Personal study, covers the frameworks, concepts, and practical knowledge you actually need — not just theory, but how things work in real environments.
GRC stands for Governance, Risk, and Compliance. It is the discipline of running an organization's policies, decision-making, risk management, and regulatory obligations as one connected effort instead of three disconnected functions.
- Governance is how decisions get made and who is accountable for them — policies, roles, oversight structures.
- Risk is the process of identifying what could go wrong, how likely it is, and what to do about it.
- Compliance is meeting the legal, regulatory, and contractual obligations the organization is subject to, and being able to prove it.
A GRC Analyst sits at the intersection of all three — translating frameworks and regulations into practical controls, running risk assessments, preparing for audits, and giving leadership a clear picture of where the organization actually stands.
A short summary of what each module covers, so you can see the full scope of these notes at a glance.
Module 0 — GRC Core Concepts & Terminology The foundation. Governance structures, the risk management lifecycle, control types, compliance and audit basics, the CIA triad, and what a GRC Analyst actually does day to day. Read this before anything else.
Module 1 — ISO 27001 The international standard for Information Security Management Systems. Covers the mandatory clauses, the Annex A control catalogue, risk assessment and the Statement of Applicability, and how certification and audits actually work.
Module 2 — NIST CSF The US-origin Cybersecurity Framework used globally as a common language for managing cybersecurity risk. Covers the six core functions (Govern, Identify, Protect, Detect, Respond, Recover), implementation tiers, and how it's used for assessment and gap analysis rather than certification.
Module 3 — SOC 2 The audit framework US and global enterprise clients expect from SaaS and tech vendors. Covers the five Trust Service Criteria, the Type 1 vs Type 2 distinction, the audit process, and what auditors actually test.
Module 4 — GDPR + India DPDP Act Privacy law for the EU and India. Covers GDPR's principles, lawful bases, and the eight data subject rights, India's Digital Personal Data Protection Act 2023, and a direct comparison of where the two laws align and diverge.
Module 5 — NCA ECC (Saudi Arabia) Saudi Arabia's mandatory cybersecurity baseline for government entities and critical infrastructure. Covers all five domains and 114 controls, the maturity model used for assessment, and how it relates to ISO 27001.
Module 6 — SAMA CSF (Saudi Arabia) The Saudi Central Bank's cybersecurity framework for the financial sector. Covers its four domains, maturity model, the annual self-assessment cycle, and how it works alongside NCA ECC for banks and financial institutions.
Module 7 — Saudi PDPL Saudi Arabia's Personal Data Protection Law, enforced from September 2023. Covers principles, lawful bases, data subject rights, breach notification, the Privacy Officer role, and a direct comparison with GDPR.
Module 8 — ISO 42001 (AI Governance) The world's first AI management system standard. Covers how it builds on ISO 27001's structure while introducing AI-specific risk — bias, fairness, model drift, human oversight — and what AI governance work looks like in practice.
Module 9 — Risk Assessment Methods The methodology every framework above assumes you already know. Covers qualitative vs quantitative risk assessment, the ALE/SLE/ARO formulas, named methodologies (NIST SP 800-30, ISO 31000, OCTAVE, FAIR), building a risk matrix, and how to actually run a risk assessment end to end.
Module 10 — GRC Tools The technology landscape a GRC Analyst works in. Covers enterprise GRC platforms (Archer, ServiceNow GRC, MetricStream), compliance automation tools (Vanta, Drata, Sprinto, Secureframe) and how their evidence automation actually works, supporting tools, and how organizations choose and implement them — including the 2025-2026 shift toward agentic AI in compliance tooling.
grc-notes/
│
├── 0-core-concepts/
│ ├── README.md
│ ├── 1-what-is-grc.md
│ ├── 2-governance.md
│ ├── 3-risk-management.md
│ ├── 4-controls.md
│ ├── 5-compliance-and-audit.md
│ ├── 6-cia-triad.md
│ ├── 7-grc-in-practice.md
│ └── cheatsheet.md
│
├── 1-iso27001/
│ ├── README.md
│ ├── 1-overview.md
│ ├── 2-clauses.md
│ ├── 3-annex-a-controls.md
│ ├── 4-risk-and-soa.md
│ ├── 5-audit-and-certification.md
│ └── cheatsheet.md
│
├── 2-nist-csf/
│ ├── README.md
│ ├── 1-overview.md
│ ├── 2-core-functions.md
│ ├── 3-implementation-tiers.md
│ ├── 4-profiles.md
│ ├── 5-csf-in-practice.md
│ └── cheatsheet.md
│
├── 3-soc2/
│ ├── README.md
│ ├── 1-overview.md
│ ├── 2-trust-service-criteria.md
│ ├── 3-type1-vs-type2.md
│ ├── 4-audit-process.md
│ ├── 5-soc2-in-practice.md
│ └── cheatsheet.md
│
├── 4-gdpr-dpdp/
│ ├── README.md
│ ├── 1-overview.md
│ ├── 2-key-principles.md
│ ├── 3-lawful-basis-and-consent.md
│ ├── 4-data-subject-rights.md
│ ├── 5-obligations-and-roles.md
│ ├── 6-dpdp-act.md
│ ├── 7-gdpr-vs-dpdp.md
│ └── cheatsheet.md
│
├── 5-nca-ecc/
│ ├── README.md
│ ├── 1-overview.md
│ ├── 2-domains-and-controls.md
│ ├── 3-compliance-and-assessment.md
│ ├── 4-ecc-in-practice.md
│ └── cheatsheet.md
│
├── 6-sama-csf/
│ ├── README.md
│ ├── 1-overview.md
│ ├── 2-domains-and-controls.md
│ ├── 3-maturity-model.md
│ ├── 4-compliance-and-assessment.md
│ ├── 5-sama-csf-in-practice.md
│ └── cheatsheet.md
│
├── 7-pdpl/
│ ├── README.md
│ ├── 1-overview.md
│ ├── 2-key-principles-and-lawful-basis.md
│ ├── 3-data-subject-rights.md
│ ├── 4-obligations.md
│ ├── 5-pdpl-vs-gdpr.md
│ └── cheatsheet.md
│
├── 8-iso42001/
│ ├── README.md
│ ├── 1-overview.md
│ ├── 2-clauses-and-requirements.md
│ ├── 3-annex-controls.md
│ ├── 4-ai-risk-management.md
│ ├── 5-iso42001-vs-iso27001.md
│ ├── 6-iso42001-in-practice.md
│ └── cheatsheet.md
│
├── 9-risk-assessment-methods/
│ ├── README.md
│ ├── 1-overview.md
│ ├── 2-qualitative-vs-quantitative.md
│ ├── 3-common-methodologies.md
│ ├── 4-risk-scoring-and-heat-maps.md
│ ├── 5-risk-assessment-in-practice.md
│ └── cheatsheet.md
│
├── 10-grc-tools/
│ ├── README.md
│ ├── 1-overview.md
│ ├── 2-grc-platforms.md
│ ├── 3-compliance-automation-tools.md
│ ├── 4-supporting-tools.md
│ ├── 5-choosing-and-implementing-tools.md
│ └── cheatsheet.md
│
├── glossary.md
└── README.md
— @kayShahbaaz (kayn0x)