# Cyber Academy

> GRC & cybersecurity certification training. Led by Christophe Mazzola (a practicing CISO) alongside a small team of practitioners.
> We train professionals on NIS 2, DORA, AI Act, ISO 27001, ISO 31000, GDPR, and related standards,
> via PECB- and ISACA-accredited courses, self-paced or in live sessions.

**Canonical URL:** https://cyberacademy.net

**Authoritative author:** Christophe Mazzola. Active CISO, author of "Être en Cybersécurité", 20+ certifications. See https://cyberacademy.net/christophe.

**Organization:** Cyber Academy. PECB Gold Partner, ISACA partner. See https://cyberacademy.net/about.

**Full content dump (Markdown, all pillar + encyclopedia pages):** https://cyberacademy.net/llms-full.txt

---

## Reference pages (pillars)

> In-depth, long-form reference on a single regulation or framework. Definition, context, scope, deadlines, sources. Updated regularly.

- [NIS 2: the guide that replaces your legal watch.](https://cyberacademy.net/resources/pillars/nis-2): Everything a CISO, GRC lead or board member needs to operate under NIS 2 in 2026 — scope, ten control measures, incident reporting timing, penalties, and the audit-room reality.
- [DORA: what your RSSI did not tell you.](https://cyberacademy.net/resources/pillars/dora): A practical reading of the Digital Operational Resilience Act for European financial entities and their critical ICT providers. Five pillars, what to do first, the audit-room reality.
- [ISO 27001: Foundation, Lead Implementer, Lead Auditor — which one?](https://cyberacademy.net/resources/pillars/iso-27001-foundation-li-la): A practitioner's decision tree for the ISO 27001 certification levels. Who each one is for, what each exam tests, what the next step buys you, and the canonical pricing in Europe in 2026.
- [AI Act: compliance without the abstraction.](https://cyberacademy.net/resources/pillars/ai-act): A practical reading of the EU AI Act for product, security and compliance teams. Four risk tiers, what high-risk means in operations, the timeline through 2027, and how ISO 42001 fits.
- [Operational resilience: DORA, NIS 2 and ISO 22301 in one place.](https://cyberacademy.net/resources/pillars/operational-resilience-dora-nis-2-iso-22301): How the three frameworks talk to each other, where the obligations overlap, and how to run one resilience programme that satisfies all three audits.
- [GDPR in 2026: what changed since 2018.](https://cyberacademy.net/resources/pillars/gdpr-2026): Where European data-protection law actually stands in 2026. Schrems II and the EU-US DPF, the AI Act interaction, recent CNIL and EDPB enforcement, what to refresh in your privacy programme.
- [EBIOS RM vs ISO 27005: the match.](https://cyberacademy.net/resources/pillars/ebios-rm-vs-iso-27005): A practical comparison of the two reference information-security risk methods. When each one wins, how they map to ISO 27001, and which one your sector and your audit actually expect.
- [The real price of an ISO 27001 Lead Implementer in Europe.](https://cyberacademy.net/resources/pillars/iso-27001-lead-implementer-price-europe): A 2026 benchmark of what ISO 27001 Lead Implementer cohorts actually cost in Europe. Self-paced vs instructor-led, in-house pricing, what the bundle includes, how to negotiate the corporate quote.
- [ISO 31000: Foundation → Risk Manager → Lead Risk Manager.](https://cyberacademy.net/resources/pillars/iso-31000-foundation-risk-manager-lead-risk-manager): The full PECB pathway for enterprise risk management. Why ISO 31000 has no Lead Auditor, who each level fits, how it complements ISO 27005 and EBIOS RM.
- [CISO vs DPO vs RSSI: who does what, really.](https://cyberacademy.net/resources/pillars/ciso-dpo-rssi): The practical boundaries between three roles that organisations confuse. What each one is accountable for, where they overlap, and which certifications signal which role.

## Encyclopedia (glossary)

> Short definitions of GRC and cybersecurity terms. Each entry is self-contained and citable.

