
Security & Governance · 90 days · 2-3 hours/day · updated 2026-06-01

GRCOps 90-Day Learning Path

Build GRCOps expertise in 90 days: risk registers, NIST RMF, ISO 27001 controls, audit trails, and automated governance pipelines. Turn GRC from a checkbox into a continuous signal.

What GRCOps means

GRCOps applies operational engineering thinking to Governance, Risk, and Compliance. It treats risk registers as living databases, control frameworks as code, and audit evidence as automated artifacts. Practitioners build systems that continuously surface risk posture to leadership and reduce the manual burden of compliance cycles, enabling faster and safer business decisions.

Who should follow this path

  • Risk and compliance analysts moving toward automation
  • Security engineers building GRC automation platforms
  • CISOs and security leaders designing governance frameworks
  • Internal auditors modernizing their toolchain
  • DevOps engineers at organizations with heavy regulatory burden

Prerequisites

  • Familiarity with at least one compliance framework (SOC2, ISO 27001, or NIST)
  • Basic understanding of information security concepts
  • Spreadsheet and documentation skills
  • Some exposure to cloud platforms
  • Understanding of business risk and impact concepts

The 90-day plan

Daily study recommendation: 2-3 hours/day, six days a week. Consistency beats intensity — block the time in your calendar like a meeting.

Days 1–15: Foundation

  • GRC fundamentals: governance, risk, and compliance defined
  • Risk management lifecycle (identify, assess, treat, monitor)
  • NIST Risk Management Framework (RMF) overview
  • ISO 27001 control domains
  • Control frameworks: COBIT, CIS, SOC2 Trust Services

Outcome: Navigate major GRC frameworks and articulate how risk management connects to control selection.

Days 16–30: Core concepts

  • Risk register design and tooling
  • Qualitative and quantitative risk assessment methods
  • Threat modeling for business risk (FAIR framework)
  • Risk appetite and tolerance definition
  • Risk treatment options: accept, mitigate, transfer, avoid

Outcome: Build and maintain a risk register with quantified risk scores and treatment plans.

Days 31–45: Tools and workflows

  • GRC platform tools: ServiceNow GRC, Archer, and LogicGate
  • Policy management lifecycle
  • Exception management workflows
  • Third-party risk management programs
  • Audit evidence collection and management

Outcome: Configure a GRC platform to manage policies, risks, and exceptions with automated evidence workflows.

Days 46–60: Hands-on projects

  • Control testing methodologies
  • Continuous control monitoring (CCM) design
  • Integrating GRC signals into dashboards
  • Regulatory change management process
  • Data governance alignment with GRC programs

Outcome: Design a continuous control monitoring architecture that feeds real-time risk posture dashboards.

Days 61–75: Advanced practices

  • Audit management: planning, fieldwork, reporting
  • Finding remediation tracking and SLA management
  • Board and executive risk reporting
  • Integrating GRC metrics into engineering OKRs
  • Supply chain and vendor risk in GRC programs

Outcome: Manage a complete audit cycle and produce executive-level risk reporting artifacts.

Days 76–90: Portfolio, interview & certification prep

  • Building a GRCOps automation portfolio project
  • CRISC and CISM exam preparation
  • GRC interview questions and scenarios
  • Metrics: risk closure rates, control effectiveness, audit findings
  • Emerging GRC topics: AI governance and ESG risk

Outcome: Deliver a GRCOps automation project and be ready for GRC engineer and risk manager interviews.

Weekly outcomes at a glance

Phase        Outcome
Days 1–15    Navigate major GRC frameworks and articulate how risk management connects to control selection.
Days 16–30   Build and maintain a risk register with quantified risk scores and treatment plans.
Days 31–45   Configure a GRC platform to manage policies, risks, and exceptions with automated evidence workflows.
Days 46–60   Design a continuous control monitoring architecture that feeds real-time risk posture dashboards.
Days 61–75   Manage a complete audit cycle and produce executive-level risk reporting artifacts.
Days 76–90   Deliver a GRCOps automation project and be ready for GRC engineer and risk manager interviews.

Tools to learn

  • ServiceNow GRC
  • Archer (RSA)
  • LogicGate
  • Drata
  • Vanta
  • AWS Config
  • Jira (risk tracking)
  • Confluence (policy management)
  • Tableau (risk dashboards)
  • FAIR Institute tools

Labs to practice

Mini projects

  • Build a risk register in Jira with automated risk scoring and treatment tracking workflows
  • Create a continuous control monitoring dashboard pulling data from AWS Config and Security Hub
  • Develop an ISO 27001 gap assessment report with automated evidence collection scripts

Interview questions to prepare

  1. What is the FAIR risk model and how does it enable quantitative risk assessment?
  2. How do you build a risk register that stays current rather than becoming stale?
  3. Explain the NIST Risk Management Framework steps.
  4. What is the difference between a policy, a standard, and a procedure?
  5. How do you measure the effectiveness of security controls?
  6. Describe how you would manage a third-party vendor risk assessment program.
  7. What GRC platform features are most important for automation and why?
  8. How do you communicate risk posture to a non-technical board of directors?

Certification suggestions

  • Certified in Risk and Information Systems Control (CRISC) — ISACA
  • Certified Information Security Manager (CISM) — ISACA
  • ISO 27001 Lead Implementer — PECB
  • Certified Information Systems Auditor (CISA) — ISACA

Browse the full certification registry for exam details and official links.

Free resources

Prefer live, guided training with mentors and certification support? DevOpsSchool.com runs paid instructor-led programs that pair well with this free path.
