Welcome to The GRC Lab, a weekly newsletter where I provide actionable advice to help you launch, grow and accelerate your career in Governance, Risk and Compliance.
Let me begin with my own story and how I got into GRC.
I studied industrial engineering and eventually graduated with a master's degree from the Technical University of Ulm. Fresh out of college, I was under the impression that my days of intensive learning were behind me. How wrong I was!
My professional journey started in the quality management department of a data center, something I felt capable of given my academic background. However, I very soon discovered that quality management in a data center is closely related to information security and data privacy, two topics I barely knew anything about.
Fast forward to today, and I am confident in saying that accepting this challenge was one of the best choices of my life. Governance, Risk & Compliance has opened up so many opportunities for me. I could not imagine working in a different domain any more.
If I were to start my career in GRC again, here's how I would approach it.
Fundamentals
Governance, Risk & Compliance is often misunderstood, and barely anyone can explain what it's all about in less than 3 sentences. By reading the following book, you will develop a solid understanding of GRC and learn about the different career paths.
The Red Book by OCEG teaches GRC professionals, in a clear and enjoyable way, how to achieve Principled Performance: the reliable achievement of objectives while addressing uncertainty and acting with integrity.
You can access the OCEG Red Book for free via the following link.* https://www.oceg.org/grc-capability-model-red-book/
(*I am in no way affiliated with OCEG or any of its subsidiaries)
Information Security
Information security is about ensuring the confidentiality, integrity and availability of information assets. Even if you are not a very technical person, understanding the fundamentals and core concepts of this discipline is an absolute necessity to enter the GRC space.
ISO/IEC 27000:2018 provides a great introduction to this field, explaining basic terms and concepts. Unlike many other ISO standards, this one is available for FREE.
You can access ISO/IEC 27000:2018 for free via the following link.
https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
Risk Management
When it comes to risk management, there are two publications that I consider must-reads. They are both published by NIST, the National Institute of Standards and Technology, an agency of the United States Department of Commerce.
NIST SP 800-30 | Guide for Conducting Risk Assessments
This publication explains in detail how to conduct risk assessments at the organization, mission and system levels. It combines the theoretical background with practical guidance for real-world assessments in a clear and precise way.
You can access NIST SP 800-30 for free via the following link. https://csrc.nist.gov/pubs/sp/800/30/r1/final
NIST SP 800-37 | Risk Management Framework
The NIST Risk Management Framework (RMF) presents a comprehensive, flexible, and robust process aimed at integrating security, privacy, and risk management activities into the technology life cycle. This publication will help you to better understand how risk management integrates with other activities.
You can access NIST SP 800-37 for free via the following link. https://csrc.nist.gov/pubs/sp/800/37/r2/final
Here is another article of mine about the NIST RMF.
Where to go from here?
When I started this article, I wanted to include at least another 10 publications. But I don't think that's really helpful for those getting started right now. GRC is a vast field. There is a lot to learn, maybe even too much to learn. So I think it's best to focus on just a few aspects in the beginning before delving deeper or discovering a new subdomain.
If you have a hunger for knowledge, here is some more to read.
📕 NIST SP 800-100 Information Security
- Publisher: NIST
- Availability: FREE
📕 CISM All-in-One Guide
- Publisher: McGraw Hill
- Availability: PAID
📕 NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- Publisher: NIST
- Availability: FREE
📕 PCI DSS 4.0
- Publisher: PCI Council
- Availability: FREE
📕 COBIT 2019 Methodology
- Publisher: ISACA
- Availability: FREE
📕 COBIT 2019 Governance and Management Objectives
- Publisher: ISACA
- Availability: PAID
📕 CISA All-in-One Study Guide
- Publisher: McGraw Hill
- Availability: PAID
📕 IT Audit Framework (ITAF)
- Publisher: ISACA
- Availability: FREE
Whenever you're ready, there are 3 ways I can help you:
ISO 27001 Lead Implementer Course: Join 8,500 students in mastering ISO/IEC 27001:2022. This comprehensive 8-hour course will teach you a proven 12-step methodology with ready-to-use templates, saving you and your organisation hundreds of hours.
ISO 27001 Starter Kit: Simplify your path to compliance with a customizable project plan, a set of reference processes and supporting resources.
BPMN 2.0 for Enterprise Architects: Learn how to model business processes with BPMN 2.0.