- [AI Risk Manager](https://cyberacademy.net/resources/encyclopedia/ai-risk-manager): AI Risk Manager is the credential (PECB / ISACA emerging) for practitioners running AI-specific risk programmes: model risk, bias, drift, transparency, third-party model risk. Operational layer that complements ISO 42001 (system-level) and
- [Advanced in AI Audit](https://cyberacademy.net/resources/encyclopedia/aaia): AAIA is the advanced ISACA credential for auditing AI systems, models and governance. Newer (2024 onwards). Requires existing CISA or equivalent. Built for senior auditors adding AI capability, mapped onto ISO 42001 and the EU AI Act high-r
- [Business Continuity Management](https://cyberacademy.net/resources/encyclopedia/bcm): BCM is the discipline that identifies threats to your critical operations, then designs the plans and procedures to keep them running through disruption. Not a one-off project. The BCM team that delivers under a real incident is the one tha
- [Business Email Compromise](https://cyberacademy.net/resources/encyclopedia/bec): BEC is the targeted social-engineering attack that impersonates an executive or supplier to redirect a payment or trick an employee into approving one. No malware required; pure pretexting. Average loss per incident dwarfs ransomware. Proce
- [Business Impact Analysis](https://cyberacademy.net/resources/encyclopedia/bia): A BIA is the structured analysis that quantifies the impact of disruption on each critical activity over time. Outputs include the recovery time objective, recovery point objective and minimum business continuity objective. Mandatory input
- [CIS Controls](https://cyberacademy.net/resources/encyclopedia/cis-controls): The CIS Critical Security Controls are a prioritised set of 18 control categories published by the Center for Internet Security. Implementation groups (IG1, IG2, IG3) match organisation maturity. The fastest way to take a small or mid-sized
- [COBIT](https://cyberacademy.net/resources/encyclopedia/cobit): COBIT is the ISACA framework for the governance and management of enterprise IT. Current edition is COBIT 2019. The framework the Big Four use to assess IT governance maturity, and the reference for the CGEIT credential. More strategic than IS
- [Certificate of Cloud Auditing Knowledge](https://cyberacademy.net/resources/encyclopedia/ccak): CCAK is the joint ISACA / Cloud Security Alliance credential for cloud auditors. Covers cloud governance, CCM, the STAR programme and hyperscaler-specific audit considerations. The natural extension for a CISA-holder whose scope went cloud-
- [Certified Cybersecurity Operations Analyst](https://cyberacademy.net/resources/encyclopedia/ccoa): CCOA is ISACA's hands-on cybersecurity operations credential, focused on SOC work: monitoring, detection, response, recovery. The technical companion to CISM. Best fit for analysts and incident responders rather than managers or auditors.
- [Certified Data Privacy Solutions Engineer](https://cyberacademy.net/resources/encyclopedia/cdpse): CDPSE is the ISACA technical-privacy credential. Three domains: privacy governance, privacy architecture, data lifecycle. The engineering-side companion to the policy-focused DPO/CDPO credentials. Strong fit for security teams owning privac
- [Certified Information Security Manager](https://cyberacademy.net/resources/encyclopedia/cism): CISM is the ISACA credential for information-security managers: governance, programme management, risk management, incident management. The gold standard for security-leadership roles, asked for in about 60% of CISO postings. Different lens
- [Certified Information Systems Auditor](https://cyberacademy.net/resources/encyclopedia/cisa): CISA is the reference IT-audit credential, awarded by ISACA since 1978. Five domains covering the audit process, governance, acquisition, operations and asset protection. The credential Big Four engagements default to. Recognised globally;
- [Certified in Risk and Information Systems Control](https://cyberacademy.net/resources/encyclopedia/crisc): CRISC is the ISACA risk credential for IT-risk practitioners. Identification, assessment, response, monitoring tied to information systems. Bridges business and IT risk. The natural complement to CISA for auditors moving into risk, and to I
- [Certified in the Governance of Enterprise IT](https://cyberacademy.net/resources/encyclopedia/cgeit): CGEIT is the ISACA credential for senior practitioners advising on the governance of enterprise IT: strategic alignment, value delivery, risk and resource optimisation. Underpinned by COBIT. Smaller market than CISA / CISM, but the right cr
- [Chief Information Security Officer](https://cyberacademy.net/resources/encyclopedia/ciso): The CISO is the executive accountable for the information-security strategy. Owns the risk register, leads incident response, briefs the board, signs off on the residual risk. Under NIS 2 and DORA the accountability is now explicit and pers
- [Commission nationale de l'informatique et des libertés](https://cyberacademy.net/resources/encyclopedia/cnil): The CNIL is the French data-protection authority, founded in 1978. Enforces the GDPR in France, issues binding decisions and fines, publishes guidance (cookies, biometrics, AI), operates the PIA tool. One of the most active supervisory auth
- [Cyber Resilience Act](https://cyberacademy.net/resources/encyclopedia/cra): The Cyber Resilience Act is the EU regulation that imposes baseline security obligations on hardware and software products with digital elements sold in Europe. Vendor obligations through the lifecycle: secure-by-design, vulnerability handl
- [Cybersecurity Maturity Model Certification](https://cyberacademy.net/resources/encyclopedia/cmmc): CMMC is the cybersecurity maturity model the US Department of Defense imposes on its contractors handling federal contract information and controlled unclassified information. CMMC 2.0 collapsed to three levels (Foundational, Advanced, Expe
- [Cybersecurity Practitioner Certification](https://cyberacademy.net/resources/encyclopedia/csx-p): CSX-P is the performance-based ISACA cybersecurity practitioner credential. Tested in a live cyber-range environment across the five NIST CSF functions. Less famous than CISM or CISA, but the rare credential where the exam tests what you ac
- [Data Protection Impact Assessment](https://cyberacademy.net/resources/encyclopedia/dpia): A DPIA is the structured analysis the GDPR requires before high-risk processing. Documents nature, scope, context, purposes; assesses necessity and proportionality; identifies mitigations. The CNIL ships a free PIA tool — use it. Skipping a
- [Data Protection Officer](https://cyberacademy.net/resources/encyclopedia/dpo): The DPO is the GDPR-mandated role that monitors compliance, advises the controller, and acts as the contact point with the supervisory authority. Mandatory for public authorities and for processing that requires large-scale systematic monit
