DakWillis/Hands-On-GRC-Starter-Checklist-

Hands-On GRC Starter Checklist (v1)

A practical, lightweight checklist to build real, defensible GRC experience without overcomplicating it.

This repo is designed to help you produce portfolio-ready artifacts:

  • Environment profile
  • Asset inventory
  • Risk register
  • Risk → control mapping (ISO 27001 or NIST)
  • Evidence plan
  • Risk decisions
  • Reflection notes (interview gold)

Goal: Execute GRC, not just study it.


Who this is for

  • People pivoting into Cyber GRC / Compliance / Risk
  • IT professionals who want to translate daily work into GRC artifacts
  • Students who want a repeatable mini-project they can publish

What you’ll produce (deliverables)

  1. Environment Profile (fictional or familiar org)
  2. Asset Inventory (10–15 assets)
  3. Risk Register (5–8 risks)
  4. Risk → Control Mapping (1–2 controls per risk)
  5. Evidence Plan (what an auditor would ask for)
  6. Risk Decisions (accept/mitigate/transfer/avoid)
  7. Reflection (assumptions, challenges, audit questions)

Time estimate (realistic)

  • Step 1: 30–45 min
  • Step 2: 45 min
  • Step 3: 45–60 min
  • Step 4: 45 min
  • Step 5: 30 min
  • Step 6: 20 min
  • Step 7 (optional): 10–15 min

⏱ Total: ~3.5–4.5 hours
(You can also split it across 2 days.)


Quick Start

  1. Read docs/quickstart.md
  2. Copy all files in /templates into a new folder named: my-submission/ (or your org name)
  3. Fill them out using your chosen environment
  4. (Optional) Publish your filled artifacts in a separate repo for your portfolio

Choose your framework

Pick one:

  • ISO/IEC 27001 (great for policy + ISMS thinking)
  • NIST CSF or NIST 800-53 (great for US-oriented environments)

Your mapping only needs to be logical, not perfect.


Folder guide

  • /templates → blank templates to fill
  • /examples → fully filled sample outputs
  • /docs → quickstart + FAQ

Next versions (planned)

  • v2: SSP mini-section
  • v3: Vendor risk assessment
  • v4: Audit walkthrough simulation

License

See LICENSE.

Disclaimer

See DISCLAIMER.md.

About

Hands-on GRC starter kit with templates + filled examples for building an environment profile, asset inventory, risk register, ISO/NIST control mapping, evidence plans, and risk decisions—portfolio-ready and safe for public sharing.