A focused course, tailored for you
Cyber GRC Assurance Mapping for Advisory Practices
Build the client-ready control evidence pack that satisfies regulators, not just the internal audit team.
A cyber GRC senior manager at an advisory firm carries a specific burden: clients arrive with ISO certifications, internal audit reports, and control registers they believe are comprehensive - and then a regulator asks for something the client's ISMS never produced. The gap is not a controls gap. It is an assurance translation gap. Closing it requires a methodology, not improvisation.
$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
Cyber GRC advisory engagements reliably hit the same wall. The client has a mature internal programme - ISO 27001 certified, NIST CSF aligned, regular internal audit cadence. The regulator (FCA, PRA, NIS2 competent authority, DORA oversight body) examines the evidence pack and issues a finding. The finding is not that controls are absent. The finding is that the evidence does not speak the right language: the scope narrative is written for auditors, not regulators; the residual risk sign-off is verbal, not documented; the control objective maps to a standard clause but not to the specific regulatory outcome. The advisory manager is then responsible for a rapid remediation that was never scoped into the engagement. This course turns that remediation into a repeatable methodology.
The 12 modules
Module 1. The Assurance Translation Problem
Why client control estates that satisfy internal audit consistently fail regulatory examination: the three structural mismatches between ISMS documentation and regulator evidence expectations. This module maps the gap between ISO 27001 clause language, NIST CSF function language, and the specific artefact vocabulary used by FCA, PRA, NIS2 competent authorities, and DORA oversight bodies. Participants leave with a diagnostic checklist that identifies translation gaps in any existing client control pack.
Module 2. Regulatory Evidence Architecture
How each major regulatory regime structures its evidence expectations: FCA's risk appetite statement linkage, PRA's senior manager accountability chain, NIS2's essential service obligation evidence, DORA ICT risk framework documentation requirements. The module builds a regime-by-regime evidence architecture map that advisory teams use to pre-scope engagements before the first client document is reviewed. Each architecture is a template, not a theory.
Module 3. ISO 27001 to NIS2 Assurance Bridge
The practical methodology for taking a client's certified ISO 27001 ISMS and producing NIS2 Article 21 measure evidence without duplicating the control programme. This module covers scope boundary definition, the ISMS statement of applicability as a NIS2 measure inventory, and the three artefact types NIS2 competent authorities most frequently request that ISO 27001 audits do not produce: incident response rehearsal records, supply chain security evidence, and multi-factor authentication policy documentation at the right specificity level.
Module 4. NIST CSF to DORA Operational Resilience Translation
DORA's ICT risk management framework maps partially but not cleanly onto NIST CSF. This module works through the gap analysis methodology: identifying which NIST CSF subcategories produce DORA-compliant evidence as-is, which require reformatting, and which have no NIST CSF equivalent and must be built from scratch. The output is a client-deliverable gap analysis template pre-populated with the most common findings from DORA readiness assessments, ready for advisory team customisation.
Module 5. Scope Narratives That Survive Regulatory Review
The scope narrative is the document regulators read first and return to most often during examination. This module covers the structural difference between an ISMS scope statement (written for auditors) and a regulatory scope narrative (written for a competent authority reviewer who must assess whether the right systems and processes are covered). Participants draft two scope narratives for a model client: one ISO 27001 style, one NIS2 submission style, then mark up the differences as a reusable translation guide.
Module 6. Residual Risk Sign-Off Documentation
Regulators require documented residual risk acceptance by an accountable senior manager. Internal audit processes often capture this verbally or in meeting minutes. This module builds the formal residual risk register entry format, the risk acceptance statement template with the required accountability linkage (SMCR senior manager function, NIS2 management body obligation, DORA ICT risk owner), and the escalation pathway documentation that demonstrates the sign-off reached the right level. The template produced is immediately deployable on client engagements.
Module 7. Board Risk Reporting That Satisfies Dual Audiences
A board risk report written for the audit committee reads differently from the same report written for regulatory submission. This module covers the structural adaptation: how to produce a single underlying analysis that generates both a board-facing narrative (strategic framing, key metrics, recommended decisions) and a regulator-facing evidence document (control implementation status, residual risk quantification, remediation timeline). Participants produce a dual-format report template for a model cyber GRC engagement.