- [Defense in depth](https://cyberacademy.net/resources/encyclopedia/defense-in-depth): Defense in depth is the principle of layering controls so no single failure compromises the system. Network, endpoint, application, data, people, physical — each layer slows the attacker, raises the cost and buys you detection time. Foundat
- [Digital Operational Resilience Act](https://cyberacademy.net/resources/encyclopedia/dora): DORA is the EU regulation that imposes a unified resilience framework on financial entities and their critical ICT providers. Five pillars: ICT risk management, incident reporting, resilience testing including TLPT, third-party ICT risk, in
- [Disaster Recovery](https://cyberacademy.net/resources/encyclopedia/disaster-recovery): Disaster recovery is the IT-focused subset of BCM: restoring infrastructure, applications and data after a disruption. The RPO, RTO and runbooks live here. The DR plan that has never been tested end-to-end is a fiction. ISO 24762 used to co
- [Distributed Denial of Service](https://cyberacademy.net/resources/encyclopedia/ddos): DDoS is the attack that floods a service from many sources to exhaust capacity. Volumetric, protocol or application layer. Mitigation has commoditised (Cloudflare, Akamai, AWS Shield). The risk question is no longer "can we block it" but "a
- [EBIOS Risk Manager](https://cyberacademy.net/resources/encyclopedia/ebios-rm): EBIOS Risk Manager is ANSSI's cyber-risk method, focused on strategic attack scenarios. Maps business processes against attacker objectives, then derives the technical controls. Standard in French public-sector and operators of vital import
- [EU AI Act](https://cyberacademy.net/resources/encyclopedia/ai-act): The EU AI Act is the world's first comprehensive AI regulation. Four risk tiers: unacceptable (banned), high (the heavy obligations and conformity assessment), limited (transparency), minimal. Applies in phases until August 2027. Pair it wi
- [Endpoint Detection and Response](https://cyberacademy.net/resources/encyclopedia/edr): EDR is the agent-based platform that records endpoint activity, detects suspicious behaviour and lets analysts isolate or remediate compromised hosts. XDR extends visibility across endpoints, network and cloud; MDR is the managed-service wr
- [European Union Agency for Cybersecurity](https://cyberacademy.net/resources/encyclopedia/enisa): ENISA is the EU cybersecurity agency, headquartered in Athens. Supports member states and EU institutions on cybersecurity policy, operational cooperation and the EU certification framework. Operationally involved in NIS 2 cooperation, DORA
- [French National Cybersecurity Agency](https://cyberacademy.net/resources/encyclopedia/anssi): ANSSI is the French national cybersecurity agency, reporting to the Prime Minister since 2009. National authority for cybersecurity policy in France, qualifies products and service providers, publishes EBIOS Risk Manager, acts as competent
- [General Data Protection Regulation](https://cyberacademy.net/resources/encyclopedia/gdpr): The GDPR governs personal data in the EU and anywhere serving EU residents. Lawful basis, data-subject rights, accountability, breach notification, supervisory enforcement. The headline fines (20 million euros or 4% of worldwide turnover) g
- [ISO 19011](https://cyberacademy.net/resources/encyclopedia/iso-19011): ISO 19011 is the guidelines standard for auditing management systems. Generic — applies to ISO 27001, 9001, 22301 audits alike. Defines audit principles, programme management, the audit cycle and auditor competence. The Lead Auditor course
- [ISO 22301](https://cyberacademy.net/resources/encyclopedia/iso-22301): ISO 22301 is the international standard for business continuity management systems (BCMS). Specifies the requirements to plan, operate, monitor and improve a BCMS that gets critical operations running again after disruption. Increasingly de
- [ISO 31000](https://cyberacademy.net/resources/encyclopedia/iso-31000): ISO 31000 is the generic risk-management standard. Principles plus framework plus iterative process. NOT a certifiable management system — there is no ISO 31000 Lead Auditor, despite what some catalogues claim. The PECB path is Foundation →
- [ISO/IEC 27001](https://cyberacademy.net/resources/encyclopedia/iso-27001): ISO 27001 is the certifiable framework auditors use to grade your information security. The 2022 revision tightened Annex A down to 93 controls across four themes (organisational, people, physical, technological). Your ISMS lives or dies on
- [ISO/IEC 27002](https://cyberacademy.net/resources/encyclopedia/iso-27002): ISO 27002 is the implementation guidance for ISO 27001's Annex A controls. Not certifiable on its own. Auditors use it when they want to challenge HOW you operate a control, not just whether it is "in place". Treat it as the operational pla
- [ISO/IEC 27005](https://cyberacademy.net/resources/encyclopedia/iso-27005): ISO 27005 is the information-security risk methodology that bolts onto ISO 27001. Identification, analysis, evaluation, treatment, acceptance. The 2022 revision aligns with ISO 31000's principles and clarifies the relationship with ISO 2700
- [ISO/IEC 27017](https://cyberacademy.net/resources/encyclopedia/iso-27017): ISO 27017 is the cloud-security control extension to ISO 27001. Adds cloud-specific controls and clarifies the shared-responsibility split between provider and customer. If your ISMS scope includes hyperscaler workloads (AWS, Azure, GCP, OV
- [ISO/IEC 27018](https://cyberacademy.net/resources/encyclopedia/iso-27018): ISO 27018 is the privacy control extension to ISO 27001 for cloud providers acting as processors of personally identifiable information. Bridges ISO 27001 with GDPR processor obligations. Mostly held by hyperscalers, used by their customers
- [ISO/IEC 27034](https://cyberacademy.net/resources/encyclopedia/iso-27034): ISO 27034 is the application security standard. Multi-part. Covers the secure software lifecycle: requirements, design, build, test, deploy, maintain. Less famous than 27001 because it lives inside the SDLC, but the only ISO standard that s
- [ISO/IEC 27037](https://cyberacademy.net/resources/encyclopedia/iso-27037): ISO 27037 is the digital forensics standard for identifying, collecting, acquiring and preserving digital evidence. The reference an internal forensic team, a CERT or a litigation-support consultant uses to keep chain-of-custody clean. Trea
- [ISO/IEC 27701](https://cyberacademy.net/resources/encyclopedia/iso-27701): ISO 27701 is the privacy-information-management extension to ISO 27001. Adds controller and processor obligations on top of the ISMS. Useful for organisations that want a single certifiable management system covering both security and priva
- [ISO/IEC 42001](https://cyberacademy.net/resources/encyclopedia/iso-42001): ISO 42001 is the first international standard for AI management systems, published end of 2023. The AIMS equivalent of ISO 27001's ISMS. Built for organisations that need to govern AI design, deployment and operation: risk, accountability,
- [Identity and Access Management](https://cyberacademy.net/resources/encyclopedia/iam): IAM is the discipline that manages who can access what, when, how and under which conditions. Provisioning, authentication, authorisation, deprovisioning. Identity is the new perimeter. Every Zero Trust architecture is, at the core, a hard
