Bonus Episode 4: Careers in GRC - What a Career in GRC Looks Like

In this bonus episode (1 of 3), we zoom out and unpack what a career in GRC actually looks like. Lily Yeoh explains the field in simple terms, talks through the types of challenges GRC professionals help organizations navigate, and highlights the mix of backgrounds that thrive here. We touch on what early roles focus on, how government and commercial paths differ, and what someone should understand before jumping in. If you’re curious about GRC as a profession, this first of three episode gives you a clear, approachable starting point.

1. GRCP — GRC Professional

⁠OCEG⁠-Great intro to governance, risk, compliance, ethics, and audit basics.

2. CCEP — Certified Compliance & Ethics Professional

⁠SCCE⁠-Focuses on compliance, ethics, investigations, and corporate policy.

3. ISO 31000 Risk Management Certification

⁠Various accredited bodies⁠-Covers organizational risk frameworks and is accessible without technical depth.

4. CompTIA Security

⁠CompTIA⁠-Security fundamentals that support GRC roles tied to IT and cybersecurity.

5. CGRC (formerly CAP)

⁠ISC2⁠-Intro to governance, risk and security authorization. Good for early GRC careers.

ADVANCED LEVEL CERTIFICATIONS

These require experience, deeper security knowledge, or exposure to audit, risk, or governance functions.

6. CISSP — Certified Information Systems Security Professional

⁠ISC2⁠-High-level security governance, risk, architecture, and leadership.

7. CISA — Certified Information Systems Auditor

⁠ISACA⁠-The gold standard for audit, controls, and assessment work inside GRC teams.

8. CRISC — Certified in Risk and Information Systems Control

⁠ISACA⁠-Focused on IT risk, business risk, mitigation, and control design.

9. CISM — Certified Information Security Manager

⁠ISACA⁠-Security governance, program management, and risk management at scale.

10. CGEIT — Certified in the Governance of Enterprise IT

⁠ISACA⁠-Enterprise-level IT governance, strategic alignment, and performance risk.