Course Structure and Module Map

30-45 minutes · Module 0 · Free
What you already know
You know the three practitioner paths from Section 0.2. This section maps the full course architecture, so you can identify which modules address the specific gaps in your current capability and build a study sequence that matches your priorities.

Scenario

Your organization needs ISO 27001 certification within twelve months and GDPR compliance before then. You also need to report risk posture to the board quarterly. You have 17 modules in front of you. You don't have time for all of them immediately. You need to know which modules are prerequisites, which are optional, and which to prioritize based on your deadlines.

Four phases, seventeen modules

The course is organized into four phases. Phases 1 and 2 are sequential: foundations and risk management build on each other, and every later module assumes you have completed them. Phase 3 is selective: you choose the compliance frameworks relevant to your organization and skip the rest. Phase 4 is priority-based: complete the governance operations modules in whatever order matches your immediate needs.

PRACTICAL GRC — FOUR-PHASE COURSE ARCHITECTURE

Phase 1: Foundations (sequential, complete in order): G0 Introduction, G1 What GRC Is, G2 Policy Framework
Phase 2: Risk Management (sequential, depends on Phase 1): G3 Risk Assessment, G4 Risk Treatment, G5 Risk Monitoring
Phase 3: Frameworks (selective, choose your frameworks): G6 ISO 27001, G7 NIST CSF 2.0, G8 SOC 2, G9 GDPR, G10 CMMC
Phase 4: Operations (priority-based, any order by need): G11 Awareness, G12 Audit Mgmt, G13-G16 Leadership

Artifact progression: Policy framework → Risk register → Control mapping → Compliance evidence → Audit program → Board reports → Operating model

Figure 0.3: Four-phase course architecture. Phases 1-2 are sequential. Phase 3 is selective (choose your frameworks). Phase 4 is priority-based (complete by immediate need). The artifact progression builds layer by layer.

Phase 1: Foundations (G0-G2)

These three modules establish the conceptual and structural foundations that every subsequent module builds on. Skipping them makes the framework modules feel disconnected from practical reality.

G0: Course Introduction (this module). Course structure, practitioner profiles, prerequisites, and learning methodology. The orientation that frames everything that follows.

G1: What GRC Actually Is, and Why It Fails. The governance-risk-compliance triad as an operating system. The four failure modes: compliance theatre, documentation theatre, tool dependence, and audit-driven security. What a working GRC program looks like versus performative governance. Organizational positioning of GRC: where it sits, who it reports to, why reporting lines determine effectiveness. Regulatory drivers: legal obligation, customer requirement, insurance requirement, competitive advantage, and risk reduction. Module 1 includes the GRC maturity self-assessment that establishes your starting baseline.

G2: Building the Policy Framework. Policy as executable governance. The policy hierarchy: governing policies, standards, procedures, and guidelines. Writing policies that people actually follow: clear language, specific requirements, measurable compliance criteria, and defined exception processes. The policy lifecycle from drafting through review, approval, communication, implementation, monitoring, and retirement. Version control and change management for governance documents. Mapping policies to the controls that enforce them and the regulations they satisfy.

Phase 2: Risk Management (G3-G5)

Risk management is the engine. Without a functioning risk management capability, compliance becomes a checkbox exercise and governance becomes bureaucracy. These three modules are sequential: G3 builds the assessment methodology, G4 applies it to control selection, and G5 connects both to ongoing monitoring.

G3: Risk Assessment Methodology. Threat identification for your organization's specific context. Likelihood and impact scoring: calibrating scales so the scores mean something. Risk appetite: helping leadership articulate how much risk they're willing to accept. Quantitative versus qualitative methods: when to use each and why most organizations need both. Building the risk register that drives every decision from this point forward. The risk assessment workshop: how to run one that produces actionable output rather than a spreadsheet nobody references.

G4: Risk Treatment and Controls. The four treatment options: mitigate, transfer, accept, and avoid. Control selection: mapping available controls to identified risks. Control mapping to compliance frameworks: one control can satisfy requirements across ISO 27001, NIST CSF, and SOC 2 simultaneously. The Statement of Applicability: the document that connects your risk assessment to your framework compliance. Control testing: verifying that implemented controls actually work, not just that they exist.

G5: Risk Monitoring and Reporting. Risk dashboard design: what to measure, how to present it, who needs to see it. Key risk indicator (KRI) tracking: leading indicators that predict risk changes before incidents occur. Risk reporting cadence: aligning reporting frequency to audience needs. Communicating risk in business language: translating technical findings into investment decisions. The connected risk register: where operational data feeds risk scores automatically so the register stays current without manual intervention.