- [Information Security Management System](https://cyberacademy.net/resources/encyclopedia/isms): An ISMS is the documented system you run to protect information assets — risk-based, evidence-backed, under management review. It is not a binder of policies. Auditors do not grade your policies; they grade your operating evidence. Plan-Do-
- [Information Systems Audit and Control Association](https://cyberacademy.net/resources/encyclopedia/isaca): ISACA is the global association for IT audit, security, risk and governance professionals. Founded 1969, headquartered Schaumburg IL, 165,000+ members in 188 countries. Awards CISA, CISM, CRISC, CGEIT, CDPSE, AAIA, CCOA. Publishes COBIT. Cy
- [Inherent vs residual risk](https://cyberacademy.net/resources/encyclopedia/inherent-residual-risk): Inherent risk is the exposure before controls. Residual risk is what remains after the controls operate. Auditors look at the gap: it must be justified, accepted (or treated further) by a named owner, and consistent with the risk appetite.
- [Lead Auditor](https://cyberacademy.net/resources/encyclopedia/lead-auditor): Lead Auditor is the PECB credential for practitioners who can plan and lead third-party or internal audits of a management system. Five-day course built on ISO 19011. Entry point to becoming an accredited certification-body auditor. Differe
- [Lead Ethical Hacker](https://cyberacademy.net/resources/encyclopedia/lead-ethical-hacker): Lead Ethical Hacker is the PECB-certified credential for offensive-security practitioners. Covers methodology, scoping, reconnaissance, exploitation, reporting and ethics. The accreditation companion to hands-on credentials like OSCP and CR
- [Lead Implementer](https://cyberacademy.net/resources/encyclopedia/lead-implementer): Lead Implementer is the PECB credential for practitioners who can plan, build and run a management system based on a specific ISO standard (most often ISO 27001, ISO 42001, ISO 22301). Five-day course, exam, certificate. The implementation
- [Least privilege](https://cyberacademy.net/resources/encyclopedia/least-privilege): Least privilege is the principle that every identity (human or machine) gets the minimum permissions needed for the job, and no more. Sounds obvious; rarely applied. Most data-exfiltration incidents start with an over-permissioned service a
- [MITRE ATT&CK](https://cyberacademy.net/resources/encyclopedia/mitre-attack): MITRE ATT&CK is the open knowledge base of adversary tactics, techniques and procedures (TTPs) observed in the wild. Standard vocabulary for threat-informed defence: detection rules, red-team scenarios, SOC analyst training. Updated continu
- [Mean Time to Detect / Recover](https://cyberacademy.net/resources/encyclopedia/mttd-mttr): MTTD is the average time from incident start to detection. MTTR is the average time from detection to recovery. Together they are the headline operational metrics for a SOC and an incident response programme. Industry benchmarks float in th
- [Multi-Factor Authentication](https://cyberacademy.net/resources/encyclopedia/mfa): MFA is the requirement that authentication uses two or more factors from different categories (knowledge, possession, inherence). Not all MFA is equal: SMS and email codes are phishable, push notifications get fatigued, hardware tokens and
- [NIS 1 Directive](https://cyberacademy.net/resources/encyclopedia/nis-1): NIS 1 (Directive 2016/1148) was the EU's first cross-sector cybersecurity directive, covering operators of essential services and digital service providers. Replaced by NIS 2 in October 2024 because scope was too narrow, enforcement uneven
- [NIS 2 Directive](https://cyberacademy.net/resources/encyclopedia/nis-2): NIS 2 is the EU directive that puts boards on the hook for cybersecurity. Mid-sized or larger, in any of 18 listed sectors, you are in scope. The clock starts on the first significant incident: 24-hour early warning, 72-hour notification, full
- [NIST Cybersecurity Framework](https://cyberacademy.net/resources/encyclopedia/nist-csf): NIST CSF is the cybersecurity framework published by the US National Institute of Standards and Technology. The 2.0 revision (2024) added "Govern" to the existing five functions (Identify, Protect, Detect, Respond, Recover). Not certifiable
- [NIST SP 800-171](https://cyberacademy.net/resources/encyclopedia/nist-800-171): NIST SP 800-171 is the US standard that defines security requirements for protecting controlled unclassified information in non-federal systems. The technical backbone of CMMC for defence contractors. Revision 3 (2024) tightened the control
- [Non-conformity (NC)](https://cyberacademy.net/resources/encyclopedia/non-conformity): A non-conformity is the auditor finding that a requirement is not met. Major NCs threaten the certificate; minor NCs require a corrective action plan with a deadline. Repeated minor NCs in the same area can escalate to major at the next sur
- [PCI DSS](https://cyberacademy.net/resources/encyclopedia/pci-dss): PCI DSS is the Payment Card Industry Data Security Standard. Mandatory for anyone storing, processing or transmitting cardholder data. Version 4.0.1 is the current revision, fully mandatory since 31 March 2025. Scope-reduction (tokenisation
- [Patch management](https://cyberacademy.net/resources/encyclopedia/patch-management): Patch management is the operational process that takes a published fix and applies it across the estate, on a defined SLA, with verification. Often the weakest link: emergency patches collide with change windows, vendor compatibility, third
- [Penetration testing](https://cyberacademy.net/resources/encyclopedia/penetration-testing): A penetration test is an authorised, scoped attack simulation to find exploitable weaknesses before real attackers do. Black box / grey box / white box, internal / external, application / infrastructure. Distinguish from a vulnerability sca
- [Phishing](https://cyberacademy.net/resources/encyclopedia/phishing): Phishing is the social-engineering attack that tricks a user into clicking a malicious link, opening a malicious file or revealing credentials. Variants: spear phishing (targeted), whaling (executives), smishing (SMS), vishing (voice), BEC
- [Privacy by design and by default](https://cyberacademy.net/resources/encyclopedia/privacy-by-design): Privacy by design (GDPR Article 25) is the obligation to bake privacy controls into systems from the requirements stage. Privacy by default is the obligation to make the highest-protection option the standard. Auditors look for documented e
- [Privileged Access Management](https://cyberacademy.net/resources/encyclopedia/pam): PAM is the subset of IAM focused on privileged accounts: admins, root, service accounts, break-glass. Vaults credentials, brokers sessions, records activity. The first thing the attacker goes for after the initial foothold, and the control
