
IRM Platform Controls Implementation

$199.00

A focused course, tailored for you

Build scoped certifications that your customers' compliance teams can actually audit, with every control mapped to the regulation it covers.

You configure the platform perfectly. Scoped certifications go live, evidence fields are mapped, attestation workflows fire on schedule. Then the customer's internal auditor asks which regulatory clause a specific control traces to, and the answer is not in the platform. That moment is the gap this course closes.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

IRM platform implementations typically deliver working software. The scoped certification runs, the dashboard is green, and the customer signs off on go-live. What surfaces three months later is a different problem: the compliance team, the external auditor, or the regulator asks for traceability. They want to see which control maps to which clause in which framework, what evidence was collected for it, and how the scoped certification was structured to reflect the actual regulatory scope. That question cannot be answered by pointing at a configured platform. It requires framework depth: knowing what ISO 27001 Annex A actually says, what a SOC 2 CC control category covers, how NIST 800-53 control families translate to platform scoped certification structure. Implementers who carry that depth win the advisory relationship after go-live. Those who do not get replaced by consultants who do.

What you walk away with

  • Map controls in a scoped certification to the specific regulatory clauses they satisfy, with traceability an auditor can follow.
  • Structure a scoped certification for ISO 27001, SOC 2, NIST 800-53, or a custom framework using the correct control family logic for each.
  • Write control evidence documentation that passes an external audit review, not just an internal sign-off.
  • Explain to a customer's compliance team why a control is in scope, what the evidence requirement is, and what a gap finding would look like.
  • Identify the three most common scoped-certification configuration errors that produce audit findings after go-live.
  • Deliver a post-go-live advisory session on compliance posture without referring back to the platform vendor.

The 12 modules

Module 1. What an Auditor Actually Reads in a Scoped Certification
Before configuring anything, understand what the customer's internal auditor and external reviewer look for when they open a scoped certification. This module works through a real audit review: which fields they interrogate, which control descriptions they flag as insufficient, and what a clean traceability chain looks like from a requirement in a framework standard to an evidence artefact in the platform.
Module 2. Framework Structure 101: Clauses, Control Families, and Annexes
ISO 27001 Annex A, SOC 2 TSC categories, NIST 800-53 control families, and CIS Controls are structured differently. Each has a different unit of obligation: clause, control, sub-control, criterion. This module maps those structural differences onto the IRM platform's scoped certification model so you can configure scoped certifications that reflect the actual framework hierarchy rather than a flattened list of requirements.
Module 3. Building the Control-to-Clause Mapping Artefact
The control-to-clause mapping is the document that answers the auditor's traceability question. This module walks through building one from scratch: selecting the framework scope, extracting the applicable clauses, mapping each platform control to one or more clauses, and documenting the rationale. The output is a two-page reference document the customer's compliance team can use independently of the platform.
Module 4. Scoped Certification Configuration for ISO 27001
ISO 27001 scoped certifications require the platform to reflect the statement of applicability logic: which Annex A controls apply, which are excluded, and why. This module covers how to configure the scoped certification to match the customer's SOA, how to flag exclusions with documented rationale, and how to structure the control descriptions so that the certification body can map them back to the Annex A reference without additional explanation.
Module 5. Scoped Certification Configuration for SOC 2
SOC 2 scoped certifications are structured around the Trust Services Criteria categories: Security, Availability, Processing Integrity, Confidentiality, Privacy. This module covers how to align platform scoped certification structure with TSC categories, how to configure the evidence collection workflow to capture the artefacts a SOC 2 Type II auditor requires for each criterion, and how to handle the common overlap between CC6 and CC7 in access management controls.
Module 6. Evidence Documentation That Moves an Audit Forward
Evidence fields in a platform are only as useful as the documentation stored in them. This module covers the difference between evidence that satisfies an auditor and evidence that generates a finding: the specificity of the artefact description, the date range it covers, the version of the policy it references, and the attestation chain from the control owner to the certification approver. Includes a template for per-control evidence statements that auditors accept on first review.
Module 7. NIST 800-53 Control Families in a Platform Scoped Certification
NIST 800-53 is structured in 20 control families (AC, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SC, SI, SR, and the program management family). Mapping these to a scoped certification requires understanding the control baseline logic: low, moderate, high. This module covers how to configure the scoped certification to reflect the correct baseline for the customer's system categorisation and how to handle control enhancements that add audit requirements.
Module 8. Common Scoped-Certification Errors That Produce Post-Go-Live Findings
Three configuration errors produce the majority of audit findings after a scoped certification goes live: control descriptions that reference the platform workflow instead of the regulatory obligation, evidence artefacts that are populated but not dated or versioned, and scoped certifications that include controls outside the agreed scope boundary. This module walks through each error pattern, how it is typically caught in an audit, and the configuration correction that prevents it.
Module 9. Handling Multi-Framework Scoped Certifications
Customers with obligations under both ISO 27001 and SOC 2, or both NIST 800-53 and CIS Controls, need a scoped certification structure that maps shared controls to both frameworks without duplicating evidence collection. This module covers the shared-control identification method, how to configure a single control to satisfy obligations under two frameworks simultaneously, and how to document the cross-mapping for the auditor who reviews only one framework at a time.
Module 10. The Post-Go-Live Advisory Conversation
After the platform is live, the customer's compliance team will ask questions that are not answered by platform documentation. This module prepares you for the six most common post-go-live compliance advisory questions: gap assessment against a new framework version, control testing frequency requirements, handling a finding that requires a control change, preparing for a recertification cycle, explaining a control failure to an audit committee, and scoping a new system into an existing certification.
Module 11. Writing the Scoped Certification Narrative for an Audit Package
When a customer prepares an audit package, the scoped certification is accompanied by a narrative that explains scope boundaries, methodology, and the framework version the certification was built against. This module covers how to write that narrative so it stands on its own, how to reference the platform configuration without creating dependence on a platform-specific reader, and how to structure the appendices so the auditor can move through the package without additional briefing.
Module 12. Building Your Framework Advisory Capability
The final module covers how to position framework-depth advisory as a distinct capability in your client engagements: how to scope a framework advisory engagement alongside a platform implementation, how to price it separately from configuration work, how to deliver a framework health check that a customer's compliance team commissions independently, and how to maintain currency with framework updates so your advice does not become outdated between engagements.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Customer's compliance lead asks which clause a control traces to during a post-go-live review -> Modules 1, 3, 6
New customer wants ISO 27001 scoped certification that passes a Stage 2 audit -> Modules 2, 4, 6, 11
Existing customer with SOC 2 and ISO 27001 obligations wants a single scoped certification -> Modules 5, 9
Audit finding after go-live traces to a configuration error in the scoped certification -> Module 8, then Modules 3-6 for remediation

