How to give yourself a GRC MBA

Written by

Aron Lange

Published

Apr 5, 2024

Let me begin with my own story and how I got into GRC.

I studied industrial engineering and eventually graduated with a master's degree from the Technical University of Ulm. Fresh out of college, I was under the impression that my days of intensive learning were behind me. How wrong I was!

My professional journey started in the quality management department of a data center, something I felt capable of given my academic background. Very soon, however, I discovered that quality management in a data center is closely tied to information security and data privacy, two topics I barely knew anything about.

Fast forward to today, and I am confident in saying that accepting this challenge was one of the best choices of my life. Governance, Risk & Compliance has opened up so many opportunities for me. I could not imagine working in a different domain any more.

If I were to start my career in GRC again, here's how I would approach it.

Fundamentals

Governance, Risk & Compliance is often misunderstood, and barely anyone can explain what it's all about in less than 3 sentences. By reading the following book, you will develop a solid understanding of GRC and learn about the different career paths.

The Red Book by OCEG teaches GRC professionals, in a clear and enjoyable way, how to achieve Principled Performance: the reliable achievement of objectives while addressing uncertainty and acting with integrity.
You can access the OCEG Red Book for free via the following link.* https://www.oceg.org/grc-capability-model-red-book/

(*I am in no way affiliated with OCEG or any of its subsidiaries)

Information Security

Information security is about ensuring the confidentiality, integrity and availability of information assets. Even if you are not a very technical person, understanding the fundamentals and core concepts of this discipline is an absolute necessity to enter the GRC space.

ISO/IEC 27000:2018 provides a great introduction to this field, explaining basic terms and concepts. Unlike many other ISO standards, this one is available for FREE.
You can access ISO/IEC 27000:2018 for free via the following link.

https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

Risk Management

When it comes to risk management, there are two publications that I consider a must-read. They are both published by NIST, the National Institute of Standards and Technology, an agency of the United States Department of Commerce.

NIST SP 800-30 | Guide for Conducting Risk Assessments

This publication explains in detail how to conduct risk assessments at the organization, mission, and system levels. It combines the theoretical background with practical guidance for real-world assessments in a clear and precise way.

You can access NIST SP 800-30 for free via the following link. https://csrc.nist.gov/pubs/sp/800/30/r1/final

NIST SP 800-37 | Risk Management Framework

The NIST Risk Management Framework (RMF) presents a comprehensive, flexible, and robust process aimed at integrating security, privacy, and risk management activities into the technology life cycle. This publication will help you better understand how risk management integrates with other activities.
You can access NIST SP 800-37 for free via the following link. https://csrc.nist.gov/pubs/sp/800/37/r2/final

Here is another article of mine about the NIST-RMF.

Where to go from here?

When I started this article I wanted to include at least another 10 publications. But I don’t think that’s really helpful for those getting started right now. GRC is a vast field. There is a lot to learn, maybe even too much to learn. So I think it’s best to focus on just a few aspects in the beginning before delving deeper or discovering a new subdomain.

If you have a hunger for knowledge, here is some more to read.
📕 NIST SP 800-100 Information Security
- Publisher: NIST
- Availability: FREE

📕 CISM All-in-One Guide
- Publisher: McGraw Hill
- Availability: PAID

📕 NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- Publisher: NIST
- Availability: FREE

📕 PCI DSS 4.0
- Publisher: PCI Council
- Availability: FREE

📕 COBIT 2019 Methodology
- Publisher: ISACA
- Availability: FREE

📕 COBIT 2019 Governance and Management Objectives
- Publisher: ISACA
- Availability: PAID

📕 CISA All-in-One Study Guide
- Publisher: McGraw Hill
- Availability: PAID

📕 IT Audit Framework (ITAF)
- Publisher: ISACA
- Availability: FREE

A broad selection of courses

Take one of our GRC courses and build impactful skills to advance your career.
