GRC Study Plan
This page is updated based on jassics/security-study-plan/grc-study-plan
A detailed study plan for Governance, Risk, and Compliance (GRC) professionals and beginners. Pair it with the site's own GRC Overview, ISO/IEC 27001, NIST RMF, and NIST CSF pages for the framework deep dives.
Introduction to GRC
GRC is an initialism for Governance, Risk, and Compliance, but the reality is much more: it's the integrated set of capabilities that let an organization reliably achieve objectives, address uncertainty, and act with integrity.
- Governance - the framework and processes that align strategies, objectives, and risks with organizational goals (policies, procedures, decision-making structures).
- Risk Management - identifying, assessing, and mitigating risks that could impact objectives (risk assessment, control, monitoring).
- Compliance - adherence to laws, regulations, standards, and internal policies (audits, monitoring, reporting).
Key Components
- Governance Frameworks: COSO, COBIT
- Risk Management Frameworks: ISO 31000, NIST SP 800-30, NIST RMF
- Compliance Frameworks: GDPR, HIPAA, SOX, ISO 27001, SOC
This study plan focuses on: Governance & Oversight, Risk & Decision-Support, Security & Continuity, and Audit & Assurance.
Table of Contents
- GRC Fundamentals - 2 weeks
- Governance and Policy - 2 weeks
- Risk Management Deep Dive - 2 weeks
- Compliance and Auditing - 2 weeks
- GRC Roles & Career Path
- Certifications
- Resources
GRC Fundamentals
Duration: 2 weeks
Week 1-2: Core Concepts
- Governance - the framework/processes ensuring strategy, objectives, and risk stay aligned with goals
- Risk Management - identifying, assessing, and mitigating risks to objectives
- Compliance - adherence to laws, regulations, standards, and internal policy
- Key Frameworks: Governance (COSO, COBIT), Risk (ISO 31000, NIST RMF), Compliance (GDPR, HIPAA, SOX, ISO 27001)
Governance and Policy
Duration: 2 weeks
Week 3-4: Establishing Governance
- Strategic Planning - aligning GRC efforts with organizational goals
- Policy Development - crafting policies that support governance and compliance
- Internal Controls - designing/implementing controls to mitigate risk
- Roles & Responsibilities - Board, Management, Audit, Risk Owners
Risk Management Deep Dive
Duration: 2 weeks
Week 5-6: Risk Lifecycle
- Risk Assessment - qualitative vs. quantitative techniques
- Risk Mitigation - choosing a response for each assessed risk: Avoid, Accept, Transfer, Mitigate
- Incident Management - handling and recovering from risk events
- Third-Party Risk Management (TPRM) - managing vendor/supplier risk
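The "qualitative vs. quantitative" distinction above is easiest to see on a small risk register. The following is an added illustration, not code from the jassics/security-study-plan project: it scores each risk on a 5x5 likelihood x impact matrix (qualitative) and as annualized loss expectancy, ALE = SLE x ARO (quantitative), then checks whether a proposed mitigating control is cost-justified. The register entries, rating bands, and cost figures are all constructed assumptions.

```python
"""Risk assessment worked example: qualitative (likelihood x impact) and
quantitative (ALE = SLE x ARO) scoring over a constructed risk register.
Added illustration; scales, thresholds and register entries are assumptions."""
from dataclasses import dataclass

# Rating bands for a 5x5 likelihood x impact matrix (assumed thresholds).
RATING_BANDS = [(5, "Low"), (10, "Medium"), (15, "High"), (25, "Critical")]


@dataclass
class Risk:
    id: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    sle: float        # single loss expectancy, currency units per event
    aro: float        # annualized rate of occurrence, events per year


def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact on the 5x5 matrix; rejects out-of-scale inputs."""
    for v in (risk.likelihood, risk.impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact


def qualitative_rating(score: int) -> str:
    """Map a matrix score to the rating band it falls in."""
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError("score out of range")


def annualized_loss_expectancy(risk: Risk) -> float:
    """Quantitative view: expected loss per year = SLE x ARO."""
    return risk.sle * risk.aro


def control_is_cost_justified(risk: Risk, residual_aro: float, annual_control_cost: float) -> bool:
    """A 'Mitigate' decision is justified when the ALE the control removes
    exceeds what the control costs each year (residual ARO is an estimate)."""
    before = annualized_loss_expectancy(risk)
    after = risk.sle * residual_aro
    return (before - after) > annual_control_cost


# Constructed register: three risks with deliberately different profiles.
REGISTER = [
    Risk("R-01", "Ransomware on file servers", 4, 5, 250_000, 0.2),
    Risk("R-02", "Laptop lost with unencrypted data", 3, 3, 20_000, 1.5),
    Risk("R-03", "Data centre flood", 1, 5, 2_000_000, 0.02),
]


def rank_register(register):
    """Return (id, rating, ALE) rows ordered by qualitative score, highest first."""
    ordered = sorted(register, key=qualitative_score, reverse=True)
    return [(r.id, qualitative_rating(qualitative_score(r)), annualized_loss_expectancy(r))
            for r in ordered]


if __name__ == "__main__":
    for row in rank_register(REGISTER):
        print(row)
    print("R-01 control justified at 30k/yr:",
          control_is_cost_justified(REGISTER[0], residual_aro=0.05, annual_control_cost=30_000))
```

Note how the two views disagree: R-03 rates "Low" on the matrix because it is rare, yet its ALE is higher than R-02's "Medium" risk. That gap is the reason quantitative techniques are taught alongside qualitative ones, and why a risk register should carry both numbers rather than a single colour.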
Compliance and Auditing
Duration: 2 weeks
Week 7-8: Regulatory Landscape
- Regulatory Knowledge - GDPR, HIPAA, PCI-DSS deep dive
- Compliance Auditing - techniques for auditing and ensuring compliance
- Reporting and Documentation - documenting and reporting compliance status
Integration and Technology
- GRC Software - RSA Archer, MetricStream
- Data Analytics - using data for risk assessments and compliance reporting
The Three Lines of Defense Model
- First Line - operational management owns and manages risk day-to-day
- Second Line - risk management/compliance functions set policy and monitor
- Third Line - internal audit provides independent assurance
COSO & COBIT
- COSO - internal controls, risk management, corporate governance across five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring
- COBIT - governance/management of IT enterprise systems, aligning IT and business goals
Measuring GRC
Track metrics across each pillar rather than treating GRC as a checkbox:
- Governance: policy adherence rate, decision-making efficiency, stakeholder engagement
- Risk: risk identification rate, mitigation success, risk-appetite adherence
- Compliance: compliance breach rate, audit findings, training completion rate
- Incident Response: Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), incident recurrence rate
- Program Efficiency: cost of compliance vs. non-compliance, GRC integration efficiency, technology utilization
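The incident response metrics listed above are only useful if they are computed the same way every period. The following is an added example, not part of the original plan: it derives MTTD, MTTR and a recurrence rate from a small constructed incident log, and handles the edge case of an incident that is still open (excluded from MTTR rather than counted as zero). The interval choices (occurred to detected for MTTD, detected to resolved for MTTR) and the recurrence definition (same root cause seen earlier in the period) are assumptions, since the page does not fix them.

```python
"""Incident response metrics (MTTD, MTTR, recurrence rate) from a constructed
incident log. Added illustration; records and metric definitions are assumptions."""
from datetime import datetime
from statistics import mean

# Constructed sample records: ISO-8601 timestamps (UTC) and a root-cause tag.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T10:00",
     "resolved": "2024-03-01T16:00", "cause": "phishing"},
    {"id": "INC-2", "occurred": "2024-03-05T02:00", "detected": "2024-03-06T02:00",
     "resolved": "2024-03-07T02:00", "cause": "misconfig"},
    {"id": "INC-3", "occurred": "2024-03-10T09:00", "detected": "2024-03-10T09:30",
     "resolved": "2024-03-10T12:30", "cause": "phishing"},
    {"id": "INC-4", "occurred": "2024-03-20T11:00", "detected": "2024-03-20T12:00",
     "resolved": None, "cause": "misconfig"},   # still open
]


def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def mttd_hours(incidents) -> float:
    """Mean hours from occurrence to detection, over every incident."""
    return mean(_hours(i["occurred"], i["detected"]) for i in incidents)


def mttr_hours(incidents):
    """Mean hours from detection to resolution. Open incidents are excluded,
    not counted as zero, so an unresolved breach cannot flatter the average."""
    closed = [i for i in incidents if i["resolved"]]
    if not closed:
        return None
    return mean(_hours(i["detected"], i["resolved"]) for i in closed)


def recurrence_rate(incidents) -> float:
    """Share of incidents whose root cause already appeared earlier in the
    period (assumed definition), processed in order of occurrence."""
    seen, repeats = set(), 0
    for i in sorted(incidents, key=lambda i: i["occurred"]):
        if i["cause"] in seen:
            repeats += 1
        seen.add(i["cause"])
    return repeats / len(incidents)


def scorecard(incidents) -> dict:
    """One row of the incident-response pillar for a GRC dashboard."""
    return {
        "incidents": len(incidents),
        "open": sum(1 for i in incidents if not i["resolved"]),
        "mttd_hours": round(mttd_hours(incidents), 2),
        "mttr_hours": round(mttr_hours(incidents), 2),
        "recurrence_rate": round(recurrence_rate(incidents), 2),
    }


if __name__ == "__main__":
    print(scorecard(INCIDENTS))
```

A recurrence rate of 0.5 on this sample is the metric doing its job: two of four incidents share a root cause with an earlier one, which points at a control that was never fixed rather than at detection or response speed.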
GRC Roles & Career Path
Career Path Progression
Many GRC professionals start as GRC analysts or compliance officers and progress to GRC program managers, IT risk and compliance managers, or Chief Risk Officer as they gain experience and certifications.
| Role | Focus | Typical Employers |
|---|---|---|
| GRC Analyst | Risk assessments, monitoring, policy drafting | Banks, large enterprises, IT firms |
| Risk Management Specialist | Risk identification, mitigation strategy | Insurance, financial institutions, consulting |
| Compliance Officer | Regulatory adherence, compliance audits | Healthcare, banking, regulated industries |
| GRC Consultant | Advisory on GRC frameworks/programs | Big Four consulting firms |
| Internal Auditor | Auditing controls, reporting findings | Large corporations, government |
| GRC Program Manager | End-to-end GRC program ownership | Large enterprises, multinationals |
| IT Risk and Compliance Manager | IT-specific risk/compliance (GDPR, PCI-DSS, COBIT) | Tech, financial, healthcare |
| Chief Risk Officer (CRO) | Org-wide risk strategy, board reporting | Large enterprises |
| Chief Compliance Officer (CCO) | Org-wide compliance program ownership | Banks, healthcare, multinationals |
| Enterprise Risk Manager | Unified enterprise-wide risk approach | Large corporations, public sector |
| GRC Software Specialist | Administering GRC platforms | Large corporations, IT service providers |
Certifications
For Beginners:
- CRISC (Certified in Risk and Information Systems Control) - risk management focus
- CISA (Certified Information Systems Auditor) - auditing, control, assurance
For Intermediate/Advanced:
- CISSP - broad security principles including governance and risk
- CGRC (Certified in Governance, Risk, and Compliance)
For Expert Level:
- CRMA (Certified in Risk Management Assurance)
- CISM (Certified Information Security Manager)
Resources
Books
- Governance, Risk, and Compliance Handbook for Financial Services by J. J. Stone
- Managing Risk in Information Systems by D. G. Peltier
- The Complete Guide to Cybersecurity Risks and Controls by Anne Kohnke, et al.
Videos
- Practical GRC Series: Part 1 by Prabh Nair
- Practical GRC Series: Part 2 by Prabh Nair
Online Platforms
- LinkedIn Learning, Pluralsight, Coursera/Udemy/Udacity/EdX - search for GRC fundamentals, risk management, compliance courses
Communities
- ISACA - resources, forums, and events for GRC professionals
- GRC Summit - annual networking and learning event
- (ISC)² Community - meetups, training, guidance, job referrals
Useful Links
- Interview Questions - practice with GRC interview questions
- jassics/security-study-plan - the latest updates to this plan