What you get with this course

  • Twelve written modules covering framework structure, scoped certification configuration, evidence documentation, and post-go-live advisory
  • Downloadable control-to-clause mapping template (ISO 27001, SOC 2, NIST 800-53, CIS Controls)
  • Downloadable per-control evidence statement template accepted by external auditors
  • Scoped certification narrative template for audit packages
  • Multi-framework shared-control mapping worksheet
  • Hand-built implementation playbook tailored to your specific client engagement context, delivered alongside course access

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

A customer's auditor opens the scoped certification and asks a traceability question you cannot answer from the platform configuration. The implementation is solid. The advisory relationship is not.

After

You open any scoped certification, trace any control to its regulatory clause, produce the evidence documentation the auditor needs, and deliver the post-go-live advisory conversation from framework depth rather than platform familiarity.

What happens if you do not address this

Platform implementation skills are table stakes. The advisory relationships that drive renewals, expansions, and referrals belong to practitioners who can answer the compliance question behind the platform question. Without framework depth, the ceiling is configuration work. With it, the ceiling is the compliance programme itself.

Who it is for

You implement or advise on IRM/GRC platform deployments for enterprise customers. You are technically fluent with workflow configuration, scoped certifications, and integration with ITSM. The next level of your work, the advisory relationship that generates ongoing client trust, requires you to speak the compliance-framework language as fluently as you speak the platform language. This course bridges that gap.

Who this is NOT for. Platform administrators focused purely on technical configuration with no client-facing responsibility. Compliance officers who own the frameworks but not the platform. Anyone looking for a platform administration manual rather than framework-depth advisory skills.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Twelve modules, each 20-30 minutes of reading and template work. Full course completable in three focused sessions. Implementation playbook is hands-on during live client engagements.

Why $199 is the right number

Platform vendor documentation covers configuration. Framework body publications cover the standards. Neither covers the intersection: how to configure a platform scoped certification so it satisfies the framework obligation it is meant to represent. That intersection is what this course covers.

FAQ

Do I need to be an IRM platform administrator to take this course?
No. The course assumes you can navigate a GRC/IRM platform but focuses on framework depth and scoped certification logic rather than platform-specific configuration steps. The skills apply across IRM platforms because they are grounded in the regulatory frameworks, not in any specific product.
Which compliance frameworks does the course cover?
The course covers ISO 27001 Annex A, SOC 2 Trust Services Criteria, NIST 800-53 control families, and CIS Controls. Multi-framework scoped certifications that span two or more of these are covered in Module 9. The mapping methodology taught in Module 3 applies to any framework with a structured control library.
Is this relevant if my customers are in a specific regulated industry?
Yes. The framework depth taught in this course underpins the compliance obligations in financial services, healthcare, government, and technology. The scoped certification methodology is the same regardless of industry; what changes is which framework clauses apply to your customer's scope.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