- [Professional Evaluation and Certification Board](https://cyberacademy.net/resources/encyclopedia/pecb): PECB is the Montreal-based accredited certification body that issues professional credentials on 30+ ISO standards across 150+ countries. Information security, risk, BCM, AI governance, privacy, quality. Cyber Academy is a PECB Gold Partner
- [Pseudonymisation](https://cyberacademy.net/resources/encyclopedia/pseudonymisation): Pseudonymisation is the GDPR Article 4(5) technique of replacing direct identifiers with reversible tokens, with the key stored separately. Reduces risk and earns regulatory goodwill, but the data is still personal data. Anonymisation is th
- [Ransomware](https://cyberacademy.net/resources/encyclopedia/ransomware): Ransomware is the malware class that encrypts data and demands payment for the key, often paired with data theft and extortion (double extortion). Attack vectors: phishing, internet-facing exposure, supply chain. Insurance pays less, regula
- [Record of Processing Activities](https://cyberacademy.net/resources/encyclopedia/ropa): The ROPA is the documented inventory of processing activities required by GDPR Article 30. Controllers list purpose, categories, recipients, retention, transfers; processors list controllers served, categories, transfers. Most organisations
- [Recovery Time and Recovery Point Objectives](https://cyberacademy.net/resources/encyclopedia/rto-rpo): RTO is the maximum acceptable duration a business process can stay down before unacceptable harm. RPO is the maximum data loss measured in time before the disruption. Both come out of the BIA. The numbers your CIO writes in the BCP without
- [Risk appetite](https://cyberacademy.net/resources/encyclopedia/risk-appetite): Risk appetite is the amount and type of risk the organisation is willing to take to meet its objectives. Set at executive or board level, in writing. Without it, every risk-treatment decision is a personal judgement call by the risk team, a
- [Risk register](https://cyberacademy.net/resources/encyclopedia/risk-register): The risk register is the canonical, living list of identified risks with their analysis, evaluation, treatment and ownership. Not a one-time spreadsheet. Auditors expect dated entries, named owners, traceable changes and review cycles tied
- [Risk treatment](https://cyberacademy.net/resources/encyclopedia/risk-treatment): Risk treatment is what you do once you know the risk: avoid, reduce, transfer, accept. Each decision is documented, justified by the risk appetite, and traced through the SoA to the controls and the operating evidence. Most failed audits bo
- [SOC 2](https://cyberacademy.net/resources/encyclopedia/soc-2): SOC 2 is the AICPA attestation report on a service organisation's controls covering five trust criteria (security, availability, processing integrity, confidentiality, privacy). North-American canonical for SaaS vendors; ISO 27001 is the Eu
- [Schrems II](https://cyberacademy.net/resources/encyclopedia/schrems-ii): Schrems II is the 2020 CJEU judgement that struck down the EU-US Privacy Shield and added the Transfer Impact Assessment requirement. Every transfer to a third country now needs a documented analysis of local surveillance law and supplement
- [Security Information and Event Management](https://cyberacademy.net/resources/encyclopedia/siem): A SIEM aggregates logs, normalises events and runs detection rules across your stack. The visibility layer the SOC depends on. Modern SIEM vendors (Splunk, Sentinel, Elastic, Sumo) increasingly bundle SOAR and UEBA. The hard work is not buy
- [Security Operations Center](https://cyberacademy.net/resources/encyclopedia/soc): A SOC is the team and toolset that monitors, detects, analyses and responds to security events in real time. Tiered analysts (T1 detection, T2 investigation, T3 threat hunting), 8x5 or 24x7. Internal, outsourced (MSSP) or hybrid. Without a
- [Security Orchestration, Automation and Response](https://cyberacademy.net/resources/encyclopedia/soar): SOAR is the layer that takes SIEM alerts and runs playbooks: enrichment, triage, containment, ticketing. Goal: reduce MTTR and free analysts from copy-paste work. Watch for vendor over-promise: a SOAR is only as good as the playbooks you wr
- [Stage 1 / Stage 2 audit](https://cyberacademy.net/resources/encyclopedia/stage-1-2-audit): Initial ISO certification splits into stage 1 (documentation and readiness review, usually 1–2 days) and stage 2 (operational evidence audit, 2–5 days). Stage 1 confirms the management system exists on paper; stage 2 verifies it actually op
- [Standard Contractual Clauses](https://cyberacademy.net/resources/encyclopedia/scc): SCCs are the European Commission-approved template clauses for transferring personal data to third countries without an adequacy decision. The 2021 SCCs replaced the older versions and require a Transfer Impact Assessment (TIA) since Schrem
- [Statement of Applicability](https://cyberacademy.net/resources/encyclopedia/soa): The SoA is the controlled document that tells the auditor which Annex A controls apply to you, why, where the evidence lives. Mandatory under ISO 27001. Inconsistency between SoA, risk treatment plan and actual operations is the most common
- [Tabletop exercise](https://cyberacademy.net/resources/encyclopedia/tabletop): A tabletop exercise is a discussion-based simulation of a disruptive scenario with the response team around a table. Cheap, fast, exposes the gaps no document review will. Required practice under ISO 22301, NIS 2 and DORA, and the single hi
- [Third-Party Risk Management](https://cyberacademy.net/resources/encyclopedia/tprm): TPRM is the discipline that governs the risk introduced by suppliers, subcontractors and service providers. Onboarding due diligence, contract clauses, ongoing assurance, off-boarding. Mandated by NIS 2 (supply chain security) and DORA (ICT
- [Threat-Led Penetration Testing](https://cyberacademy.net/resources/encyclopedia/tlpt): TLPT is the regulator-supervised red-team exercise required by DORA for significant financial entities. Built on the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming). Multi-month, intelligence-driven, supervised by the nat
- [Vulnerability management](https://cyberacademy.net/resources/encyclopedia/vulnerability-management): Vulnerability management is the cycle of discovering, prioritising, remediating and verifying vulnerabilities in your estate. Scanners flag thousands; the discipline is in the prioritisation (asset criticality + exploit availability + busin
- [Zero Trust](https://cyberacademy.net/resources/encyclopedia/zero-trust): Zero Trust is the security model where you stop trusting the network perimeter. Every access decision is authenticated, authorised and contextually evaluated, every time. Identity becomes the perimeter. Born at Forrester, popularised by Goo
- [ePrivacy Directive](https://cyberacademy.net/resources/encyclopedia/eprivacy): The ePrivacy Directive (2002/58/EC, amended in 2009) is the "cookie law" everyone half-implements. Governs confidentiality of electronic communications and tracking technologies on user devices. Older than GDPR and still in force; the ePriv

