The Complete GRC Training Programme · ISO 27001:2022
The Most Interactive
GRC Programme
Ever Built
15 series. Real scenarios. Real policies. Real evidence. You do not just learn about ISO 27001 — you build the ISMS, conduct the audit, respond to the incident, chair the management review, and defend every control to the certification auditor. Built for the GRC professional who wants to do the job, not just know about it.
15
Series
93
Controls Mapped
18
Policies Written
100+
Think-First Challenges
20
Mock Auditor Questions
Scenario throughout: Nexora Health Technologies Ltd — UK SaaS startup processing NHS patient data. 85 staff. Series B funded. Pursuing ISO 27001 certification in 6 months. Every series uses real Nexora decisions, real Nexora risks, and real Nexora evidence — so you always know what you are building and why.
Filter:
Foundation — Before You Build Anything
2 series
Series 0
Monday morning. The CISO walks in. "We need ISO 27001 in 6 months." You are the GRC Analyst. Where do you even begin? Live dialogue, 6-month project plan, Day 1 gap analysis, the team you need, Stage 1 vs Stage 2 explained, and the 7 things that kill certification projects.
Series 1
Why data protection law exists and how it drives every ISO 27001 decision. 7 principles, 8 rights, 6 legal bases, 72-hour breach response, GDPR vs ISO 27001 mapping, sector scenarios. The foundation everything else is built on.
Build the ISMS — Policies, Risk, Controls
8 series
Series 2
What ISO 27001 actually is — and how it works. The ISMS concept, the Plan-Do-Check-Act cycle, and a clause-by-clause walkthrough of Clauses 4–10. Every requirement explained in plain English with Nexora context.
Series 3
Restricted. Confidential. Internal. Public. How to classify every piece of information at Nexora — and what handling rules apply to each level. Interactive decision tree, sector scenarios, and the GRC Analyst's role in maintaining classification.
Series 4
Day in the life at Nexora. The skills triangle (governance, risk, compliance). Career path from junior analyst to CISO. Salary bands. Interview prep. Reporting lines and stakeholder map. What the job actually looks like — not what the job description says.
Series 5
Define exactly what is in — and out — of the ISMS. Too broad and you cannot evidence it. Too narrow and the auditor finds a breach in an out-of-scope system. Write the Nexora scope statement, handle exclusions, and defend it in the audit room.
Series 6
Build Nexora's complete Risk Register from scratch. Identify, score (likelihood × impact), and treat all 10 key risks — from ransomware to wrong-email recipients. Treatment decisions: modify, transfer, accept, avoid. Then defend every decision in the audit room.
Series 7
The 5-link policy chain: Law → Risk → Policy → Control → Evidence. All 32 ISO 27001 policies explained. Nexora's priority order. 6 core policies written in full. Evidence and audit room defence for every policy. What good looks like vs what creates findings.
Series 7B
6 technical policies written using the 3-layer method: Framework (WHY) → Challenge (write it yourself with Nexora context) → Model Policy + audit defence. Remote Working, Cryptography, Backup (RTO 4hr/RPO 1hr), Vulnerability Management, Physical Security, Information Transfer.
Series 7C
6 more policies in the same 3-layer format. HR Security, Change Management (CI/CD enforcement), Network Security (4-tier AWS VPC), Logging & Monitoring (CloudTrail + GuardDuty SLAs), Media Disposal, Data Retention & Deletion.
Audit & Certification — Both Sides of the Table
3 series
Series 8
You are the auditor. Plan the audit, build the checklists, conduct 4 live interviews, classify every finding, write the complete audit report, and build the corrective action plan. Result: 0 Major NCs · 4 Minor NCs · 3 Observations · 3 Positive Findings.
Series 9
Every ISO 27001:2022 Annex A control — all 93. Plain English meaning, what it requires, why it applies to Nexora, the implementing policy, the audit question, and the evidence required. Plus the Quick Reference Table (filterable) and the formal SoA document Nexora hands to the certification body.
Series 10
Flip the table. You are 3 weeks in. The external auditor arrives Monday. Brief the CEO, engineering, and HR. Handle 4 evidence challenges under pressure. Manage a Major NC you did not see coming — live, in the room. The closing meeting. What happens in the 30 days after.
ISMS Operations — Running It After Certification
4 series
Series 11
11:47pm. PagerDuty fires. Ransomware. 5 live decisions from detection to ICO notification. Then the wrong-recipient GDPR breach — is it reportable? When you have written deletion confirmation, what must you still do? Post-incident review with root cause analysis and 3 specific ISMS improvements.
Series 12
Clause 9.3 — you chair the meeting. The 7 mandatory inputs. Build a pack the CEO will actually read. Live meeting simulation with 4 decision points. The CEO asks "could we have prevented the ransomware?" — how do you answer? Write the minutes that pass the certification audit.
Series 13
The 8-week countdown. What cannot be done the final week. 35-item interactive evidence pack checklist. 20 real auditor questions with model answers and evidence required. Stage 1 vs Stage 2 explained. Year 1 and 2 surveillance audits. The certificate anatomy.
Series 14
Your risk does not stop at your door. The 3-tier supplier model. Nexora's full supplier register — AWS, Microsoft, Salesforce (overdue!), BambooHR, Stripe. Conduct a real Salesforce assessment question by question. DPA gaps identified. AWS and Salesforce exit plans documented.