
Governance, Risk & Compliance

Body of Knowledge

| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| Risk Assessment | Risk identification, analysis, evaluation, risk registers, risk appetite, risk treatment options, residual risk acceptance. | Critical | GRC Analyst, Security Manager, Security Architect |
| Security Frameworks (NIST CSF) | NIST Cybersecurity Framework, five functions (Identify, Protect, Detect, Respond, Recover), maturity assessment, gap analysis. | Critical | GRC Analyst, Security Architect, Security Manager |
| NIST 800-53 | Security and privacy controls catalog, control families, tailoring, baselines (Low/Moderate/High), FedRAMP alignment. | High | GRC Analyst, Security Engineer (Federal) |
| ISO 27001/27002 | Information security management system (ISMS), Annex A controls, certification process, continuous improvement. | High | GRC Analyst, Security Manager |
| SOC 2 Type II | Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy), audit readiness, evidence collection. | High | GRC Analyst, Security Engineer |
| PCI-DSS | Payment card industry standard, 12 requirements, scope reduction, compensating controls, SAQ vs ROC. | High | GRC Analyst, Security Engineer |
| HIPAA/HITECH | Healthcare data protection, PHI safeguards, administrative/physical/technical controls, breach notification, BAAs. | High | GRC Analyst, Healthcare Security Engineer |
| GDPR/Privacy | Data protection regulation, data subject rights, lawful basis, DPIAs, privacy by design, cross-border transfers. | High | Privacy Engineer, GRC Analyst |
| Security Policies | Policy development, standards, procedures, guidelines, policy lifecycle, enforcement, exceptions management. | Critical | GRC Analyst, Security Manager |
| Business Continuity (BCP/DRP) | Business impact analysis, recovery objectives (RTO/RPO), disaster recovery planning, testing, crisis communication. | High | GRC Analyst, Security Manager, SRE |
| Audit and Assessment | Internal audits, external audits, control testing, audit evidence, findings management, remediation tracking. | High | GRC Analyst, Internal Auditor |
| Third-Party Risk Management | Vendor assessment, due diligence, security questionnaires, contract security requirements, ongoing monitoring. | High | GRC Analyst, Vendor Management |

Personal Status

| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| No personal status recorded | — | — | — | — |