GRC Explorer — Free | UST GRC Academy
GRC Explorer · Free Tier · No Account Required

Learn GRC the way it actually happens at work.

Not slides. Not theory. Real scenarios, real characters, real decisions — starting from Day One on the job. Six modules, free forever, no credit card.

  • Module 1 · GDPR: Episode 1 of 6 (free)
  • Module 2 · ISO 27001: Episode 1, the CISO brief
  • Scenario A · MedCore: 160,000 patients, Day One
  • Scenario B · Greenfield Uni: surveillance audit in 10 weeks
  • Reference · GRC Glossary: 70 plain-English terms
  • Tool · Framework Finder: 5 questions → your answer

6 free modules · 70 glossary terms · 4 GRC frameworks · no account needed
Module 1 · GDPR

Episode 1: The Breach Call

It's 7:43 AM on a Tuesday. Your first week as a compliance analyst at FinVault, a UK-based fintech serving 280,000 customers. Your manager forwards you an alert — and everything changes.

Cast
  • You: Compliance Analyst (Week 1)
  • Diana Kim: Head of Compliance
  • Tom Walsh: Lead Engineer
  • Sarah Grant: DPO (external)
⚡ Incident Alert

FROM: security-alerts@finvault.io
TO: compliance@finvault.io
SUBJECT: [URGENT] Misconfigured S3 bucket — customer data exposed

A third-party penetration tester has identified that our customer transaction log bucket (prod-tx-logs-2024) was publicly accessible for an estimated 11 days. Approximately 14,200 customer records may have been exposed including names, email addresses, and partial IBAN data.

⚖️ Decision Point #1

Diana calls you in. "We need to decide — is this a notifiable breach? And if so, how long do we have?" She's looking at you for the answer.

📘 GDPR Article 33 — Notification to supervisory authority

A personal data breach must be notified to the competent supervisory authority (the ICO in the UK) within 72 hours of the controller becoming aware — unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The clock starts when you have reasonable certainty a breach has occurred.

Key facts
  • Breach discovered: Tuesday 07:43, when the alert email reached the compliance team. Note that it is the controller as a whole that becomes "aware", not the compliance team: if the security team received the pen-tester's finding earlier, the clock started then, not at 07:43.
  • 72-hour deadline: Friday 07:43, the latest point to notify the ICO or to document why notification isn't required. These are calendar hours, not working hours, and a notification made after 72 hours must be accompanied by the reasons for the delay.
  • Records affected: ~14,200. Names, emails and partial IBAN are all personal data under GDPR.
  • Data categories: standard personal data. Not special category, but financial data increases the risk rating.

What you need to assess

  • Was data actually accessed, or just accessible? (The distinction affects risk severity, not the reporting obligation)
  • Partial IBAN data — what does "partial" mean? Could it enable fraud combined with other data?
  • Is the S3 bucket now secured? Evidence of containment is required in your ICO notification
  • Which customers need to be individually notified under Article 34? (Those facing "high risk" to their rights)
  • Do you have a processor agreement (Article 28 terms) with the cloud provider (AWS)? AWS incorporates a GDPR Data Processing Addendum into its service terms, but you still need to confirm it applies to this account and hold a copy as evidence; if you can't, that's a second compliance issue
Scene — 2 Hours Later

"Tom tells me the bucket was locked down at 6 AM this morning. But he can't confirm whether anyone accessed it during those 11 days — the access logs were only retained for 7 days and they've already rolled over."

— Diana Kim, Head of Compliance

This is a common real-world problem: inadequate logging. The absence of logs doesn't mean no access occurred — it means you can't rule it out. Your ICO notification must acknowledge this uncertainty. The engineering lesson is that the retention period for S3 server access logs (or CloudTrail S3 data events) has to outlast the time it takes you to discover an exposure; seven days is too short when a misconfiguration can sit unnoticed for weeks.
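
To make the logging point concrete, here is an added example (not part of the course material) that runs the kind of check Tom would need over S3 server access log lines. The log lines, bucket name, exposure window and seven-day retention are constructed for the scenario, and the code assumes the earliest retained line marks the start of log coverage; in practice you would take that from the log bucket's lifecycle rule. It reports successful unauthenticated object reads inside the window and, when the logs start after the window opened, returns "inconclusive" rather than "no access".

```python
import re
from datetime import datetime, timedelta, timezone

# Leading fields of an S3 server access log line, in the documented order.
# The requester field is "-" when the request was unauthenticated (anonymous).
_LINE = re.compile(
    r"^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) "
    r"(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "
    r'"(?P<uri>[^"]*)" (?P<status>\S+)'
)

# Constructed sample lines (placeholder owner and request IDs). The bucket's log
# retention is seven days, so nothing earlier than 10 June survives.
SAMPLE_LOG = """\
deadbeef prod-tx-logs-2024 [10/Jun/2024:09:12:01 +0000] 203.0.113.7 - 1A2B3C4D REST.GET.OBJECT tx/2024-06-01.csv "GET /tx/2024-06-01.csv HTTP/1.1" 200 - 48213 48213 12 11 "-" "curl/8.4.0" - hostid - - - prod-tx-logs-2024.s3.eu-west-2.amazonaws.com TLSV1.2 - -
deadbeef prod-tx-logs-2024 [10/Jun/2024:09:13:44 +0000] 10.0.4.21 79a59df9 4D5E6F7A REST.PUT.OBJECT tx/2024-06-10.csv "PUT /tx/2024-06-10.csv HTTP/1.1" 200 - - 51002 30 25 "-" "aws-sdk-go/1.50" - hostid SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader prod-tx-logs-2024.s3.eu-west-2.amazonaws.com TLSV1.2 - -
deadbeef prod-tx-logs-2024 [11/Jun/2024:22:05:09 +0000] 198.51.100.23 - 7A8B9C0D REST.GET.OBJECT tx/2024-06-03.csv "GET /tx/2024-06-03.csv HTTP/1.1" 200 - 47990 47990 9 8 "-" "python-requests/2.31" - hostid - - - prod-tx-logs-2024.s3.eu-west-2.amazonaws.com TLSV1.2 - -
deadbeef prod-tx-logs-2024 [12/Jun/2024:07:30:12 +0000] 198.51.100.23 - 0D1E2F3A REST.GET.OBJECT tx/2024-06-03.csv "GET /tx/2024-06-03.csv HTTP/1.1" 403 AccessDenied - 47990 4 3 "-" "python-requests/2.31" - hostid - - - prod-tx-logs-2024.s3.eu-west-2.amazonaws.com TLSV1.2 - -
"""

# Exposure window assumed for the scenario: opened 1 June, locked down 06:00 on 12 June.
WINDOW_START = datetime(2024, 6, 1, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 6, 12, 6, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return the leading fields of one log line as a dict, or None if malformed."""
    m = _LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def assess_exposure(log_text, bucket, window_start, window_end):
    """Decide what the retained logs can and cannot tell you about the window.

    Three outcomes: unauthenticated object reads inside the window were seen;
    none were seen and the logs cover the whole window; or none were seen but
    the logs start after the window opened, so absence of evidence proves nothing.
    """
    records = [r for r in map(parse_line, log_text.splitlines())
               if r is not None and r["bucket"] == bucket]
    if not records:
        return {"verdict": "inconclusive", "unauthenticated_reads": [],
                "coverage_complete": False,
                "uncovered_days": (window_end - window_start).days}

    # Assumption: the earliest retained line marks where log coverage begins.
    coverage_start = min(r["time"] for r in records)
    uncovered = max(coverage_start - window_start, timedelta(0))

    in_window = [r for r in records if window_start <= r["time"] <= window_end]
    reads = [
        (r["time"].isoformat(), r["ip"], r["key"])
        for r in in_window
        if r["requester"] == "-"             # anonymous principal
        and r["operation"] == "REST.GET.OBJECT"
        and r["status"].startswith("2")      # the read actually succeeded
    ]

    if reads:
        verdict = "confirmed_unauthenticated_access"
    elif uncovered > timedelta(0):
        verdict = "inconclusive"
    else:
        verdict = "no_unauthenticated_access_observed"

    return {
        "verdict": verdict,
        "unauthenticated_reads": reads,
        "coverage_complete": uncovered == timedelta(0),
        "uncovered_days": round(uncovered.total_seconds() / 86400, 1),
    }


def assess_sample():
    """Run the assessment over the constructed scenario data."""
    return assess_exposure(SAMPLE_LOG, "prod-tx-logs-2024", WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    result = assess_sample()
    print(result["verdict"], "| reads:", len(result["unauthenticated_reads"]),
          "| uncovered days:", result["uncovered_days"])
```

On the sample data this returns confirmed_unauthenticated_access with two reads and about 9.4 uncovered days. The two reads are a lower bound, not a count, which is exactly the uncertainty the ICO notification has to state; the 403 after lockdown is outside the window and is excluded, as is the authenticated PUT.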

⚖️ Decision Point #2

With logs gone and access unknown, Sarah Grant (your DPO) says you have a choice: treat it as a "likely low risk" breach and skip customer notification, or apply the precautionary principle and notify all 14,200 people. What are the trade-offs?

Option A — Notify Customers
Higher trust, meets spirit of GDPR. Risk of reputational damage and customer churn. Costs time and resource. Article 34 compliant.
Option B — ICO Only (No Customer Notification)
Lower immediate disruption. ICO may disagree with your risk assessment and require notification anyway, potentially adding a fine for delay.

What this episode teaches

  • The 72-hour clock is measured from "awareness" — which is when your organisation has reasonable certainty, not when you've fully investigated
  • Incomplete logs are a finding in themselves — GDPR Article 5(2) (accountability) requires you to be able to demonstrate compliance
  • The DPO role is advisory — they don't make the final call, the controller (your company) does
  • Most real breaches involve uncertainty — your job is to make a documented, reasoned decision, not a perfect one
Next in Module 1
Episode 2: Writing the ICO Notification
Practitioner access · How to structure Article 33 notifications that satisfy regulators
Module 2 · ISO/IEC 27001:2022

Episode 1: The CISO Brief

Arcadia Digital just won a £6M NHS contract. The client's legal team adds one line to the SOW: "ISO 27001 certification required within 12 months." Your CISO calls a 9 AM stand-up. You're the new information security analyst.

Cast
  • Marcus Reid: CISO
  • Anya Larsson: IT Director
  • James Park: Lead Auditor (external)
  • You: Information Security Analyst
Stand-Up — 9:04 AM

"We've got 12 months. I'm not going to pretend that's comfortable. James is joining us next week to run a gap assessment. Before he arrives, I need everyone to know exactly what ISO 27001 actually requires — not the marketing version, the real version."

— Marcus Reid, CISO
📘 What ISO 27001 Actually Is

ISO/IEC 27001 is an international standard for an Information Security Management System (ISMS). It's not a technology checklist — it's a management framework. Certification means an accredited body has audited your ISMS and confirmed it meets the standard. The 2022 revision brought 93 controls (down from 114) organised into 4 themes: Organisational, People, Physical, Technological.

The 12-Month Certification Road

  • Months 1–2: Gap Assessment

    External auditor maps your current state against ISO 27001 clause requirements and Annex A controls. Output: a gap report with prioritised findings. This is not an audit — no certificate is at stake yet.

  • Months 2–4: ISMS Design

    Scope definition, information security policy, risk assessment methodology, Statement of Applicability (SoA). Every control you exclude from Annex A needs a documented justification.

  • Months 4–9: Implementation

    Policies, procedures, technical controls, training. The most time-intensive phase. Asset inventory, supplier assessments, access management reviews, incident response procedures.

  • Months 9–10: Internal Audit

    You audit your own ISMS before the external auditor arrives. Find your nonconformities now, not during Stage 2. Non-conformities must be formally recorded and tracked to closure.

  • Months 10–11: Stage 1 Audit (Documentation Review)

    External auditor reviews your ISMS documentation. Are your policies complete? Is the scope defensible? Stage 1 findings become a punch-list before Stage 2.

  • Month 12: Stage 2 Audit (Evidence Audit)

    Auditor tests whether your ISMS operates as described. They will interview staff, request evidence of controls, and look for gaps between documentation and practice.

⚖️ Decision Point #1

Marcus asks you to define the ISMS scope before the gap assessment. Should you scope the entire company, or just the division handling the NHS contract? Each choice has significant cost and risk implications.

Narrow Scope (NHS Division Only)
Faster, cheaper, lower risk of finding showstopper issues. But: if that division shares infrastructure with the rest of the company, your scope statement may be challenged by auditors.
Wide Scope (Full Organisation)
More credible and future-proof. Harder to achieve in 12 months. Reveals more gaps. But positions you for additional contracts requiring certification.

Key ISO 27001 Concepts to Know

  • ISMS: The management system itself — policies, processes, people, technology working together. Certification is of the ISMS, not individual controls
  • Statement of Applicability (SoA): The document that lists all 93 Annex A controls, states whether each is implemented, and justifies any exclusions. Auditors scrutinise this closely
  • Risk Treatment Plan: Documents how each identified risk is handled — Accept, Mitigate, Transfer, or Avoid. Must link to controls
  • Nonconformity: A formal finding where your ISMS doesn't meet the standard. Minor = fix within agreed timeframe. Major = certification cannot proceed until resolved
  • Surveillance Audits: After certification, annual check-ins (lighter than full audit) to confirm your ISMS is maintained. Recertification every 3 years
Next in Module 2
Episode 2: Writing the Risk Assessment
Practitioner access · Asset inventory, threat modelling, risk matrices — with real templates
Scenario A · Healthcare Compliance

MedCore Health Systems: Day One

MedCore Health Systems is a US-based regional hospital network. 160,000 active patients. 4 hospitals, 18 clinics. You join as a compliance analyst. On your first morning, your manager drops a file on your desk marked "URGENT — OCR Investigation."

Cast
  • You: Compliance Analyst (Day 1)
  • Rosa Chen: Chief Compliance Officer
  • Ben Torres: IT Security Manager
📬 OCR Letter

Office for Civil Rights — U.S. Department of Health & Human Services
Re: Complaint Investigation — File No. 24-MC-0847

This office has received a complaint alleging that MedCore Health Systems disclosed protected health information (PHI) to a third-party marketing vendor without a valid HIPAA authorisation or Business Associate Agreement. Please provide the following documentation within 30 days...

📘 HIPAA at a Glance

The Health Insurance Portability and Accountability Act (1996) creates rules around Protected Health Information (PHI) — any information that relates to an individual's health condition, treatment, or payment, combined with an identifier. The key rules: Privacy Rule (who can see PHI and why), Security Rule (how electronic PHI must be protected), and Breach Notification Rule (what you must do when something goes wrong).

What the OCR Will Want to See

Business Associate Agreement
BAA
A signed contract with any vendor who handles PHI on your behalf. Mandatory under HIPAA. If this marketing vendor didn't have one — you have a direct violation.
Minimum Necessary Standard
45 CFR 164.502(b)
You can only disclose the minimum PHI needed for the stated purpose. Sending a full patient list to a marketing firm almost certainly violates this.
Valid Authorisation
45 CFR 164.508
Marketing uses of PHI (beyond treatment communications) require individual patient authorisation — a signed, specific document. "General consent" doesn't cover this.
OCR Response Deadline
30 Days
From receipt of the OCR letter. Missing this deadline makes the situation significantly worse and signals poor compliance culture.
⚖️ Decision Point

Rosa hands you the marketing vendor contract. There's a Data Processing Addendum — but it was signed 8 months after MedCore first shared data with the vendor. Does this BAA protect you? What do you tell the OCR?

  • A retroactive BAA does not eliminate the prior period of non-compliance. The 8 months without a BAA is a separate violation requiring its own response. Check first that the addendum actually contains the terms 45 CFR 164.504(e) requires of a business associate contract; a generic data processing addendum is not automatically a BAA
  • OCR investigators are experienced — incomplete, misleading, or selective responses will damage your credibility and likely escalate the investigation
  • Self-disclosure of the gap, combined with evidence of corrective action, typically results in better outcomes than OCR discovering it independently
  • HIPAA civil penalties are capped at over $1.9M per violation category per calendar year (the cap is adjusted for inflation each year). The financial exposure depends on the culpability tier: unknowing, reasonable cause, willful neglect that was corrected, and willful neglect that was not corrected
Continue MedCore Scenario
Chapter 2: Drafting the OCR Response
Practitioner access · Real response structures, corrective action plan templates, legal privilege considerations
Scenario B · ISO 27001 Audit

Greenfield University: Surveillance Audit

Greenfield University achieved ISO 27001 certification 11 months ago. The annual surveillance audit starts in 10 weeks. You've just joined as Information Security Officer, and your predecessor discovered three control gaps that were never closed.

Cast
  • You: Information Security Officer
  • Prof. Bridget: Deputy VC (Operations)
  • Kieran Nash: Lead Auditor (certification body)
📋 Inherited Issues

Your predecessor left a handover note with three open findings from last year's surveillance audit. All three were recorded as "in progress" but none have documented closure evidence:

Minor NC — A.5.18 (Access Rights)
18 former staff accounts still active in Active Directory. Leaver process not consistently followed.
Minor NC — A.8.13 (Information Backup)
Backup restoration testing not performed in the past 14 months. Testing was due quarterly.
OFI — A.5.31 (Legal Requirements)
Legal and regulatory register last reviewed 19 months ago — out of date with recent UK Data Protection amendments.
⚖️ Decision Point #1

10 weeks isn't much time. Do you prioritise closing all three before the audit, or brief the auditor on your remediation progress and let them see it in-flight? What does "closure" actually mean to an ISO auditor?

📘 What Auditors Mean by "Closed"

A nonconformity is closed when there is documented evidence that the root cause has been addressed — not just the symptom. For the access control issue, disabling 18 accounts doesn't close the NC. You need to show the process has changed so it won't happen again: updated leaver procedure, HR integration, periodic recertification. The auditor will test whether new leavers since the fix are also handled correctly.
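
The reconciliation below is an added example, not the course's own material, showing what "closed" looks like as evidence for the access-rights finding. It assumes two CSV exports, an HR leaver list and a directory account dump (the column names, the one-day disable SLA and the fix date are all assumptions), and the rows are constructed. It lists leavers whose accounts are still enabled, flags any logon after the leave date as a higher-severity finding, and separately tests the leavers since the fix date, which is the sample the auditor will take.

```python
import csv
import io
from datetime import date

# Constructed exports. A real HR leaver list and directory dump would be
# pulled from the HR system and from the directory (for AD, a Get-ADUser export).
HR_LEAVERS = """\
employee_id,username,leave_date
1001,jsmith,2024-01-15
1002,akhan,2024-03-02
1003,mlee,2024-05-20
1004,tnguyen,2024-06-03
"""

DIRECTORY_EXPORT = """\
username,enabled,last_logon
jsmith,true,2024-02-03
akhan,false,2024-02-28
mlee,true,2024-05-19
tnguyen,false,2024-06-03
rpatel,true,2024-06-07
"""

FIX_DATE = date(2024, 6, 1)   # assumed date the updated leaver procedure went live
AS_OF = date(2024, 6, 10)     # assumed date the reconciliation is run


def reconcile(hr_csv, directory_csv, as_of, sla_days=1, since=None):
    """Return one finding per leaver whose account is still enabled.

    sla_days is the assumed policy window for disabling a leaver's account.
    since, when given, restricts the check to leavers on or after that date,
    which is the sample an auditor takes to test whether a fix actually holds.
    """
    leavers = list(csv.DictReader(io.StringIO(hr_csv)))
    accounts = {row["username"]: row
                for row in csv.DictReader(io.StringIO(directory_csv))}
    findings = []
    for hr in leavers:
        leave_date = date.fromisoformat(hr["leave_date"])
        if since is not None and leave_date < since:
            continue
        acct = accounts.get(hr["username"])
        if acct is None or acct["enabled"].strip().lower() != "true":
            continue   # no account, or already disabled: the process worked
        last_logon = (date.fromisoformat(acct["last_logon"])
                      if acct["last_logon"] else None)
        used_after_leaving = last_logon is not None and last_logon > leave_date
        findings.append({
            "username": hr["username"],
            "leave_date": leave_date.isoformat(),
            "days_overdue": max((as_of - leave_date).days - sla_days, 0),
            "used_after_leaving": used_after_leaving,
            # A logon after the leave date shows the gap was used, not just open.
            "severity": "high" if used_after_leaving else "medium",
        })
    # Worst first: post-departure use, then longest overdue.
    findings.sort(key=lambda f: (not f["used_after_leaving"], -f["days_overdue"]))
    return findings


def closure_check(hr_csv, directory_csv, as_of, fix_date):
    """Summary an auditor can reproduce: legacy gaps versus leavers since the fix."""
    findings = reconcile(hr_csv, directory_csv, as_of)
    post_fix = [f for f in findings
                if date.fromisoformat(f["leave_date"]) >= fix_date]
    return {
        "open_legacy_accounts": len(findings) - len(post_fix),
        "post_fix_failures": len(post_fix),
        "process_holds_since_fix": not post_fix,
    }


def sample_findings():
    return reconcile(HR_LEAVERS, DIRECTORY_EXPORT, AS_OF)


def sample_closure():
    return closure_check(HR_LEAVERS, DIRECTORY_EXPORT, AS_OF, FIX_DATE)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
    print(sample_closure())
```

On the constructed data the legacy gap is two accounts (one of them used after the leave date, which belongs in the root-cause record as well as the evidence pack), while the one leaver since the fix date was disabled on the day: that second result is the closure evidence, and the script itself, run again each quarter, is the periodic recertification.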

Your 10-Week Remediation Plan

  • Weeks 1–2: Evidence Gathering

    Pull the current state on each NC. How many leavers since the last audit? When was the last backup test actually run? Get IT to run the backup restoration test and document it this week.

  • Weeks 2–4: Root Cause Analysis

    For each NC, document the root cause in a formal Corrective Action record. "We didn't follow process" is not a root cause. Why didn't staff follow process? Missing training? No ownership? No enforcement?

  • Weeks 4–7: Implementation

    Update leaver procedure + integrate with HR system. Complete backup restoration test + schedule quarterly recurring. Update legal register + set 6-month review cadence with documented owner.

  • Weeks 8–10: Evidence Packaging

    Compile a closure evidence pack for each NC. Brief the Deputy VC. Prepare your audit presentation — auditors appreciate organisations that tell a clear story about what went wrong and what changed.

⚠️ The Risk if You Don't Close These

A surveillance audit that finds the same minor NCs as the previous year is a serious signal to the certification body. It suggests the ISMS isn't operating effectively. Depending on the CB's policy, two consecutive years of the same finding could be escalated to a major nonconformity — which risks your certification being suspended.

Continue Greenfield Scenario
Chapter 2: The Audit Day
Practitioner access · How auditors conduct interviews, what "sampling" means, and how to handle unexpected findings
Reference · Plain English

GRC Glossary

70 terms defined without jargon. The definitions practitioners actually use, not the textbook versions.

Tool · 5 Questions

Framework Finder

Answer 5 questions about your organisation and we'll recommend the most relevant GRC framework to prioritise. No account, no email, no catch.
