Who is this cybersecurity GRC course for?

Career changers from internal audit, IT operations, or legal-adjacent roles entering cybersecurity GRC; junior GRC analysts and compliance specialists; cybersecurity practitioners moving from technical roles into program management; sales engineers at GRC platform vendors; information security officers preparing for CISA, CISM, or CRISC.

What primary sources does this cybersecurity GRC course cite?

NIST CSF 2.0 (NIST 2024), NIST SP 800-53 Rev. 5 (Joint Task Force 2020), NIST SP 800-37 Rev. 2 RMF (Joint Task Force 2018), NIST SP 800-53A Rev. 4 (Joint Task Force 2014), NIST SP 800-161 Rev. 1 C-SCRM (Boyens et al. 2022), HIPAA Security Rule (45 CFR Parts 160 and 164), PCI DSS v4.0 (PCI SSC 2022), AICPA Trust Services Criteria TSP 100 (2017), FedRAMP Rev. 5 (GSA 2023), EU GDPR (Regulation 2016/679), Shared Assessments SIG, CSA CAIQ v4, BLS OES May 2024, ISC2 Workforce Study 2024, ISACA State of Cybersecurity 2024.

Will this cybersecurity GRC course prepare me for CISA, CISM, or CRISC?

It is a primary-source-grounded primer that covers the same frameworks all three ISACA exams test against. Pair the course with ISACA's official review manuals and practice questions for full exam coverage. The course is most useful before sitting CISA, when foundational framework fluency matters most.

Is this course only for US-regulated roles?

No. The course covers EU GDPR explicitly and includes the cross-border patterns that GRC analysts encounter at multinational organizations. NIST frameworks are widely adopted internationally even outside US-regulated contexts; ISO/IEC 27001 alignment is referenced where relevant.

How long does the course take to complete?

Roughly 16 hours of focused study across 6 modules. Most learners complete it in 8 to 10 weeks at 2 to 4 hours per week. Self-paced; no live sessions.

Primary-source-grounded cybersecurity course

GRC and Compliance Fundamentals

A primary-source-grounded six-module path into governance, risk, and compliance work: NIST CSF 2.0, the Risk Management Framework, the major regulatory regimes (HIPAA, PCI DSS, SOC 2, FedRAMP, GDPR), and the GRC career ladder.

6 modules16 hours$197 one-timeNIST + AICPA + regulatory text sourced

What this cybersecurity course is

GRC and Compliance Fundamentals is a 6-module cybersecurity course for analysts entering governance, risk, and compliance work or pivoting from internal audit, IT operations, or legal-adjacent roles. Every module is grounded in primary-source frameworks rather than vendor white papers. Topics cover NIST Cybersecurity Framework version 2.0 (NIST 2024), the NIST Risk Management Framework in SP 800-37 Revision 2 (Joint Task Force 2018), the canonical control catalog in NIST SP 800-53 Revision 5 (Joint Task Force 2020), the major regulatory regimes a GRC analyst will encounter (HIPAA Security Rule, PCI DSS v4.0, SOC 2 Trust Services Criteria, FedRAMP Rev. 5, EU GDPR), and how to write the working artifacts of the role: a control narrative, a risk register entry, an audit response, and a third-party risk assessment. Designed by Julian Calvo, Ed.D. in Applied Learning Sciences (University of Miami, 2026), with reference to his master's-level work in policy and program management at Barry University.

The course sequences six modules around the GRC operational lifecycle: framework selection, control implementation, risk assessment, audit, monitoring, and improvement. Each module pairs a primary-source standard with a hands-on artifact: read the standard, draft the control narrative or risk register row, mark up a sample audit response. The pedagogical pattern follows Knowles' andragogy (1970), Mezirow's transformative learning (1991), and the Dreyfus skill acquisition model (1980): adults learn GRC fastest by working real artifacts against an authoritative standard rather than by reading the standard cover-to-cover first. Every claim cites NIST, the regulatory text itself, AICPA Trust Services Criteria, BLS, ISC2, or peer-reviewed research. No vendor compliance-platform marketing.