## Courses catalogue

> Formal training programs with a certification at the end (PECB, ISACA). Available in live sessions and self-paced formats.

- [CISA: Certified Information Systems Auditor](https://cyberacademy.net/courses/cisa): The ISACA reference credential for IT audit. Five domains, four-hour exam, the audit credential Big Four engagements default to. Four-day cohort with one re-sit included.
- [CISM: Certified Information Security Manager](https://cyberacademy.net/courses/cism): The ISACA reference credential for security management. Four domains, the cert asked for in roughly 60% of CISO postings. Four-day cohort with one re-sit included.
- [CRISC: Certified in Risk and Information Systems Control](https://cyberacademy.net/courses/crisc): The ISACA reference credential for IT risk. Four domains bridging business risk to IS controls. The natural complement to CISA and to ISO 31000 / 27005 for the ISACA vocabulary.
- [AAIA: Advanced in AI Audit](https://cyberacademy.net/courses/aaia): The ISACA advanced credential for auditors moving into AI. Audit methodology for AI systems, AI risk assessment, AI governance frameworks. Three-day intensive, CISA recommended as foundation.
- [AAIR: Advanced in AI Risk](https://cyberacademy.net/courses/aair): The ISACA advanced credential for risk managers building an AI risk programme. AI risk assessment, risk treatment, AI risk governance. Three-day intensive, CRISC recommended as foundation.
- [AAISM: Advanced in AI Security Management](https://cyberacademy.net/courses/aaism): The ISACA advanced credential for security managers building an AI security programme. AI threat modelling, secure model lifecycle, AI security operations. Three-day intensive, CISM recommended as foundation.
- [CGEIT: Certified in the Governance of Enterprise IT](https://cyberacademy.net/courses/cgeit): The ISACA reference credential for IT governance at executive level. Five domains covering framework, strategic management, benefits realisation, risk optimisation and resource optimisation. Built for CIOs, governance leads and board-facing
- [CDPSE: Certified Data Privacy Solutions Engineer](https://cyberacademy.net/courses/cdpse): The ISACA credential at the intersection of privacy and technology. Three domains spanning privacy governance, privacy architecture and data lifecycle. The cert for privacy engineers building GDPR-grade systems, not just policies.
- [CCOA: Certified Cybersecurity Operations Analyst](https://cyberacademy.net/courses/ccoa): The ISACA hands-on credential for SOC analysts and cyber-defence operators. Five domains covering monitoring, incident response, threat hunting and threat intelligence. Practitioner-level, exam mixes scenarios with multiple-choice.
- [COBIT 2019 Foundation](https://cyberacademy.net/courses/cobit-foundation): The entry-level credential for the COBIT 2019 governance framework. Two-day cohort covering the framework structure, principles, design factors and governance system components. Live cohort with ISACA exam included.
- [COBIT 2019 Design & Implementation](https://cyberacademy.net/courses/cobit-design-implementation): The advanced COBIT credential. Three-day cohort focused on applying the design factors to build a tailored governance system, then driving the implementation roadmap. Live cohort with ISACA exam included. Foundation is a prerequisite.
- [Cybersecurity Audit Certificate (ISACA)](https://cyberacademy.net/courses/cybersecurity-audit-certificate): The ISACA certificate dedicated to cybersecurity audit. Two-day cohort, scenario-driven, designed to bridge classical IS audit (CISA) and modern cyber-defence operations. Useful for auditors evaluating SOC, IR and threat intel programmes.
- [IT Audit Fundamentals (ISACA)](https://cyberacademy.net/courses/it-audit-fundamentals): The entry-level ISACA certificate on IT audit. Two-day cohort covering audit planning, fieldwork, evidence and reporting through the ISACA vocabulary. A clean on-ramp before CISA.
- [IT Risk Fundamentals (ISACA)](https://cyberacademy.net/courses/it-risk-fundamentals): The entry-level ISACA certificate on IT risk. Two-day cohort introducing risk identification, assessment, response and monitoring through the ISACA vocabulary. A clean on-ramp before CRISC.
- [ISO27001 - Foundation](https://cyberacademy.net/courses/iso27001-foundation): Official PECB-accredited ISO27001 - Foundation certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll...
- [AI Risk Manager](https://cyberacademy.net/courses/ai-risk-manager): PECB-accredited AI Risk Manager certification. Live online training with certified-or-refunded guarantee.
- [Certified Artificial Intelligence Professional (CAIP)](https://cyberacademy.net/courses/certified-artificial-intelligence-professional-caip): PECB-accredited Certified Artificial Intelligence Professional (CAIP) certification. Live online training with certified-or-refunded guarantee.
- [Certified CISO by PECB](https://cyberacademy.net/courses/certified-ciso-by-pecb): Official PECB-accredited Certified CISO by PECB certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enrol...
- [Certified Lead Crisis Manager](https://cyberacademy.net/courses/certified-lead-crisis-manager): PECB-accredited Certified Lead Crisis Manager certification. Live online training with certified-or-refunded guarantee.
- [PECB CMMC Foundations](https://cyberacademy.net/courses/cmmc-foundations): Official PECB-accredited PECB CMMC Foundations certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll...
- [Cyber Threat Analyst](https://cyberacademy.net/courses/cyber-threat-analyst): PECB-accredited Cyber Threat Analyst certification. Live online training with certified-or-refunded guarantee.
- [Cybersecurity Foundation](https://cyberacademy.net/courses/cybersecurity-foundation): PECB-accredited Cybersecurity Foundation certification. Live online training with certified-or-refunded guarantee.
- [DORA Foundation](https://cyberacademy.net/courses/dora-foundation): DORA Foundation for financial sector. ICT risk management and incident reporting. PECB-accredited.
- [DORA Lead Manager](https://cyberacademy.net/courses/dora-lead-manager): Become a certified DORA Lead Manager. Implement digital operational resilience for financial institutions. PECB-accredited course with exam included.
- [EBIOS Risk Manager](https://cyberacademy.net/courses/ebios-risk-manager): Official EBIOS RM certification training. Learn the ANSSI 5-workshop risk assessment methodology. PECB-accredited course with practical exercises and exam.
- [GDPR - Certified Data Protection Officer](https://cyberacademy.net/courses/gdpr-certified-data-protection-officer): PECB-accredited GDPR - Certified Data Protection Officer certification. Live online training with certified-or-refunded guarantee.
- [GDPR Foundation](https://cyberacademy.net/courses/gdpr-foundation): PECB-accredited GDPR Foundation certification. Live online training with certified-or-refunded guarantee.
- [ISO 22301 Foundation](https://cyberacademy.net/courses/iso-22301-foundation): PECB-accredited ISO 22301 Foundation certification. Live online training with certified-or-refunded guarantee.
- [ISO 22301 Lead Auditor](https://cyberacademy.net/courses/iso-22301-lead-auditor): PECB-accredited ISO 22301 Lead Auditor certification. Live online training with certified-or-refunded guarantee.