Module 8. Supply Chain and Third-Party Evidence Packs
NIS2, DORA, and FCA operational resilience rules all require evidence of third-party and supply chain risk management that client ISMS programmes often handle at a summary level. This module covers the specific evidence types each regime requires: DORA's ICT third-party register, NIS2 supply chain security measures under Article 21(2)(d), FCA operational resilience impact tolerance testing for outsourced services. The module builds a third-party evidence assembly workflow that advisory teams can deploy as a standalone engagement workstream.
Module 9. Incident Response Evidence for Regulatory Examination
Regulators examining cyber resilience ask for incident response evidence that most ISMS programmes do not structure for external review: actual incident records with detection-to-response timelines, tabletop exercise records with named participants and scenario descriptions, and post-incident review reports that link findings to control improvements. This module builds the incident evidence pack template that satisfies both ISO 27001 clause 9.1 monitoring requirements and NIS2/DORA incident reporting obligations, with worked examples at the right level of specificity.
Module 10. Regulatory Examination Preparation Sessions
Running a client through examination preparation requires a structured methodology: identifying the examiner's likely document request list, rehearsing the CISO and senior manager accountability lines, and stress-testing the scope narrative against the hardest questions. This module provides the examination preparation session agenda, the document request simulation exercise, and the accountability rehearsal framework. Participants run a full mock examination preparation session and debrief using the structured review checklist.
Module 11. Cross-Framework Mapping Maintenance
Regulatory regimes update. ISO standards release new versions. NIST CSF 2.0 added governance and supply chain functions not present in 1.1. DORA's technical standards are still being finalised. This module builds the cross-framework mapping maintenance workflow: how to structure the client's control register so regulatory mapping updates require a targeted process rather than a full reassessment. The output is a versioned mapping register template with a change-tracking column set that advisory teams can hand over to client GRC functions.
Module 12. The Repeatable Engagement Methodology
Assembling the full engagement methodology: a scoping checklist, a document request template, an assurance gap analysis template, a residual risk sign-off pack, a board report dual-format template, and an examination preparation session agenda. This module packages all twelve modules' outputs into a single engagement playbook that advisory teams can deploy from the first client call. Participants complete the playbook for a model engagement and review it against the quality bar a senior partner would apply before client delivery.
How this addresses your situation
Specific modules that map to what you said you are dealing with.
Client hands over ISO cert before NIS2 submission deadline: use modules 3 and 5 to build the assurance bridge and scope narrative in sequence.
DORA readiness assessment for a financial institution with existing NIST CSF programme: start with module 4 gap analysis, then module 6 for residual risk sign-off documentation.
FCA supervision review preparation with 6 weeks' notice: modules 10 and 7 provide the examination preparation session structure and the dual-format board report.
New engagement scoping where client's third-party risk evidence is known to be thin: modules 8 and 9 deliver the supply chain evidence pack and incident response documentation workstreams.
Who it is for
Cyber security senior managers and directors in advisory practices who lead GRC client engagements. They are accountable for client deliverables that must satisfy both internal audit and external regulatory review. They manage teams of analysts and consultants, coordinate with client CISO offices and legal counsel, and present findings to risk committees and boards. They are not learning GRC from scratch - they are learning to systematise the assurance translation work that currently relies on senior judgement.
Who this is NOT for. Entry-level GRC analysts who have not yet led a client engagement. Internal GRC managers without client-advisory responsibilities. Practitioners working exclusively in one regulatory regime who have no cross-framework translation requirement.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. 10-14 hours total across 12 modules. Each module is a self-contained written session with a template completion exercise. No synchronous sessions required.
FAQ
Is this course relevant outside the UK and EU regulatory context?
The methodology is regime-agnostic. The worked examples use UK FCA, EU NIS2, and EU DORA because those are the regimes most frequently encountered in cross-border GRC advisory. The assurance translation approach applies to any jurisdiction where a client holds an ISO or NIST certification and must satisfy a separate regulatory evidence requirement.
How current is the DORA content given the technical standards are still being finalised?
The course covers the DORA Level 1 regulation requirements and the published RTS drafts. The cross-framework mapping maintenance module (module 11) specifically addresses how to keep client registers current as technical standards are finalised. The implementation playbook delivered alongside course access includes the current RTS status at the time of your enrolment.
Can the templates be used directly with clients or do they need to be adapted?
The templates are structured for adaptation, not direct hand-off. Each template includes a customisation guide that identifies the fields requiring client-specific input. The engagement playbook from module 12 includes a template customisation checklist as part of the scoping process.