// CYBERSECURITY EDUCATION
GRC
Governance, Risk and Compliance. The strategic layer of cybersecurity that every organisation needs and most students overlook. Learn it here.
What is GRC?
GRC stands for Governance, Risk and Compliance. It is the strategic layer of cybersecurity. While technical security teams handle day-to-day threats, GRC makes sure the organisation has the right structure, understands its risks and can prove its controls are working.
Governance
Who is responsible? What are the rules?
Security policies, defined roles, management accountability. Without governance, security has no strategy behind it.
Risk
What could go wrong? How bad?
Identify threats, score them by likelihood and impact, decide what to fix first. Not everything can be fixed at once.
Compliance
Are controls working? Can we prove it?
Meet the requirements of ISO 27001, NIST CSF, GDPR. Show in an audit that you actually do what the policy says.
Risk scoring
Every risk gets a score: likelihood × impact. The score tells you what to fix first. Click a real-world scenario or move the sliders yourself.
Example scenarios: phishing attack, unpatched systems, insider threat, lost laptop, SQL injection, DDoS attack.
Score 1-4: Low. Accept or monitor.
Score 5-9: Medium. Fix within 90 days.
Score 10-16: High. Fix within 30 days.
Score 17-25: Critical. Fix immediately.
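As an added example (not code from the page), here is the legend above as a small prioritisation routine: each factor is assumed to run from 1 to 5, which is what a 1-25 score range implies, and the likelihood and impact values given to the six scenarios are constructed sample inputs, not figures from the page.

```python
"""Risk scoring per the page's legend: score = likelihood x impact.
Added example, not the page's code. A 1-5 scale per factor is assumed
from the legend's 1-25 range; the scenario values are constructed."""
from dataclasses import dataclass

# Legend from the page: (lower bound, upper bound, band, action)
BANDS = [
    (1, 4, "Low", "Accept or monitor"),
    (5, 9, "Medium", "Fix within 90 days"),
    (10, 16, "High", "Fix within 30 days"),
    (17, 25, "Critical", "Fix immediately"),
]

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) to 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) to 5 (severe); assumed scale

    @property
    def score(self) -> int:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1-5")
        return self.likelihood * self.impact

def classify(score: int) -> tuple[str, str]:
    """Map a score to (band, action) using the page's legend."""
    for low, high, band, action in BANDS:
        if low <= score <= high:
            return band, action
    raise ValueError(f"score {score} outside 1-25")

def prioritise(register: list[Risk]) -> list[tuple[str, int, str, str]]:
    """(name, score, band, action) rows, highest score first: the fix order."""
    rows = [(r.name, r.score, *classify(r.score)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register using the page's six scenarios.
SAMPLE_REGISTER = [
    Risk("Phishing attack", 5, 3),
    Risk("Unpatched systems", 4, 5),
    Risk("Insider threat", 2, 4),
    Risk("Lost laptop", 3, 3),
    Risk("SQL injection", 2, 5),
    Risk("DDoS attack", 3, 2),
]
if __name__ == "__main__":
    for name, score, band, action in prioritise(SAMPLE_REGISTER):
        print(f"{score:>2}  {band:<8} {action:<18} {name}")
```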
Compliance frameworks
Frameworks are the standards organisations measure themselves against. GRC analysts work with them daily — selecting controls, assessing gaps and preparing for audits.
ISO 27001 is the international standard for information security management. Organisations get certified by passing an external audit. It is the most widely recognised security certification globally and appears in almost every GRC job description.
Organisational controls
Security policies, roles and responsibilities, risk management and supplier relationships. The governance foundation.
People controls
Screening, security awareness training, disciplinary processes and offboarding. People are the most common attack vector.
Physical controls
Building access, equipment protection, clean desk policies and physical media. Often overlooked but essential.
Technological controls
Authentication, access rights, encryption, logging, vulnerability management and software security. 34 controls in this category alone.
NIST CSF 2.0 organises security into six core functions. It is flexible, widely referenced in the US and increasingly globally. Version 2.0 added the Govern function in 2024.
Govern
New in 2.0. Sets the organisational context, risk strategy, roles and cybersecurity policies. Everything else builds on this.
Identify
Know your assets and risks. You cannot protect what you do not know about.
Protect
Access control, training, data security, platform security. Controls that reduce impact.
Detect
Continuous monitoring and alerting. Earlier detection means less damage.
Respond
Incident response planning, communications, containment. What happens when a threat is confirmed.
Recover
Restoring operations and learning from incidents. Resilience over time.
GDPR applies to any organisation handling EU residents' data, regardless of where it is based. Fines can reach 4% of global annual revenue.
Lawful basis for processing
Every use of personal data needs a documented legal reason. Consent, contract, legal obligation, vital interests, public task or legitimate interests.
Data subject rights
Individuals can access, correct, delete and move their data. Organisations must respond within 30 days.
72-hour breach notification
A personal data breach must be reported to the supervisory authority within 72 hours of becoming aware. This is a hard deadline.
Data Protection Officer
Certain organisations must appoint a DPO. They oversee GDPR compliance and act as the contact for regulators.
Build a security policy
Click each section to add it to your policy. Watch it build in real time. This is exactly what a GRC analyst does when setting up a programme from scratch.
Access Control
Who can access what, and under what conditions. Covers least privilege and account lifecycle.
Patch Management
How and when security updates are applied. Defines timelines and ownership.
Incident Response
What to do when something goes wrong. Who responds and how findings are documented.
Data Handling
How sensitive data is stored, transmitted and disposed of.
Physical Security
Workstation locking, clean desk policy and visitor access.
ISO 27001 compliance checklist
Work through this checklist to see compliance coverage. Each item is a real ISO 27001 requirement. In a real audit, every unchecked item is a finding.
Security policies documented and approved by management
The foundation of ISO 27001. Without written, approved policies you have no governance baseline to audit against.
Roles and responsibilities for security defined
Everyone knows who is responsible for what. Security cannot be everyone's responsibility and nobody's at the same time.
Risk assessment conducted and risk register maintained
Risks identified, scored and documented. Everything in ISO 27001 flows from understanding your risks first.
Access control policy implemented with least privilege
Users only have access to what they need. Access reviewed regularly and removed when no longer required.
Sensitive data encrypted at rest and in transit
Cryptographic controls applied to data that matters. Keys managed securely and rotation in place.
Security awareness training provided to all staff
People are still the most exploited attack vector. Training is one of the most cost-effective controls available.
Vulnerability management in place with patch timelines
Systems scanned regularly. Critical patches applied within defined deadlines. Unpatched systems remain the primary ransomware entry point.
Security logging active and log integrity protected
Events are recorded, retained and reviewed. Without logs there is nothing to investigate when something goes wrong.
Incident response plan documented and tested
The organisation knows exactly what to do when an incident occurs. Tested in practice, not just written down.
Business continuity and recovery plans in place
Backups taken and tested. Recovery time objectives defined. The organisation can survive a significant incident.