- [ISO 22301 Lead Implementer](https://cyberacademy.net/courses/iso-22301-lead-implementer): PECB-accredited ISO 22301 Lead Implementer certification. Live online training with certified-or-refunded guarantee.
- [ISO 27005 Foundation](https://cyberacademy.net/courses/iso-27005-foundation): Official PECB-accredited ISO 27005 Foundation certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll ...
- [ISO 27005 Lead Risk Manager](https://cyberacademy.net/courses/iso-27005-lead-risk-manager): Official PECB-accredited ISO 27005 Lead Risk Manager certification training. Live online course with expert instructors and certified-or-refunded guarantee. ...
- [ISO 27005 Risk Manager](https://cyberacademy.net/courses/iso-27005-risk-manager): PECB-certified ISO 27005 Risk Manager training. Master information security risk assessment, treatment, and monitoring. Practical methodology with exam inclu...
- [ISO 27033 Lead Network Security Manager](https://cyberacademy.net/courses/iso-27033-lead-network-security-manager): PECB-accredited ISO 27033 Lead Network Security Manager certification. Live online training with certified-or-refunded guarantee.
- [ISO 27034 Lead Application Security Auditor](https://cyberacademy.net/courses/iso-27034-lead-application-security-auditor): PECB-accredited ISO 27034 Lead Application Security Auditor certification. Live online training with certified-or-refunded guarantee.
- [ISO 27034 Lead Application Security Implementer](https://cyberacademy.net/courses/iso-27034-lead-application-security-implementer): PECB-accredited ISO 27034 Lead Application Security Implementer certification. Live online training with certified-or-refunded guarantee.
- [ISO 27035 Foundation](https://cyberacademy.net/courses/iso-27035-foundation): Official PECB-accredited ISO 27035 Foundation certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll ...
- [ISO 27035 Lead Incident Manager](https://cyberacademy.net/courses/iso-27035-lead-incident-manager): PECB-accredited ISO 27035 Lead Incident Manager certification. Live online training with certified-or-refunded guarantee.
- [ISO 27701 Foundation](https://cyberacademy.net/courses/iso-27701-foundation): PECB-accredited ISO 27701 Foundation certification. Live online training with certified-or-refunded guarantee.
- [ISO 27701 Lead Auditor](https://cyberacademy.net/courses/iso-27701-lead-auditor): PECB-accredited ISO 27701 Lead Auditor certification. Live online training with certified-or-refunded guarantee.
- [ISO 27701 Lead Implementer](https://cyberacademy.net/courses/iso-27701-lead-implementer): PECB-accredited ISO 27701 Lead Implementer certification. Live online training with certified-or-refunded guarantee.
- [ISO 31000 Foundation](https://cyberacademy.net/courses/iso-31000-foundation): PECB-accredited ISO 31000 Foundation certification. Live online training with certified-or-refunded guarantee.
- [ISO 31000 Lead Risk Manager](https://cyberacademy.net/courses/iso-31000-lead-risk-manager): PECB-accredited ISO 31000 Lead Risk Manager certification. Live online training with certified-or-refunded guarantee.
- [ISO 31000 Risk Manager](https://cyberacademy.net/courses/iso-31000-risk-manager): PECB-accredited ISO 31000 Risk Manager certification. Live online training with certified-or-refunded guarantee.
- [ISO 42001 Foundation](https://cyberacademy.net/courses/iso-42001-foundation): PECB-accredited ISO 42001 Foundation certification. Live online training with certified-or-refunded guarantee.
- [ISO 42001 Lead Auditor](https://cyberacademy.net/courses/iso-42001-lead-auditor): PECB-accredited ISO 42001 Lead Auditor certification. Live online training with certified-or-refunded guarantee.
- [ISO 42001 Lead Implementer](https://cyberacademy.net/courses/iso-42001-lead-implementer): PECB-accredited ISO 42001 Lead Implementer certification. Live online training with certified-or-refunded guarantee.
- [ISO 9001 Foundation](https://cyberacademy.net/courses/iso-9001-foundation): PECB-accredited ISO 9001 Foundation certification. Live online training with certified-or-refunded guarantee.
- [ISO 9001 Lead Auditor](https://cyberacademy.net/courses/iso-9001-lead-auditor): PECB-accredited ISO 9001 Lead Auditor certification. Live online training with certified-or-refunded guarantee.
- [ISO 9001 Lead Implementer](https://cyberacademy.net/courses/iso-9001-lead-implementer): PECB-accredited ISO 9001 Lead Implementer certification. Live online training with certified-or-refunded guarantee.
- [ISO27001 - Lead Auditor](https://cyberacademy.net/courses/iso27001-lead-auditor): Official PECB-accredited ISO27001 - Lead Auditor certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enro...
- [ISO27001 - Lead Implementer](https://cyberacademy.net/courses/iso27001-lead-implementer): Official PECB-accredited ISO27001 - Lead Implementer certification training. Live online course with expert instructors and certified-or-refunded guarantee. ...
- [ISO27002 Foundation](https://cyberacademy.net/courses/iso27002-foundation): Official PECB-accredited ISO27002 Foundation certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll t...
- [ISO27002 Lead Manager](https://cyberacademy.net/courses/iso27002-lead-manager): Official PECB-accredited ISO27002 Lead Manager certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll...
- [ISO27002 Manager](https://cyberacademy.net/courses/iso27002-manager): Official PECB-accredited ISO27002 Manager certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll today.
- [Lead Cloud Security Manager](https://cyberacademy.net/courses/lead-cloud-security-manager): PECB-accredited Lead Cloud Security Manager certification. Live online training with certified-or-refunded guarantee.
- [Lead Cybersecurity Manager](https://cyberacademy.net/courses/lead-cybersecurity-manager): PECB-accredited Lead Cybersecurity Manager certification. Live online training with certified-or-refunded guarantee.
- [Lead Disaster Recovery Manager](https://cyberacademy.net/courses/lead-disaster-recovery-manager): PECB-accredited Lead Disaster Recovery Manager certification. Live online training with certified-or-refunded guarantee.
- [Lead Ethical Hacker](https://cyberacademy.net/courses/lead-ethical-hacker): PECB-accredited Lead Ethical Hacker certification. Live online training with certified-or-refunded guarantee.
- [Lead Operational Resilience Manager](https://cyberacademy.net/courses/lead-operational-resilience-manager): PECB-accredited Lead Operational Resilience Manager certification. Live online training with certified-or-refunded guarantee.
- [Lead SOC 2 Analyst](https://cyberacademy.net/courses/lead-soc-2-analyst): PECB-accredited Lead SOC 2 Analyst certification. Live online training with certified-or-refunded guarantee.
- [NIS 2 Directive Foundation](https://cyberacademy.net/courses/nis-2-directive-foundation): PECB-accredited NIS 2 Directive Foundation certification. Live online training with certified-or-refunded guarantee.
- [NIS 2 Directive Lead Implementer](https://cyberacademy.net/courses/nis-2-directive-lead-implementer): PECB-accredited NIS 2 Directive Lead Implementer certification. Live online training with certified-or-refunded guarantee.
- [NIST Cybersecurity Consultant](https://cyberacademy.net/courses/nist-cybersecurity-consultant): PECB-accredited NIST Cybersecurity Consultant certification. Live online training with certified-or-refunded guarantee.

