module G15 covers GRC tool evaluation after you've operated the program long enough to know what you actually need automated. Buying the platform first is like buying a project management tool before you understand your project methodology. The tool shapes itself to your process, not the other way around.
A compliance certification. CISM, CRISC, CGRC, and ISO 27001 Lead Implementer are all valuable credentials. None of them is a prerequisite for this course. The course builds the practical competence that certification study guides assume you already have. If you're pursuing a certification, the course makes your exam preparation more meaningful because you'll have built the artifacts the exam questions describe. If you're not pursuing a certification, the course's value is entirely in the operational capability.
An auditor relationship. You don't need access to an auditor or a compliance consultant. The course teaches you to prepare audit evidence, manage audit findings, and run the audit lifecycle. When you do engage an auditor, you'll be prepared rather than reactive.
What you DO need
Figure 0.4: Course readiness. The required tools are free (Google Docs, Sheets, Drive). The real prerequisite is organizational context.
A document editor and spreadsheet. Google Docs and Sheets are free and sufficient. Microsoft Word and Excel work equally well. The course produces policies, risk registers, control matrices, and reports. These are documents, not code. The format matters less than the habit of producing structured, version-controlled governance artifacts rather than informal notes.
Shared storage. A folder structure where governance documents can be stored, versioned, and shared with stakeholders. SharePoint, Google Drive, or any shared file system. GRC documents that live on one person's laptop are not governance. Even a simple folder hierarchy (Policies, Risk, Evidence, Reports) establishes the document management discipline that scales into a mature GRC program. Module G2 covers the folder structure and naming conventions in detail.
Stakeholder access (recommended). The artifacts are stronger when you can consult process owners, IT staff, and leadership during the exercises. A risk assessment produced from a single perspective misses threats, overestimates controls, and underestimates impacts. The risk assessment in G3 asks you to identify the top five threats to your organization. An IT manager sees infrastructure threats. A finance manager sees fraud and regulatory exposure. A line-of-business manager sees operational disruption. Each perspective adds risks the others miss. If you don't have stakeholder access yet, the Northgate Engineering scenario provides the organizational context for every exercise.
Time (five to eight hours per week). GRC is not a weekend sprint. Each module takes two to four hours: one to two hours reading and one to two hours building the artifact. The early modules (G0-G2) are faster because the exercises are lighter. The framework modules (G6-G10) are denser because each produces a significant deliverable. The total course time for all seventeen modules is approximately 36 to 42 hours spread across ten to sixteen weeks.
An M365 tenant (optional). Some modules include KQL verification queries that demonstrate control effectiveness using Sentinel data. If your organization has an M365 E5 or Sentinel workspace, you can run these queries against real data. If not, the course includes the expected output for every query. You can also set up a free M365 Developer Tenant for a safe practice environment. The KQL is additive to the GRC content. You learn governance whether or not you run the queries.
Organizational context is the real prerequisite
The most valuable thing you bring is knowledge of your organization. A risk assessment template is generic until you populate it with your organization's assets, threats, and vulnerabilities. An access control policy is abstract until you map it to your organization's identity groups and conditional access rules. The course provides the frameworks and templates. You provide the organizational context that makes them operational.
This means the course becomes more valuable the more you know about where you work. Understanding your organization's technology stack (which cloud services, which identity provider, which endpoint management) helps you map controls to real implementations. Understanding your regulatory obligations (which frameworks your customers require, which regulations your industry mandates) helps you prioritize the Phase 3 modules. Understanding your leadership's risk appetite (how they respond to security investment requests, what language resonates, what metrics they track) helps you build the board reports in G13 that actually influence decisions.
If you don't yet have this context, perhaps because you're studying before starting a new role or you're a student preparing for the profession, use Northgate Engineering as your reference organization throughout the course. NE is a mid-size engineering company with 810 users, an M365 environment, regulatory obligations under NIS2 and GDPR, and a security team that includes SOC analysts, a security architect, and a GRC function under development. Every module provides the NE implementation as a worked example. Adapt it to a hypothetical organization similar to your target employer. The adaptation exercise itself develops the judgment you'll use from day one.
The regulatory landscape
This course references multiple regulatory frameworks: ISO 27001, NIST CSF 2.0, SOC 2, GDPR, NIS2, DORA, and CMMC. You don't need prior knowledge of any of them. Each framework is introduced in the module where it applies. The course teaches the common patterns that all frameworks share (risk assessment, access control, incident response, audit evidence) rather than memorization of framework-specific clause numbers.
A practitioner who understands the common patterns can navigate any framework. A practitioner who memorizes ISO 27001 clause numbers without understanding the underlying principles cannot adapt when the organization's regulatory requirements change. The frameworks are the vehicle. The governance methodology is the skill.
Anti-Pattern
The tool-first approach
The organization buys a GRC platform before designing the governance program. They spend three months configuring the platform, importing framework requirements, and building dashboards. The dashboards look impressive. The underlying data is template content that nobody has adapted to the organization's actual risk profile, control environment, or operational processes. The platform automates a process that doesn't exist yet. Six months later, the platform license renews at $40,000/year and the GRC team still manages risk in spreadsheets because the platform doesn't match how they actually work.
The tool-first failure is expensive and common. The fix is straightforward: operate your governance program manually for at least one full cycle (one audit, one risk review, one board report) before evaluating platforms. After one cycle, you know which steps are painful, which data flows are manual, and which reporting requirements consume the most time. Those pain points become your evaluation criteria for platform selection, and they'll be different from what the vendor's demo highlights.
GRC Principle
Build the process before buying the tool. Operate the process manually long enough to understand what needs automation. Then evaluate tools based on your actual workflow rather than the vendor's demo. Module G15 covers this evaluation after you've built the operating model.