Phase 3: Framework Implementation (G6-G10)

Five modules covering the major compliance frameworks practitioners encounter. These modules are independent of each other. Choose the frameworks your organization requires and skip the rest. Each module applies the risk management methodology from Phase 2 to the specific framework requirements.

G6: ISO 27001. Implementing an ISMS from scoping through certification. The clause-by-clause walkthrough of ISO 27001:2022. Annex A control selection methodology: which of the 93 controls apply and why. The certification audit: Stage 1, Stage 2, and surveillance. Evidence preparation for each clause. The gap analysis that becomes your implementation roadmap.

G7: NIST CSF 2.0. The six functions (Govern, Identify, Protect, Detect, Respond, Recover). Implementation tiers and organizational profiles. The gap analysis methodology. Using CSF as an organizing framework when the organization isn't pursuing formal certification but needs structured security governance.

G8: SOC 2. Trust Service Criteria. Type I versus Type II: what each proves and when each is appropriate. Evidence preparation and the audit lifecycle. The system description: what to include and how to write it. Managing the SOC 2 audit relationship.

G9: GDPR and Privacy Regulation. Data protection principles applied to operational security. Data Protection Impact Assessments (DPIAs): when they're required and how to conduct them. Breach notification: the 72-hour timeline and what it requires operationally. Building the privacy program that integrates with the broader GRC function.

G10: CMMC 2.0. The three maturity levels. Practice requirements for Level 2 (110 practices from NIST SP 800-171). Assessment methodology. The defense contractor compliance pathway: from self-assessment through C3PAO certification.

Phase 4: Governance Operations (G11-G16)

Six modules building the operational capability that sustains the GRC program. Without these, the frameworks implemented in Phase 3 decay within twelve months. Complete in any order based on your immediate priorities. If an audit is imminent, start with G12. If budget approval is the immediate need, start with G13.

G11: Security Awareness. Designing an awareness program that changes behavior, not one that produces completion percentages. Phishing simulation: what the data tells you and what it doesn't. Role-based training for developers, finance, executives, and IT. Behavioral metrics that correlate with incident data. Building a security culture that sustains itself.

G12: Audit Management. Internal audit program design. Managing external audits: preparation, evidence packaging, auditor management, and finding response. The audit finding lifecycle from identification through corrective action to closure. Continuous auditing and monitoring: using automated evidence to reduce the audit burden. Planning audits across multiple frameworks without auditor fatigue.

G13: GRC Leadership. Translating security risk into business language. Board reporting: what boards want to know, what they don't understand, and how to present risk without creating panic or complacency. Committee structures: risk committee, audit committee, and information security steering committee. Building the business case for security investment. The quarterly risk report and annual strategy presentation.

G14: Regulatory Change Management. Monitoring, assessing, and implementing regulatory changes without disruption. Impact assessment methodology. The regulatory change register. Horizon scanning for upcoming requirements: NIS2, DORA, EU AI Act, SEC cybersecurity rules.

G15: Building and Operating the GRC Function. Organizational design: centralized, federated, and hybrid models. Staffing, skills, and career paths. GRC platform evaluation and selection criteria. The operating rhythm: daily, weekly, monthly, quarterly, and annual cycles. Integrating GRC with security operations.

G16: Sector-Specific Governance. Financial services (FCA, PRA, DORA). Healthcare (NHS DSPT, HIPAA). Critical infrastructure (NIS2, CAF). Corporate governance intersections. Cyber insurance requirements and how GRC maturity affects premiums.

Study paths and time commitment

The full course at five to eight hours per week takes ten to sixteen weeks if you complete all framework modules, seven to ten weeks if you select two or three frameworks. Plan for approximately 36 to 42 hours of study if you build every artifact.

Most learners don't complete every module. There are three common study paths, one for each practitioner profile: security practitioners prioritize G2-G5 and G12-G13 (policy, risk, audit, leadership reporting); GRC professionals prioritize G3-G5 and G11-G12 (risk methodology, awareness, audit management); IT managers building the program from scratch complete the full sequence.

GRC Principle

Phase 3 modules are independent of each other but all depend on Phase 2. You can implement ISO 27001 without studying SOC 2. You cannot implement either without a risk assessment methodology. The risk register from G3 is the foundation for every framework's Statement of Applicability, gap analysis, and control selection. Build the engine before choosing the framework.

Next
Section 0.4 covers prerequisites (one required) and the tools you need. GRC is the most accessible course on the platform because it requires operational thinking rather than deep technical expertise.