Six modules

Module 01 · 130 min
Frameworks and the CSF as the Organizing Spine
What a cybersecurity framework is, why the NIST Cybersecurity Framework version 2.0 is the most-adopted organizing structure in US enterprise GRC, and how to read it as a working tool rather than as marketing.
Learning objectives
- Cite the six functions of NIST Cybersecurity Framework v2.0 (Govern, Identify, Protect, Detect, Respond, Recover) and explain what each contains
- Map the CSF to a control catalog (NIST SP 800-53 Rev. 5) and identify why frameworks need control catalogs to be operational
- Distinguish frameworks (NIST CSF, ISO/IEC 27001, COBIT 2019) from regulations (HIPAA, PCI DSS, GDPR, SOC 2) in a way that survives an interview question
Module 02 · 140 min
The Risk Management Framework: NIST SP 800-37 in Practice
The seven-step Risk Management Framework, what each step produces, and how to write the working documents (System Security Plan, Risk Assessment Report, POA&M) that a federal or enterprise auditor expects to see.
Learning objectives
- Cite the seven steps of NIST SP 800-37 Rev. 2 (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) and the deliverable each step produces
- Write a one-paragraph control narrative for a SP 800-53 control of your choice that would survive an auditor's review
- Distinguish the System Security Plan (SSP), the Security Assessment Report (SAR), and the Plan of Action and Milestones (POA&M)
Module 03 · 160 min
Regulatory Regimes: HIPAA, PCI DSS, SOC 2, FedRAMP, GDPR
What each regulation actually requires, how scope is defined, and what the GRC analyst's daily work looks like under each regime.
Learning objectives
- Cite the HIPAA Security Rule's three safeguard categories (Administrative, Physical, Technical) and identify which department of HHS enforces them
- Distinguish PCI DSS v4.0 scope (cardholder data environment, CDE), the four merchant levels, and the difference between a Self-Assessment Questionnaire and a Report on Compliance
- Summarize SOC 2 Trust Services Criteria from AICPA TSP 100 and explain when a SOC 2 Type 2 report is required versus a SOC 2 Type 1
- Identify the seven principles of GDPR (lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability)
Module 04 · 110 min
Third-Party Risk and the Vendor Questionnaire
Why supply-chain risk is the fastest-growing GRC category, what the SIG questionnaire and the CAIQ try to capture, and how to write a third-party risk assessment that holds up under audit.
Learning objectives
- Cite NIST SP 800-161 Rev. 1 (Cybersecurity Supply Chain Risk Management) and explain its relationship to NIST CSF v2.0's Govern function
- Distinguish the Shared Assessments SIG questionnaire and the CSA Consensus Assessments Initiative Questionnaire (CAIQ)
- Write a third-party risk-tier classification (low / moderate / high / critical) and the controls each tier requires
Module 05 · 120 min
Audit Evidence and the Control Narrative Discipline
What auditors actually test, how to assemble an evidence library that survives an unannounced sample request, and the tone discipline that makes a GRC analyst credible in fieldwork.
Learning objectives
- Distinguish design-effectiveness testing from operating-effectiveness testing per AICPA and NIST SP 800-53A
- Build an evidence library for a given control family (AU Audit and Accountability is a good first pick) that survives a sample request
- Apply the principle of 'concrete, falsifiable, traceable' to a real control narrative and identify what would fail an auditor
Module 06 · 100 min
The GRC and Compliance Career Trajectory
What the GRC analyst, GRC senior analyst, GRC manager, and CISO-track ladder looks like, the credentials hiring managers price into the offer, and what BLS, ISC2, and ISACA data say about compensation.
Learning objectives
- Distinguish GRC analyst, senior GRC analyst, GRC manager, and CISO-track roles by daily decisions and credentials
- Cite BLS OES 2024, ISC2 2024, and ISACA 2024 data on GRC and compliance compensation
- Build a 12-month plan from current state to a target GRC role with credentialed milestones (Security+, CISA, CISM, CRISC)

