New career track · GRC — Governance, Risk & Compliance
Governance, risk & compliance — learned by doing the actual job
Most GRC courses hand you definitions. This one hands you the work: a ten-lesson course that builds a real security program for a fictional company, and a hands-on lab where you score live risks and defend your treatment calls — the same decisions a GRC analyst makes in week one on the job.
Included in the one HelpWithCert subscription — $19.99/month, alongside all nine certification exam banks. Cancel anytime.
From the Risk Register Lab
hover or tap a cellSeverity: —
In the lab, severity is computed, never typed — two honest inputs, one un-arguable output. Pick a cell to see the score and what a defensible treatment looks like.
NIST is the National Institute of Standards and Technology (SP = Special Publication, CSF = Cybersecurity Framework); CIS is the Center for Internet Security. SOC 2 (System and Organization Controls 2) and PCI DSS (Payment Card Industry Data Security Standard) are introduced where they fit. Every lesson cites its source.
Three pillars, one job
GRC is one discipline wearing three hats
The course is organized the way the work is organized — and in the order a real program gets built: you inventory assets before you rate risks, rate risks before you choose controls, and write policies last, once you know what the rules need to say.
PILLAR 01 · GOVERNANCE
Set the rules
Policies, standards, and procedures — and the difference between them. How security decisions get made, documented, reviewed on a schedule, and enforced through gates instead of good intentions.
Lessons 1 · 7PILLAR 02 · RISK
Measure what could go wrong
Score risks by likelihood × impact against a fictional company, walk them through a gated lifecycle, and decide — accept, mitigate, transfer, or avoid — with the reasoning written down.
Lessons 2 · 3 · 4 · 5 · 8PILLAR 03 · COMPLIANCE
Prove it
Evidence, audits, and frameworks. Map controls to NIST CSF 2.0 and CIS Controls v8, learn what auditors actually ask for, and why an untested control is a hope, not a control.
Lessons 6 · 9 · 10Why it’s different
Built like a real program, not a slideshow
The track is modeled on a working GRC system — the mechanics that keep real programs honest are the mechanics you learn.
Severity is computed, never typed
Likelihood × impact, 1–25, exactly as NIST SP 800-30 lays it out. If people can type the severity directly, they’ll argue it down — two anchored inputs and one computed output keep the scoring honest.
Risks walk a gated lifecycle
Every risk descends through six stages, and each gate blocks until the right person has done the right thing — unowned risks can’t advance, untested controls can’t be trusted, unsigned closures don’t exist.
Three names, three roles
Separation of duties (NIST SP 800-53, control AC-5): the person who builds a control doesn’t test it, and neither of them signs the acceptance. Self-graded homework proves nothing — you’ll learn why, and practice being each role.
If it isn’t written down, it didn’t happen
Audit trails, evidence binders, and the tamper-evident hash chain — plus the sign-off certificate that binds a closed risk to three distinct authorities. The habits auditors are checking for, taught as habits.
Curriculum — live today
Ten lessons that build one program
Each lesson ends with quick-check questions; pass all ten and you earn the completion certificate. The running example is Brightline Plumbing Supply, a 40-person company whose security program you build from nothing.
What GRC is (and why the order matters)
Governance, risk, and compliance in plain English — and the one sequencing rule the whole field hangs on.
Assets: know what you protect
The inventory comes first. Asset types, criticality, and why every Critical rating needs a written reason.
Risks: likelihood × impact
The 5×5 scale from NIST SP 800-30, the heat map, and why severity is computed rather than typed.
The risk register and the lifecycle
One authoritative list, six gated stages, and a clock on every risk.
Treating risk: the four choices
Accept, mitigate, transfer, avoid — when each is defensible, and the fine print on transfer and avoidance.
Prove it: evidence and separation of duties
Assessment methods, the evidence binder, and why implementer, tester, and authorizer must be three people.
Policies: the G in GRC
Policy vs. standard vs. procedure, review cadence, and time-boxed exceptions.
Risk acceptance and the POA&M
Formal, expiring, signed acceptance — and the Plan of Action and Milestones, the honest list of what’s still wrong.
Frameworks: CSF 2.0, CIS v8, ISO 27001
Tag, count, color — the compliance rollup, and letting the gaps tell you what to build next.
Audit trails, sign-off, and reporting
Tamper-evident records, the three-signature certificate, and the five metrics leadership actually reads.
Risk Register Lab
Seven scored scenarios: set likelihood and impact on a live heat map, choose a treatment, get graded on whether it’s defensible.
Risk Lifecycle Lab
Walk one risk down the gated stages — each gate blocks until the right person has done the right thing.
Capstone: Run the Program
Four simulated quarters as a company’s first GRC hire — separation of duties enforced, sign-off certificate at the end.
ISC2 CGRC practice exams
Full-length practice exams for ISC2’s Certified in Governance, Risk and Compliance, matching the site’s exam format.
What you finish with
Proof you can talk about in an interview
Today’s track ends with a certificate and defended decisions; the roadmap adds portfolio artifacts as each lab ships.
A completion certificate
Finish all ten lessons and their quick checks and the certificate is yours — issued by the site, tied to your account.
Seven defended risk calls
The lab’s scenarios train the exact interview question — “here’s a risk, what do you do?” — including the trap answers, like transferring a legal duty to an insurer.
Portfolio artifacts
The policy pack, the evidence binder, and the capstone’s three-signature sign-off certificate arrive with their labs — each one a folder you open when a hiring manager asks “have you done this?”
One subscription. Everything on the site.
The GRC track is included with all nine certification exam banks, every course and lab, and the AI study assistant — $19.99/month, cancel anytime. No separate track fee.
FAQ
Common questions
Do I need a technical background?
No. GRC is the most accessible entry point into cybersecurity — it rewards clear thinking and clear writing more than command-line skills. Every technical concept the course touches is explained in plain English, and the labs are decision-based, not terminal-based.
Is this included in my existing subscription?
Yes. If you already subscribe to HelpWithCert, the GRC track is in your dashboard now at no extra cost — same subscription that covers the nine certification exam banks.
Which certifications does this prepare me for?
The track overlaps heavily with the governance and risk material in CompTIA Security+ and ISC2’s CC (Certified in Cybersecurity) — both of which have full practice-exam banks on this site. It also builds the working vocabulary for ISC2’s CGRC (Certified in Governance, Risk and Compliance), and CGRC practice exams are on the track’s roadmap.
How long does the course take?
It’s designed for roughly three to four weeks at a few hours per week — ten lessons plus the lab. You can move faster; the lessons build on each other in order, so skipping ahead costs more than it saves.
Is this based on the real NIST framework?
Yes. Risk scoring follows NIST SP 800-30, the lifecycle mirrors SP 800-37’s Risk Management Framework, and control mapping uses CSF 2.0 — lessons cite their sources, and you can verify everything against the official NIST Cybersecurity Framework documentation.
Score your first risk above. Build the rest inside.
Ten lessons, a live lab, and a certificate — inside the one subscription you may already have.
Start the GRC path