Career Development Plan Template

So you want to become a GRC Analyst?

Awesome! Here’s a free Career Development Plan template full of resources that I think you’ll find helpful.

It’s the best-of-the-best I’ve discovered in my mid-career transition to GRC, broken into Harvard’s recommended ratio to grow yourself faster of:

  • 10% Education

  • 20% Relationships

  • 70% Experiences

This template format and the menu of resources inside it would also be helpful to a broad range of other target job areas and career stages.

Table of Contents


1-2 years

GRC Analyst

3-4 Years

GRC Manager


Rate your current skill level on a scale from 1 (weakest) to 5 (strongest)


Compliance & Audit (CISA Domains)

Trust but verify. Are we provably compliant?

  • Domain 1. Information Systems (IS) Auditing Process

  • Domain 2. Governance & Management of IT

  • Domain 3. IS Acquisition, Development & Implementation

  • Domain 4. IS Operations & Business Resilience

  • Domain 5. Protection of Information Assets

Assess Risk (CISSP Domains)

Is risk level within tolerance?

  • Domain 1. Security & Risk Management

  • Domain 2. Asset Security

  • Domain 3. Security Architecture and Engineering

  • Domain 4. Communication & Network Security

  • Domain 5. Identity & Access Management

  • Domain 6. Security Assessment & Testing

  • Domain 7. Security Operations

  • Domain 8. Software Development Security

Instill Governance

Does everyone know the company’s risk appetite, and make decisions aligned to it?

  • Policies

  • Procedures

  • Standards

Speak ‘Security’ With the Business

  • Cyber Risk Management Action Plan (CR-MAP)

  • Customer Security Assurance & Trust Center


Source: CPA Competancy Map, which applies perfectly to GRC and many other professions

Acting Ethically & Professionally

  • Ethical Behvaviour

  • Integrity & Trustworthiness

  • Questioning Mindset

  • Due Care

  • Objectivity


  • Strategic focus

  • Risk Management

  • Organizational Culture Advocacy

  • Influence and Consensus Building


  • Inclusivity

  • Teamwork

  • Relationship Building

  • Project Management

Managing Self

  • Adaptability, Resilience & Agility

  • Initiative

  • Continuous Improvement

  • Talent Management

Adding Value

  • Business Context

  • Creativity and Innovation

  • Performance Evaluation and Accountability

Solving Problems & Making Decisions

  • Issue Identification

  • Analysis

  • Recommendations

  • Implementation and Change Management


  • Audience and effectiveness

  • Active Listening

  • Communication



Resume bullets to show you can add value from day 1

Hunt (e.g. ask a Mentor) for GRC Stretch Assignments:

  • Prepare for and manage an audit through planning, execution and reporting phases

    • Write a SOC2 System Description or ISO27001 Statement of Applicability

    • Check-in with control owners to document or update control narratives and test a sample

    • Manage a gantt chart and weekly status reports

  • Perform Third Party Risk Assessments

    • Review intake forms and work with requestor to complete risk assessment

    • Send questionnaires to the vendor and/or review their Trust Centre materials

  • Perform Security Risk Assessments

    • Meet with business requestors to fill out a Risk Assessment template and create a Data Flow Diagram

  • Create or review security policies and standards with subject matter experts

  • Run and report on an internal phishing campaign

  • Run a Tabletop Exercise

  • Create a Security Awareness campaign focused on Cyber Safety tips

  • Run and mature the Security Questionnaire process

  • Document Security Operations Centre processes

Internships, co-ops, entry level roles

Start a Blog and/or YouTube channel

As an aspiring cybersecurity professional:

  • Learn in public

  • Share your story to help others find their path

  • Show your skills


  • Help not-for-profit organizations, small businesses or sports teams with basic cyber hygiene

  • Join a not-for-profit Board of Directors

  • Visit a school to talk to students about careers



  • Find and/or Become a Mentor

    • Types: coach, sponsor or connector (link)

    • Top priorities: (1) make it win-win and optimize use of their time (link), find stretch assignments, get CDP feedback,

  • Reverse Mentor (link)

Peer learning

  • Job shadow

    • GRC, Information Security, Product Security, Internal Audit, IT to learn about their day-to-day responsibilities

Security Community

  • Comment on GRC discussions on Linkedin, YouTube, X and social media platforms

  • Join Discord server communities

    • Simply Cyber (link): join the community and engage with what you have. No judgment. Everybody starts somewhere.

    • Look for sc-toronto-gta if you’re in Canada

  • Attend Conferences

    • Infosec-Conferences (link)

    • Take the initiative to break the ice and network

    • Respond to a Call For Papers

  • Join Professional Organizations like



  • Cybersecurity Cannon (link)



  • Get and stay informed on current events: helpful for job interviews, daily work and networking

    • Unsupervised Learning (link)

    • Simply Cyber Daily Cyber Threat Brief (link)

    • SANS NewsBites (link)


  • CompTIA SY0-701 Security+ Training Course // Professor Messer (link)

  • CCNA 200-301 // Complete Course // NetworkChuck (link)

  • TCM Pentesting for n00bs (link)

  • CISSP Exam Cram // Inside Cloud and Security (link)

  • Google Cybersecurity Certificate (link)

Free Industry Resources

  • NIST Cybersecurity Framework (link)

  • SANS Information Security Policy Templates (link)

  • NIST SP800-30 Guide to Conducting Risk Assessments (link)

  • SOC2 Trust Services Criteria (link)

  • CIS Benchmarks (link)

  • CIS Controls (link)

  • Simply Cyber: GRC Analyst Master Class (link)

  • Simply Cyber: Cyber 101 (link)


  • AKYLADE Certified Cyber Resilience Fundamentals (A/CCRF) (link)

  • AKYLADE Certified Cyber Resilience Practitioner (A/CCRP) (link)


  • GRC Certification Roadmap (link)

Subscribe to keep reading

This content is free, but you must be subscribed to CPA to Cybersecurity to continue reading.

I consent to receive newsletters via email. Terms of Use and Privacy Policy.

Already a subscriber?Sign In.Not now