Target audience

Career changers from internal audit, IT operations, or legal-adjacent work entering cybersecurity GRC
Junior GRC analysts and compliance specialists who need a primary-source-grounded reference for the major frameworks
Cybersecurity practitioners moving from technical roles into program management and policy
Sales engineers at GRC platform vendors who need fluency in the regulatory regimes their software supports
Information security officers preparing for the CISA, CISM, or CRISC examinations

Prerequisites

Working comfort with reading standards documents (NIST SPs, ISO summaries, regulatory text)
Basic understanding of cybersecurity terminology (firewalls, IAM, encryption-at-rest)
Willingness to commit 8 to 10 weeks of 4 to 6 hours per week study
Familiarity with one or more enterprise operating environments (cloud-native, on-prem, hybrid)

Sources

NIST Cybersecurity Framework 2.0 (CSF v2.0) — NIST (2024). Public-domain US Government work.
NIST SP 800-53 Rev. 5: Security and Privacy Controls — Joint Task Force (2020). Public-domain.
NIST SP 800-37 Rev. 2: Risk Management Framework — Joint Task Force (2018). Public-domain.
NIST SP 800-53A Rev. 4: Assessment Procedures — Joint Task Force (2014). Public-domain.
NIST SP 800-161 Rev. 1: C-SCRM Practices — Boyens et al. (2022). Public-domain.
HIPAA Security Rule (45 CFR Parts 160, 164) — U.S. Department of Health and Human Services.
PCI DSS v4.0 — PCI Security Standards Council (2022).
AICPA Trust Services Criteria (TSP 100) — American Institute of CPAs (2017).
FedRAMP Rev. 5 Baselines — U.S. General Services Administration (2023).
EU GDPR (Regulation 2016/679) — European Parliament and Council (2016).
BLS OES May 2024: Information Security Analysts (15-1212) — U.S. Bureau of Labor Statistics.
ISC2 Cybersecurity Workforce Study 2024 — Workforce gap and compensation by tier and region.

Disclaimer

This course is for educational purposes only. It does not constitute legal advice, regulatory interpretation, or a substitute for engagement with a qualified compliance counsel, certified public accountant, or licensed information security auditor. Regulatory text changes; readers should consult primary sources for currency. NIST and US Government materials are public works. ISO/IEC standards referenced here are summarized for educational purposes; readers must purchase the standards from ISO for working use. PCI DSS is a trademark of the PCI Security Standards Council; SOC 2 is a trademark of the AICPA; HIPAA is administered by the US Department of Health and Human Services; FedRAMP is administered by the US General Services Administration. DecipherU is not affiliated with any standards body or regulatory agency.

What this cybersecurity course is

Six modules

Module 01 · 130 min

Frameworks and the CSF as the Organizing Spine

What a cybersecurity framework is, why the NIST Cybersecurity Framework version 2.0 is the most-adopted organizing structure in US enterprise GRC, and how to read it as a working tool rather than as marketing.

Learning objectives

Cite the six functions of NIST Cybersecurity Framework v2.0 (Govern, Identify, Protect, Detect, Respond, Recover) and explain what each contains
Map the CSF to a control catalog (NIST SP 800-53 Rev. 5) and identify why frameworks need control catalogs to be operational
Distinguish frameworks (NIST CSF, ISO/IEC 27001, COBIT 2019) from regulations (HIPAA, PCI DSS, GDPR, SOC 2) in a way that survives an interview question

Module 02 · 140 min

The Risk Management Framework: NIST SP 800-37 in Practice

The seven-step Risk Management Framework, what each step produces, and how to write the working documents (System Security Plan, Risk Assessment Report, POA&M) that a federal or enterprise auditor expects to see.

Learning objectives

Cite the seven steps of NIST SP 800-37 Rev. 2 (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) and the deliverable each step produces
Write a one-paragraph control narrative for a SP 800-53 control of your choice that would survive an auditor's review
Distinguish the System Security Plan (SSP), the Security Assessment Report (SAR), and the Plan of Action and Milestones (POA&M)

Module 03 · 160 min

Regulatory Regimes: HIPAA, PCI DSS, SOC 2, FedRAMP, GDPR

What each regulation actually requires, how scope is defined, and what the GRC analyst's daily work looks like under each regime.

