Reading width
Wide uses the full column for everything, text, diagrams, code, and exercises. Narrow keeps the standard reading width.
Text size
Scales the body text. Headings and code blocks keep their size.
In this section
Module Summary
Module Summary
Section 0.1. The Problem with GRC Training. The GRC failure pipeline: framework knowledge through documentation to audit readiness to actual risk reduction. Most organizations stop at documentation or audit readiness. Three failure modes (compliance theatre, risk register theatre, audit-driven security) diagnose why programs stall. The documentation model produces increasing costs. The operational model produces stable costs and continuous evidence.
Section 0.2. Who This Course Is For. Three practitioner paths: security practitioners adding governance, GRC professionals adding technical depth, and IT managers building the complete capability. The bridging role between technical security and business governance. Certification alignment across CISM, CRISC, CGRC, ISO 27001 LI, and CDPSE.
Section 0.3. Course Structure and Module Map. Seventeen modules across four phases. Phases 1-2 (Foundations and Risk Management) are sequential. Phase 3 (Framework Implementation) is selective. Phase 4 (Governance Operations) is priority-based. The artifact progression builds from policy framework through risk register to board reports and operating model.
Section 0.4. Prerequisites and What You Need. One prerequisite: general IT and security awareness. No GRC platform, certifications, or prior GRC experience required. Organizational context is the real prerequisite. Northgate Engineering serves as the reference organization for learners without organizational context.
Section 0.5. How to Learn from This Course. The document-first methodology: every module produces a deployable governance artifact, not an exam answer. The NE scenario provides worked examples. Governance documents are living instruments maintained through defined review cycles. Deploy within one week, measure within one month.
What's next
Module G1: What GRC Actually Is, and Why It Fails. The governance-risk-compliance triad as an operating system. Four failure modes with real-world patterns. Organizational positioning of GRC. Regulatory drivers. The GRC maturity self-assessment that establishes your starting baseline and shapes your path through every subsequent module.
How was this module?
Your feedback helps us improve the course. One click is enough, comments are optional.
You know what GRC actually is.
G0 oriented you to the discipline. G1 made the case that governance is an operating system, not a documentation exercise — the shift from "we wrote the policy" to "the policy operates every day." Now you build the operating system.
- 15 operational modulespolicy framework, risk management, compliance operations, audit management, vendor risk, data governance, and sector-specific governance
- External audit management playbookthe protocol for making audits a structured event instead of a firefight
- Policy framework templatesevery policy your organisation actually needs, with the structure that survives audit and operates in practice
- Risk register operationshow to make the risk register a decision-making instrument instead of a spreadsheet
- Sector governance (G16)the specific compliance obligations for financial services, healthcare, public sector, and manufacturing