## Articles (blog)

> Short-form articles on regulatory news, practical templates, and career guidance. Most recent first.

- [Can ChatGPT Draft Your ISMS Policy? A Real Test](https://cyberacademy.net/resources/blog/can-chatgpt-draft-your-isms-policy-a-real-test): Can AI write your ISMS policies? Yes; but not the way most people think. Here’s a field-tested look at what works, what fails, and how to use AI safely in your governance program.
- [Building a Compliance Dashboard that Speaks Board Language](https://cyberacademy.net/resources/blog/building-a-compliance-dashboard-that-speaks-board-language): Most compliance dashboards overwhelm executives with noise. Here’s how to build one that speaks the Board’s language: clear, strategic, and decision-ready.
- [Brussels’ Next Move: What Comes After NIS2 and DORA](https://cyberacademy.net/resources/blog/brussels-next-move-what-comes-after-nis2-and-dora): NIS2 and DORA were only Phase 1. AI Act, Data Act, CRA, EUCS and new accountability rules are about to define Phase 2. Here’s the concrete roadmap GRC leaders must prepare for.
- [Bridging GDPR, NIS2, and DORA for Unified Compliance](https://cyberacademy.net/resources/blog/bridging-gdpr-nis2-and-dora-for-unified-compliance): GDPR, NIS2, and DORA overlap more than most organisations realise. Here’s how to build one unified compliance model instead of three separate nightmares.
- [Awareness Program is dead.](https://cyberacademy.net/resources/blog/awareness-program-is-dead): Awareness training reduces risk, but only when it’s designed for real humans, real incentives, and real-world context. Here’s why most programs fall flat, and what actually works.
- [ISO27001: I Inherited an ISMS. It Was a SharePoint Folder with 200 Documents and a Prayer.](https://cyberacademy.net/resources/blog/iso27001-i-inherited-an-isms): What nobody tells you about implementing ISO27001, and how to stop faking it in 5 days. May 11–15, online.
- [NIS 2 Is Live. Your Regulator Won’t Wait.](https://cyberacademy.net/resources/blog/nis-2-is-live-your-regulator-wont-wait): How to go from “I’ve read the directive” to “I can implement it” in 5 days. May 4–8, online.
- [Your BIA Is Probably a Spreadsheet Someone Filled In Alone.](https://cyberacademy.net/resources/blog/your-bia-is-probably-a-spreadsheet-someone-filled-in-alone): Free Business Impact Assessment template. Three sections. Pre-built impact matrix. Ready for ISO 22301.
- [The BC/DR Policy Template That Doesn't Die in SharePoint](https://cyberacademy.net/resources/blog/the-bc-dr-policy-template-that-doesnt-die-in-sharepoint): Free download. Built from real projects. Not another ISO copy-paste.
- [Storytelling for Compliance Leaders](https://cyberacademy.net/resources/blog/storytelling-for-compliance-leaders): Because facts inform, but stories make people care about compliance.
- [GRC KPIs That Matter: How to Prove Compliance with Numbers](https://cyberacademy.net/resources/blog/grc-kpis-that-matter-how-to-prove-compliance-with-numbers): Most GRC KPIs are useless. Here are the ones that actually prove compliance, and drive decisions.
- [How to Get Executives to Care About Risk](https://cyberacademy.net/resources/blog/how-to-get-executives-to-care-about-risk): How to make executives genuinely care about risk, and act on it.
- [GRC Dashboards Executives Actually Read](https://cyberacademy.net/resources/blog/grc-dashboards-executives-actually-read): If you want executives to pay attention, you must stop reporting like a compliance officer and start reporting like a business partner.
- [How to Run a Risk Assessment that Doesn’t Bore the Board](https://cyberacademy.net/resources/blog/how-to-run-a-risk-assessment-that-doesnt-bore-the-board): If you want your board to actually care, not just endure your slides, you need to turn risk assessment from a reporting ritual into a decision conversation. Here’s how.
- [How to Talk Compliance to Non-GRC People (and Make Them Care)](https://cyberacademy.net/resources/blog/how-to-talk-compliance-to-non-grc-people-and-make-them-care): How to Talk GRC to Non-GRC People (and Make Them Care)
- [5 Mistakes in Risk Registers (and How to Fix Them)](https://cyberacademy.net/resources/blog/5-mistakes-in-risk-registers-and-how-to-fix-them): Because most risk registers are just expensive spreadsheets of wishful thinking.
- [Top 10 Gaps Auditors Will Look for Under NIS2](https://cyberacademy.net/resources/blog/top-10-gaps-auditors-will-look-for-under-nis2): And why “we have a policy for that” won’t be enough this time with NIS2.
- [From Checkbox to Strategy: The Death of Fake Compliance](https://cyberacademy.net/resources/blog/from-checkbox-to-strategy-the-death-of-fake-compliance): Compliance built on checklists is dying. Here's how organisations move from fake maturity to real strategic security.
- [AI Governance vs. AI Compliance: What’s the Difference?](https://cyberacademy.net/resources/blog/ai-governance-vs-ai-compliance-whats-the-difference): And why confusing AI Governance and AI Compliance will get you in trouble.
- [The Ultimate Guide to ISO Certifications for GRC Pros](https://cyberacademy.net/resources/blog/the-ultimate-guide-to-iso-certifications-for-grc-pros): A practical, field-tested guide to ISO certifications every GRC professional should understand, and why they matter in real life.
- [How to Write Policies People Actually Follow](https://cyberacademy.net/resources/blog/how-to-write-policies-people-actually-follow): Because “In accordance with applicable legal requirements…” is not how humans talk. Therefore, your policies should not include this.
- [Data Classification Policies that Actually Work](https://cyberacademy.net/resources/blog/data-classification-policies-that-actually-work): Because most “Confidential / Internal / Public” labels are just decorative data.
- [From intern to CISO: How to Build a GRC Career That Scales](https://cyberacademy.net/resources/blog/from-intern-to-ciso-how-to-build-a-grc-career-that-scales): A field-tested roadmap for your career from junior GRC analyst to CISO, without getting lost in templates, audits, or corporate confusion.
- [Lessons from Failed Audits: What Every Organization Should Learn](https://cyberacademy.net/resources/blog/lessons-from-failed-audits-what-every-organization-should-learn): Why audits fail, what it really means, and the lessons every organization must learn to avoid repeating the same mistakes.
- [Lead Auditor vs. Lead Implementer: Which Certification Fits You?](https://cyberacademy.net/resources/blog/lead-auditor-vs-lead-implementer-which-certification-fits-you): How to Talk GRC to Non-GRC People (and Make Them Care)
- [Top 10 Audit Findings in 2025: The Real Ones](https://cyberacademy.net/resources/blog/top-10-audit-findings-in-2025-the-real-ones): Field notes from actual gap assessments across Europe, not from textbooks.
- [How to Build a Compliance Culture Beyond Checklists](https://cyberacademy.net/resources/blog/how-to-build-a-compliance-culture-beyond-checklists): Compliance culture is not built with policies or checklists; it’s built with behaviours, ownership, and clarity.
- [How to Stand Out as a vCISO](https://cyberacademy.net/resources/blog/how-to-stand-out-as-a-vciso): How a vCISO can truly stand out in a crowded market by being practical, human, and relentlessly useful.
- [Why 2026 Is the Year of Compliance Convergence](https://cyberacademy.net/resources/blog/why-2026-is-the-year-of-compliance-convergence): By 2026, the companies that survive the regulatory storm, NIS2, DORA, the AI Act, the CRA Act, the DATA Act, ESG, privacy, you name it, will be the ones that finally stop managing frame
- [When Excel Is Enough and When You Need a Real GRC Platform](https://cyberacademy.net/resources/blog/when-excel-is-enough-and-when-you-need-a-real-grc-platform): Excel works… until it doesn’t. Here’s the pragmatic line between “good enough” spreadsheets and when your organisation truly needs a GRC platform.
---

## Optional

- Upcoming live sessions: https://cyberacademy.net/sessions
- Downloadable kits & templates: https://cyberacademy.net/resources/kits
- Case studies: https://cyberacademy.net/resources/case-studies
- RSS feed: https://cyberacademy.net/feed.xml
- Sitemap: https://cyberacademy.net/sitemap.xml