Learning Track · 15 modules

GRC, ISO 27001 & SOC 2

Governance, risk, compliance. ISO 27001, SOC 2, vendor risk, internal audits.

Why this track

This track walks you from fundamentals through advanced techniques across 15 practitioner modules — the same body of knowledge senior security professionals build over years, structured for self-paced progression with India-specific context throughout.

Prerequisite: See module 1 for entry context. Most modules are self-contained but follow the suggested sequence for best results.
Modules: 15
Total time: 11.6 h
Free modules: 15
Quiz retries
Difficulty mix: Beginner · 3, Intermediate · 10, Advanced · 2

Module sequence

M1
Security Policy Architecture — A Working Hierarchy
The four-tier policy hierarchy (charter, policies, standards, procedures), the minimum 17-policy set for Indian mid-market organisations, how to write policies people actually follow, exception management, and the realistic review cadence.
Beginner 60 min
M1
GRC Fundamentals
Governance, risk, compliance — the operating loop, frameworks, board reporting, common program failures.
Beginner 60 min
M2
ISO 27001:2022 Implementation
Required documents, the SoA, 2022 control structure, implementation timeline, common gaps for Indian implementations.
Intermediate 90 min
M3
SOC 2 for Indian SaaS
Type 1 vs 2, Trust Services Criteria, audit lifecycle, critical controls, choosing an auditor, India-specific gotchas.
Intermediate 90 min
M4
Third-Party Risk Management
Vendor classification, assessment workflow, contractual provisions, continuous monitoring, India-specific regulations.
Advanced 120 min
M5
Internal Audit Programme
Independence, audit lifecycle, sampling, common audit areas, severity calibration, follow-through metrics.
Advanced 120 min
M6
ISO 27001:2022 Implementation
ISO 27001:2022 is the global infosec standard. Indian SaaS that sells to enterprise customers needs it. The ISMS lifecycle: Define scope (which systems, departments, locations); Risk assessment (assets, threats, vulnerabilities, risk treatment); Statement of Applicability (SoA) — which Annex A controls apply; Implement controls; Internal audit; Management review; External audit (Stage 1 + Stage 2) […]
Intermediate 25 min
M7
SOC 2 Type II — Indian SaaS Reality
SOC 2 isn’t a certification — it’s an attestation. CPA opines on your controls. Indian SaaS selling to US customers will have it requested. Trust Services Criteria (TSC): Security — required; Availability — for SLA-bound services; Confidentiality — when handling sensitive customer data; Processing Integrity — for transaction processors; Privacy — when handling PII. Most […]
Intermediate 20 min
M8
Policy Architecture
Most security policies are written, ignored, retrieved only for audits. The structure that actually drives behaviour: three layers. Policy — what we believe (high level, stable, board-approved); Standard — how we comply (specific, technical, refreshed annually); Procedure — step-by-step (operational, refreshed as systems change). Hierarchy example: Information Security Policy (the umbrella) ↳ Access Control Standard […]
Intermediate 15 min
M9
Enterprise Risk Register
Risk register = single source of truth for organisational security risks. Too often a spreadsheet that nobody reads. Done right, drives quarterly executive conversation. Risk record fields: Risk description; Likelihood (1-5); Impact (1-5); Inherent score; Existing controls; Residual likelihood + impact; Residual score; Owner; Treatment (accept / mitigate / transfer / avoid); Action items + […]
Intermediate 15 min
M10
Vendor Risk Management Programme
Module 7 (DPDP track) covered DPA-specific. This is the broader vendor-risk programme. Programme components: Vendor classification (tier 1/2/3 by data sensitivity, criticality); Onboarding due diligence (questionnaire, contracts, SOC 2/ISO collection); Continuous monitoring; Periodic reassessment (annual for tier 1; biannual for tier 2); Offboarding (data return / deletion). The classification matrix (columns: Tier / Criteria / Treatment): 1 / Handles […]
Intermediate 20 min
M12
Security Awareness Training
Annual click-through training is theatre. Modern awareness is continuous, simulated, measured. The programme: Onboarding — security 101 within first week; Quarterly refresh — short, role-specific; Phishing simulation — monthly; Just-in-time — real incident → relevant training; Specialised tracks — engineers, finance, executives have role-specific content. Tools: KnowBe4 — most-used, large content library; Cofense — phishing-focused […]
Beginner 15 min
M13
GRC Metrics for Executives
Operational SOC metrics (Module 13 Blue Team) inform analysts. Executive metrics inform decision-making. Executive metrics: Risk trend — total risk score, top-5 risks, treatment status; Control coverage — % of controls implemented + tested; Audit results — findings count by severity, time-to-remediation; Vendor risk — % of tier-1 vendors with current SOC 2/ISO; Incident metrics […]
Intermediate 15 min
M14
Reporting Security to the Board
Board members aren’t security experts. They are fiduciaries who need to discharge oversight responsibility. What boards want to know: What’s our risk posture? How does it compare to peers? What’s our biggest exposure? Are we investing the right amount? What incidents have happened? What’s coming up regulatorily? The 15-minute briefing: Heat-map of top risks (1 […]
Intermediate 15 min
M15
Regulatory Tracking Process
Indian + international regulations evolve constantly. Missing a notification = compliance failure. Establish process for tracking. Sources to monitor: MeitY — DPDP, IT Act amendments; RBI — for financial services; SEBI — for capital markets; IRDAI — for insurance; CERT-In — directions, advisories; NCIIPC — for critical infrastructure; TRAI / DoT — telecom; International — […]
Intermediate 15 min

Common questions about this track

How long will this track take me?

Most learners finish in 4-8 weeks at a sustainable 4-5 hours per week. Modules are self-paced so you can move faster or slower as life allows.

Do I need prior experience?

Module 1 sets the entry baseline. The first module is always free; if it feels approachable, the track is for you.

Will this prepare me for industry certifications?

Most modules align with the body of knowledge tested by senior security certifications. The Academy is not a cert-prep course but produces working knowledge that transfers to any cert exam in the same domain.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
