
GRC Study Plan

This page is maintained from jassics/security-study-plan/grc-study-plan

A detailed study plan for Governance, Risk, and Compliance (GRC) professionals and beginners. Pair it with the site's own GRC Overview, ISO/IEC 27001, NIST RMF, and NIST CSF pages for the framework deep dives.

Introduction to GRC

GRC is an initialism for Governance, Risk, and Compliance, but the reality is much more: it's the integrated set of capabilities that let an organization reliably achieve objectives, address uncertainty, and act with integrity.

  • Governance - the framework and processes that align strategies, objectives, and risks with organizational goals (policies, procedures, decision-making structures).
  • Risk Management - identifying, assessing, and mitigating risks that could impact objectives (risk assessment, control, monitoring).
  • Compliance - adherence to laws, regulations, standards, and internal policies (audits, monitoring, reporting).

Key Components

  • Governance Frameworks: COSO (internal control and enterprise risk management), COBIT (IT governance)
  • Risk Management Frameworks: ISO 31000, NIST SP 800-30 (risk assessment guide), NIST RMF (SP 800-37)
  • Compliance Frameworks (loosely named; most are obligations rather than frameworks): GDPR, HIPAA, SOX are laws and regulations you must comply with, ISO/IEC 27001 is a certifiable standard, and SOC 2 is an attestation report issued by an auditor, not a certification

This study plan focuses on: Governance & Oversight, Risk & Decision-Support, Security & Continuity, and Audit & Assurance.

ToC

  1. GRC Fundamentals - 2 weeks
  2. Governance and Policy - 2 weeks
  3. Risk Management Deep Dive - 2 weeks
  4. Compliance and Auditing - 2 weeks
  5. GRC Roles & Career Path
  6. Certifications
  7. Resources

GRC Fundamentals

Duration: 2 weeks

Week 1-2: Core Concepts

  • Governance - the framework/processes ensuring strategy, objectives, and risk stay aligned with goals
  • Risk Management - identifying, assessing, and mitigating risks to objectives
  • Compliance - adherence to laws, regulations, standards, and internal policy
  • Key Frameworks: Governance (COSO, COBIT), Risk (ISO 31000, NIST RMF), Compliance obligations and standards (GDPR, HIPAA, SOX as regulations; ISO/IEC 27001 as a certifiable standard)

Governance and Policy

Duration: 2 weeks

Week 3-4: Establishing Governance

  • Strategic Planning - aligning GRC efforts with organizational goals
  • Policy Development - crafting policies that support governance and compliance
  • Internal Controls - designing/implementing controls to mitigate risk
  • Roles & Responsibilities - Board, Management, Audit, Risk Owners

Risk Management Deep Dive

Duration: 2 weeks

Week 5-6: Risk Lifecycle

  • Risk Assessment - qualitative techniques (likelihood x impact heat maps, ordinal scales) vs. quantitative techniques (single loss expectancy x annualized rate of occurrence = annualized loss expectancy, loss distributions)
  • Risk Treatment - the four responses: Avoid, Accept, Transfer (insurance, contractual shifts), Mitigate (controls that reduce likelihood or impact); what is left after treatment is residual risk, which must sit within the organization's risk appetite
  • Incident Management - handling and recovering from risk events that materialize
  • Third-Party Risk Management (TPRM) - managing vendor/supplier risk
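The following is an added example, not code from the study plan or the jassics repository: it runs a small risk register through both a qualitative 5x5 scoring and a quantitative ALE (SLE x ARO) estimate, then maps each risk to Avoid / Mitigate / Transfer / Accept against a dollar risk appetite. The register entries, scales, dollar figures, control costs, the treatment rule and the Monte Carlo distributions are all constructed for illustration; the rule is one defensible way to make the call, not a standard.

```python
"""Qualitative vs. quantitative risk assessment and treatment selection.

Added example for the Risk Lifecycle section; not from the study plan.
Register, scales, dollar figures, appetite and distributions are constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # qualitative 1 (rare) .. 5 (almost certain)
    impact: int                # qualitative 1 (negligible) .. 5 (severe)
    aro: float                 # annualized rate of occurrence (events / year)
    sle: float                 # single loss expectancy (currency per event)
    control_cost: float        # annual cost of the candidate control
    control_reduction: float   # fraction of ALE the control removes (0..1)
    insurable: bool            # whether a transfer option (insurance/contract) exists


# --- Qualitative: likelihood x impact on a 5x5 heat map -------------------
def qualitative_score(risk: Risk) -> int:
    return risk.likelihood * risk.impact


def qualitative_band(risk: Risk) -> str:
    """Bands follow a common 5x5 matrix: >=15 high, 8..14 medium, else low."""
    score = qualitative_score(risk)
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# --- Quantitative: annualized loss expectancy and control value -----------
def ale(risk: Risk) -> float:
    """ALE = SLE x ARO, the classic single-point quantitative estimate."""
    return risk.sle * risk.aro


def residual_ale(risk: Risk) -> float:
    return ale(risk) * (1.0 - risk.control_reduction)


def control_net_value(risk: Risk) -> float:
    """ALE avoided by the control minus what the control costs per year."""
    return ale(risk) * risk.control_reduction - risk.control_cost


def choose_treatment(risk: Risk, appetite: float) -> str:
    """Avoid / Mitigate / Transfer / Accept against a dollar appetite.

    Rule (an assumption of this example): accept exposure within appetite;
    mitigate when the control pays for itself AND brings residual ALE within
    appetite; otherwise transfer if a transfer option exists, else avoid.
    """
    if ale(risk) <= appetite:
        return "accept"
    if control_net_value(risk) > 0 and residual_ale(risk) <= appetite:
        return "mitigate"
    if risk.insurable:
        return "transfer"
    return "avoid"


# --- Quantitative, one step further: simulate the annual loss distribution -
def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's algorithm; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(risk: Risk, years: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo: events/year ~ Poisson(ARO), loss/event ~ Triangular(0.5*SLE, SLE, 2*SLE).

    Returns the mean and 95th-percentile annual loss; the p95 is the tail
    that a single ALE number hides. Both distributions are assumptions.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        events = _poisson(risk.aro, rng)
        losses.append(sum(rng.triangular(0.5 * risk.sle, 2.0 * risk.sle, risk.sle)
                          for _ in range(events)))
    losses.sort()
    return {"mean": sum(losses) / years, "p95": losses[int(0.95 * years)]}


# Constructed register: figures are illustrative, not from any real assessment.
REGISTER = [
    Risk("Ransomware on file servers", 4, 5, 0.2, 500_000, 60_000, 0.95, True),
    Risk("Laptop theft, disk encrypted", 5, 1, 2.0, 2_000, 5_000, 0.5, False),
    Risk("Vendor SaaS outage > 1 day", 3, 3, 0.5, 40_000, 30_000, 0.9, True),
    Risk("Legacy app with no vendor patches", 4, 4, 1.0, 150_000, 200_000, 0.5, False),
]


def assess(register=REGISTER, appetite: float = 10_000) -> dict:
    """Per risk: qualitative band, ALE, and the chosen treatment."""
    return {r.name: (qualitative_band(r), round(ale(r)), choose_treatment(r, appetite))
            for r in register}


if __name__ == "__main__":
    for name, (band, exposure, treatment) in assess().items():
        print(f"{name:36s} {band:6s} ALE={exposure:>8,} -> {treatment}")
    tail = simulate_annual_loss(REGISTER[0])
    print(f"ransomware: ALE={ale(REGISTER[0]):,.0f} sim mean={tail['mean']:,.0f} p95={tail['p95']:,.0f}")
```

Two things worth noticing when you run it: the qualitative band and the ALE do not rank the risks the same way (the frequent but cheap laptop theft scores "low" and is accepted, while the high-band legacy application is avoided because no affordable control exists and nothing will insure it), and the simulated 95th percentile for ransomware is several times its ALE, which is the argument for using loss distributions rather than a single expected value when presenting risk to the board.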

Compliance and Auditing

Duration: 2 weeks

Week 7-8: Regulatory Landscape

  • Regulatory Knowledge - GDPR, HIPAA, PCI-DSS deep dive
  • Compliance Auditing - techniques for auditing and ensuring compliance
  • Reporting and Documentation - documenting and reporting compliance status

Integration and Technology

  • GRC Software - RSA Archer, MetricStream
  • Data Analytics - using data for risk assessments and compliance reporting

The Three Lines of Defense Model

  • First Line - operational management owns and manages risk day-to-day
  • Second Line - risk management/compliance functions set policy and monitor
  • Third Line - internal audit provides independent assurance

The IIA revised this as the "Three Lines Model" in 2020, dropping "of Defense" to stress that the lines collaborate on achieving objectives rather than only protecting against loss; both names still appear in job descriptions and interviews.

COSO & COBIT

  • COSO - internal controls, risk management, corporate governance across five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring
  • COBIT - governance/management of IT enterprise systems, aligning IT and business goals

Measuring GRC

Track metrics across each pillar rather than treating GRC as a checkbox:

  • Governance: policy adherence rate, decision-making efficiency, stakeholder engagement
  • Risk: risk identification rate, mitigation success, risk-appetite adherence
  • Compliance: compliance breach rate, audit findings, training completion rate
  • Incident Response: Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), incident recurrence rate
  • Program Efficiency: cost of compliance vs. non-compliance, GRC integration efficiency, technology utilization

GRC Roles & Career Path

Career Path Progression

Many GRC professionals start as GRC analysts or compliance officers and progress to GRC program managers, IT risk and compliance managers, or Chief Risk Officer as they gain experience and certifications.

Role | Focus | Typical Employers
--- | --- | ---
GRC Analyst | Risk assessments, monitoring, policy drafting | Banks, large enterprises, IT firms
Risk Management Specialist | Risk identification, mitigation strategy | Insurance, financial institutions, consulting
Compliance Officer | Regulatory adherence, compliance audits | Healthcare, banking, regulated industries
GRC Consultant | Advisory on GRC frameworks/programs | Big Four consulting firms
Internal Auditor | Auditing controls, reporting findings | Large corporations, government
GRC Program Manager | End-to-end GRC program ownership | Large enterprises, multinationals
IT Risk and Compliance Manager | IT-specific risk/compliance (GDPR, PCI-DSS, COBIT) | Tech, financial, healthcare
Chief Risk Officer (CRO) | Org-wide risk strategy, board reporting | Large enterprises
Chief Compliance Officer (CCO) | Org-wide compliance program ownership | Banks, healthcare, multinationals
Enterprise Risk Manager | Unified enterprise-wide risk approach | Large corporations, public sector
GRC Software Specialist | Administering GRC platforms | Large corporations, IT service providers

Certifications

For Beginners:

  • CRISC (Certified in Risk and Information Systems Control, ISACA) - risk management focus
  • CISA (Certified Information Systems Auditor, ISACA) - auditing, control, assurance

Note that ISACA awards both credentials only after documented work experience (three years for CRISC, five for CISA, with partial waivers); you can pass the exam first and certify once the experience is in place, so treat "beginner" as the order to study in, not as entry-level.

For Intermediate/Advanced:

  • CISSP - broad security principles including governance and risk
  • CGRC (Certified in Governance, Risk, and Compliance, ISC2; formerly CAP) - authorizing and maintaining information systems within a risk management framework

For Expert Level:

  • CRMA (Certified in Risk Management Assurance)
  • CISM (Certified Information Security Manager)

Resources

Books

  • Governance, Risk, and Compliance Handbook for Financial Services by J. J. Stone
  • Managing Risk in Information Systems by D. G. Peltier
  • The Complete Guide to Cybersecurity Risks and Controls by Anne Kohnke, et al.

Videos

Online Platforms

  • LinkedIn Learning, Pluralsight, Coursera/Udemy/Udacity/EdX - search for GRC fundamentals, risk management, compliance courses

Communities

  • ISACA - resources, forums, and events for GRC professionals
  • GRC Summit - annual networking and learning event
  • (ISC)² Community - meetups, training, guidance, job referrals

Interview Questions

Practice with the site's GRC interview questions, and check jassics/security-study-plan for the latest updates to this plan.