GRC Track

For security practitioners, GRC professionals, and security leaders building governance programs

Aligned to ISO/IEC 27001:2022, NIST CSF 2.0, NIS2 Directive, DFARS 252

GRC for Security Professionals

Implement governance, risk, and compliance that protects the business — not just satisfies the auditor.

Build a GRC program from risk assessment through audit readiness. Conduct risk assessments that identify what actually matters, build policy frameworks that practitioners follow, implement ISO 27001, NIST CSF 2.0, SOC 2, and GDPR controls operationally, prepare for and manage audits without panic, and report security risk to leadership in terms that drive decisions.

What you'll deploy
GRC program framework with risk registers and policy templates
Risk assessment methodology aligned to ISO 27005 and NIST SP 800-30
Audit evidence management system with control-to-evidence mapping
Compliance monitoring dashboards for ISO 27001, NIST CSF, and SOC 2
Board-level security reporting templates
Vendor risk assessment workflow with scoring criteria
GRC PROGRAM — OPERATIONAL STATUS
RISK REGISTER: 24 risks tracked (Current)
POLICY FRAMEWORK: 12 policies active (Review: OK)
ISO 27001: 78/93 controls mapped (84%)
SOC 2 TYPE II: Observation period, Day 142
AUDIT FINDINGS: 3 open / 12 closed, 1 overdue
GDPR / PRIVACY: ROPA complete (Compliant)
Next board report: 14 days — Top 5 risks, framework status, investment request
Full program: 5 frameworks, 5 certifications, 36-42 hours

What you'll be able to do

Conduct risk assessments that identify what actually matters
Implement ISO 27001, NIST CSF 2.0, SOC 2, and GDPR controls operationally
Prepare for and manage audits without panic
Build policy frameworks that practitioners actually follow
Report security risk to leadership in terms that drive decisions
Premium tier | 17 modules across 4 phases | 36–40 hours at your own pace | 40 CPE credits | 2 free modules — no account needed | 5 frameworks | Updated May 2026

Who this course is for

“Our risk register is a spreadsheet nobody reads.” You need a risk management program grounded in your actual threat landscape, where risk decisions drive security investment and the register is a living tool that leadership uses to make budget decisions.

“The auditor arrives in 6 weeks and I'm not ready.” Audit readiness shouldn't be a project. This course builds the evidence pipeline where compliance evidence is a byproduct of how you operate. ISO 27001, SOC 2, NIST CSF, GDPR — the controls generate evidence continuously.

“I write policies that nobody follows.” Policies written to satisfy auditors produce documentation nobody reads. Policies written to describe actual operational practice produce documentation teams follow. The difference is in how you build them — starting from what the organization actually does.

“The board asks for a security update and I don't know what to present.” Board reporting: top risks in business impact terms, control effectiveness metrics, compliance posture, investment requests with ROI. The module produces the template you use for every board meeting.

“I'm technical but I need to understand governance to advance my career.” Security engineers and SOC practitioners moving toward management or architecture. You already know the technical controls — this course teaches you how they connect to governance frameworks, risk management, and the compliance requirements that justify your security budget.

“I need to manage third-party risk but I don't have a framework.” Vendor risk assessment: questionnaire design, scoring criteria, continuous monitoring, contractual controls. The workflow that turns vendor risk from a checkbox into an operational capability.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

The risk register has 47 entries and nobody can tell you which 5 matter most. Risk ratings are gut feelings presented as quantitative analysis.

Audit preparation is a 6-week scramble. You pull screenshots, write justifications, and fabricate evidence for controls that aren't operating.

The security policies exist in SharePoint. The engineering team has never read them. What the policies describe and what the organization does are two different things.

The board gets a traffic-light dashboard that says “amber” every quarter. Nobody knows what amber means or what decision it's supposed to drive.

After

The risk register has 24 risks with quantified impact, likelihood, and treatment plans. Leadership uses the top 5 to prioritize the security budget. Risk decisions are documented and defensible.

62 KQL queries generate compliance evidence automatically from your security telemetry. The auditor asks for evidence and you run a query. No scramble, no screenshots, no fabrication.

Policies describe what the organization actually does. Engineers reviewed the drafts. The policy framework connects to the technical controls — when the engineer deploys a config change, the policy already describes why.

The board report shows top 5 risks in business impact terms, control effectiveness trends, and a specific investment request with projected risk reduction. The board makes a decision because the report asks for one.

How the course works

Four phases build the complete GRC operating system — from risk foundations through framework implementation to board-level reporting:

Phase 1
Risk Foundations

Risk assessment methodology, threat modeling, risk register, risk appetite and tolerance, risk treatment decisions.

Phase 2
Framework Implementation

ISO 27001, NIST CSF 2.0, SOC 2, GDPR, CMMC. Control mapping, evidence generation, gap analysis. Five frameworks, one integrated program.

Phase 3
Operational Governance

Policy framework, audit management, vendor risk, incident governance. The operational practices that keep the program running between certifications.

Phase 4
Leadership Reporting

Board reporting, security metrics, investment justification, program maturity. Translate the governance program into decisions leadership can act on.

What the content looks like

This is a real control assessment from the compliance evidence module. Instead of screenshotting a portal toggle, you document the control’s operational effectiveness with evidence from telemetry — the format auditors actually accept:

Posture Assessment — From Module 8: Automated Compliance Evidence

Control: ISO 27001 A.8.5 — Secure authentication (MFA enforcement)

Evidence source: SigninLogs (30-day window), queried via KQL, not portal screenshots

Finding: 98.7% of interactive sign-ins enforced MFA. 1.3% bypassed via legacy auth from 4 service accounts in SG-Legacy-Exceptions

Risk rating: Low — bypasses are documented, time-bounded (migration deadline Q3), and monitored via weekly exception report

Remediation: Migrate 4 service accounts to certificate-based auth by Q3. Remove SG-Legacy-Exceptions group. Rerun evidence query to confirm 100% coverage.

Audit readiness: Evidence auto-generated weekly. Assessment updated quarterly. Exception register maintained in SharePoint with owner, justification, and expiry date.

98.7% coverage is evidence. A screenshot of a toggle is configuration. The auditor wants to know the control works, not that it exists. Every module teaches at this level — evidence from telemetry, gaps documented with remediation plans, and the exception register that proves governance is operating.
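In the course the finding above comes from a KQL query over SigninLogs. As an added example (not course material and not the course's query), the Python below performs the same computation over a constructed set of sign-in records: it scopes to interactive sign-ins, measures the share where MFA was enforced, separates bypasses from accounts in the documented exception group from bypasses nobody approved, and derives a rating from that split. The record fields, the account names and the LEGACY_EXCEPTIONS set are assumptions standing in for the SG-Legacy-Exceptions group membership; the rating heuristic is illustrative rather than the course's scale.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample sign-in records (not real telemetry). The field names
# loosely mirror sign-in log columns: "legacy" marks legacy-protocol
# authentication, the path by which a client can land outside an MFA policy
# that only covers modern authentication.
SAMPLE_SIGNINS = [
    {"user": "alice@example.test", "interactive": True, "legacy": False, "mfa": True},
    {"user": "bob@example.test", "interactive": True, "legacy": False, "mfa": True},
    {"user": "carol@example.test", "interactive": True, "legacy": False, "mfa": True},
    {"user": "dave@example.test", "interactive": True, "legacy": False, "mfa": True},
    {"user": "alice@example.test", "interactive": True, "legacy": False, "mfa": True},
    {"user": "erin@example.test", "interactive": True, "legacy": False, "mfa": True},
    {"user": "frank@example.test", "interactive": True, "legacy": False, "mfa": True},
    {"user": "grace@example.test", "interactive": True, "legacy": False, "mfa": True},
    {"user": "heidi@example.test", "interactive": True, "legacy": False, "mfa": True},
    {"user": "svc-backup@example.test", "interactive": True, "legacy": True, "mfa": False},
    # Non-interactive (token refresh) sign-in: excluded from the denominator,
    # matching the "interactive sign-ins" scope of the finding.
    {"user": "alice@example.test", "interactive": False, "legacy": False, "mfa": False},
]

# Stand-in for the membership of the SG-Legacy-Exceptions group (assumed names).
LEGACY_EXCEPTIONS = {"svc-backup@example.test", "svc-fax@example.test"}


@dataclass
class MfaCoverage:
    """Result of one evidence run: counts plus who bypassed MFA and why."""
    interactive_total: int
    mfa_enforced: int
    approved_bypasses: Counter = field(default_factory=Counter)
    unapproved_bypasses: Counter = field(default_factory=Counter)

    @property
    def coverage_pct(self) -> float:
        if self.interactive_total == 0:
            return 0.0
        return round(100 * self.mfa_enforced / self.interactive_total, 1)

    @property
    def bypass_pct(self) -> float:
        return round(100 - self.coverage_pct, 1) if self.interactive_total else 0.0


def assess_mfa_coverage(signins, exception_group) -> MfaCoverage:
    """Walk the records once; only interactive sign-ins count toward coverage."""
    report = MfaCoverage(interactive_total=0, mfa_enforced=0)
    for rec in signins:
        if not rec["interactive"]:
            continue
        report.interactive_total += 1
        if rec["mfa"]:
            report.mfa_enforced += 1
        elif rec["user"] in exception_group:
            # Documented exception: managed risk, still reported so it can expire.
            report.approved_bypasses[rec["user"]] += 1
        else:
            # Nobody approved this bypass: an unmanaged gap in the control.
            report.unapproved_bypasses[rec["user"]] += 1
    return report


def risk_rating(report: MfaCoverage) -> str:
    """Illustrative heuristic (assumed, not the course's rating scale)."""
    if report.unapproved_bypasses:
        return "High"
    if report.approved_bypasses:
        return "Low"
    return "None"


def format_finding(report: MfaCoverage) -> str:
    """Render the evidence in the same shape as the posture assessment text."""
    approved = sorted(report.approved_bypasses)
    unapproved = sorted(report.unapproved_bypasses)
    lines = [
        f"Finding: {report.coverage_pct}% of interactive sign-ins enforced MFA. "
        f"{report.bypass_pct}% bypassed.",
        f"Documented exceptions ({len(approved)}): {', '.join(approved) or 'none'}",
        f"Undocumented bypasses ({len(unapproved)}): {', '.join(unapproved) or 'none'}",
        f"Risk rating: {risk_rating(report)}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_finding(assess_mfa_coverage(SAMPLE_SIGNINS, LEGACY_EXCEPTIONS)))
```

Running the same function with an empty exception group turns the service-account bypass into an undocumented one and the rating flips to High, which is the point of keeping the exception register next to the evidence query: the number alone (90% here, 98.7% on the page) says nothing about whether the gap is governed.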

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use templates, frameworks, and queries in your professional work. You may not redistribute course content or share account credentials.

No legal advice: Compliance and regulatory content is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 1.0  |  Last updated: 2026

2026 — v1.0: Complete course. 17 modules (G0–G16) across 4 phases. 62 KQL verification queries. Five frameworks: ISO 27001, NIST CSF 2.0, SOC 2, GDPR, CMMC.

This course is actively maintained as regulatory requirements evolve.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes | 3 phases | 100 points | 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.