Learning objectives

Cite the HIPAA Security Rule's three safeguard categories (Administrative, Physical, Technical) and identify which department of HHS enforces them
Distinguish PCI DSS v4.0 scope (cardholder data environment, CDE), the four merchant levels, and the difference between a Self-Assessment Questionnaire and a Report on Compliance
Summarize SOC 2 Trust Services Criteria from AICPA TSP 100 and explain when a SOC 2 Type 2 report is required versus a SOC 2 Type 1
Identify the seven principles of GDPR (lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability)

Module 04 · 110 min

Third-Party Risk and the Vendor Questionnaire

Why supply-chain risk is the fastest-growing GRC category, what the SIG questionnaire and the CAIQ try to capture, and how to write a third-party risk assessment that holds up under audit.

Learning objectives

Cite NIST SP 800-161 Rev. 1 (Cybersecurity Supply Chain Risk Management) and explain its relationship to NIST CSF v2.0's Govern function
Distinguish the Shared Assessments SIG questionnaire and the CSA Consensus Assessments Initiative Questionnaire (CAIQ)
Write a third-party risk-tier classification (low / moderate / high / critical) and the controls each tier requires

Module 05 · 120 min

Audit Evidence and the Control Narrative Discipline

What auditors actually test, how to assemble an evidence library that survives an unannounced sample request, and the tone discipline that makes a GRC analyst credible in fieldwork.

Learning objectives

Distinguish design-effectiveness testing from operating-effectiveness testing per AICPA and NIST SP 800-53A
Build an evidence library for a given control family (AU Audit and Accountability is a good first pick) that survives a sample request
Apply the principle of 'concrete, falsifiable, traceable' to a real control narrative and identify what would fail an auditor

Module 06 · 100 min

The GRC and Compliance Career Trajectory

What the GRC analyst, GRC senior analyst, GRC manager, and CISO-track ladder looks like, the credentials hiring managers price into the offer, and what BLS, ISC2, and ISACA data say about compensation.

Learning objectives

Distinguish GRC analyst, senior GRC analyst, GRC manager, and CISO-track roles by daily decisions and credentials
Cite BLS OES 2024, ISC2 2024, and ISACA 2024 data on GRC and compliance compensation
Build a 12-month plan from current state to a target GRC role with credentialed milestones (Security+, CISA, CISM, CRISC)

Target audience

Career changers from internal audit, IT operations, or legal-adjacent work entering cybersecurity GRC

Junior GRC analysts and compliance specialists who need a primary-source-grounded reference for the major frameworks

Cybersecurity practitioners moving from technical roles into program management and policy

Sales engineers at GRC platform vendors who need fluency in the regulatory regimes their software supports

Information security officers preparing for the CISA, CISM, or CRISC examinations

Prerequisites

Working comfort with reading standards documents (NIST SPs, ISO summaries, regulatory text)

Basic understanding of cybersecurity terminology (firewalls, IAM, encryption-at-rest)

Willingness to commit 8 to 10 weeks of 4 to 6 hours per week study

Familiarity with one or more enterprise operating environments (cloud-native, on-prem, hybrid)

Disclaimer

GRC and Compliance Fundamentals

What this cybersecurity course is

Six modules

Frameworks and the CSF as the Organizing Spine

The Risk Management Framework: NIST SP 800-37 in Practice

Regulatory Regimes: HIPAA, PCI DSS, SOC 2, FedRAMP, GDPR

Third-Party Risk and the Vendor Questionnaire

Audit Evidence and the Control Narrative Discipline

The GRC and Compliance Career Trajectory

Target audience

Prerequisites

Related cybersecurity content

Sources

Disclaimer

GRC and Compliance Fundamentals

What this cybersecurity course is

Six modules

Frameworks and the CSF as the Organizing Spine

The Risk Management Framework: NIST SP 800-37 in Practice

Regulatory Regimes: HIPAA, PCI DSS, SOC 2, FedRAMP, GDPR

Third-Party Risk and the Vendor Questionnaire

Audit Evidence and the Control Narrative Discipline

The GRC and Compliance Career Trajectory

Target audience

Prerequisites

Related cybersecurity content

Sources

Disclaimer