GRC (Audit, Risk, Compliance)
Governance, risk and compliance. Policy, audit, evidence, frameworks. Biased toward CISA / CRISC / CISM, NOT toward OSCP.
Phased progression
Foundations → first role → specialisation → advanced. The realistic order, not a script.
- 01 Foundations (0–6 months): Literacy, lab habits, the cert that opens first conversations. ISO 27001 Lead Implementer.
- 02 First paid role (6–18 months): Land a GRC Analyst. Operational time, not more certs, earns the next move. GRC Analyst, $70–130k entry.
- 03 Specialisation (1.5–3 years): Add a specialist credential aligned to the work you're already doing. CRISC, CGRC; $130–180k senior.
- 04 Advanced (3+ years): Move into adjacent roles. Long-term credentials become worth their cost. Compliance Specialist, CISSP; $130–180k senior.
Certification sequence
Ordered by realistic relevance, not vendor marketing.
Practical projects
What to actually build, the portfolio that opens interviews.
- Map ISO 27001 controls to a real product
- Author a risk register with quantified risks
- Run a tabletop exercise and write the after-action
- Internal audit → security audit pivot
- PM → security PM → GRC
Realistic expectations
What no recruiter will tell you.
The usual assumption is that stacking certifications shortcuts the timeline. It doesn't. Operational time and a public portfolio are what compress the path.
12–24 months is the realistic time to the first role on this route. Most people overshoot by 6–12 months. Plan for it; don't panic when it happens.