Assess gaps. Design programmes. Monitor results.
Apply NowCourse Description
What is This Course About?
Identifying a risk is not the same as managing it. Management requires knowing which controls are failing, how those failures connect to your business operations, and how to translate that understanding into a structured security programme that withstands regulatory scrutiny and leadership oversight.
This module develops the enterprise security strategy capability that sits between risk awareness and operational control implementation.
Building directly on Module 1’s risk identification and assessment foundations, you will learn to assess gaps in your existing security controls and measure their business impact, map organisational processes to security system requirements, translate security objectives and control gap findings into structured initiatives and programmes, align your security strategy with established frameworks and regulatory obligations including PDPA, MAS TRM, and ISO 27001 and monitor the effectiveness of security initiatives against both internal standards and external benchmarks.
The GRC discipline in this module is applied and specific.
You will work through vendor and third-party risk evaluation, regulatory compliance mapping, risk maturity assessment, and security programme budgeting, the capabilities that convert a theoretical risk management understanding into an enterprise security function that can be measured, reported, and continuously improved.
By the end of this course, you will be able to assess organisational security posture with rigour, design structured security programmes aligned with both risk findings and regulatory obligations, and monitor initiative effectiveness in a way that provides leadership and governance bodies with a credible, evidence-based view of security performance.
This is an intermediate to advanced-level course. Completion of Module 1 or equivalent foundational cyber risk management experience is recommended.
Target Audience
Who This Course is For
This course is designed for professionals responsible for enterprise security strategy, governance, and regulatory compliance.
- Information security professionals are developing a formal GRC capability
- Cybersecurity analysts and architects transitioning into security strategy roles
- IT governance and compliance professionals managing regulatory obligations
- Risk and security managers responsible for enterprise security programmes
- Technology leaders accountable for enterprise security initiatives
- Professionals who have completed Module 1 and are ready to develop an enterprise-level security strategy
If your role involves translating security risk into governance-level action, not just identifying threats but designing and managing the programmes that address them, this course builds that capability.
Prerequisites
What You’ll Need to Get Started
You should have:
- Basic understanding of organisational IT systems and cybersecurity concepts
- Familiarity with enterprise operations and governance structures
- Completion of Module 1 (Cybersecurity Awareness and Essentials) or equivalent foundational cyber risk management experience
Completion of Module 1 is strongly recommended. This module builds directly on the foundations of risk identification and assessment.
Course Highlights
What You’ll Learn
- How to assess gaps in existing security controls and evaluate their potential business impact, moving from risk identification to control gap analysis
- How to link organisational business processes to security systems and identify where protection measures must be strengthened
- Security baseline assessment methodology benchmarking your current security posture against frameworks, including ISO 27001, NIST CSF, and MAS TRM
- How to translate security objectives and control gap assessments into structured security programmes, guidelines, and action plans
- Security programme design techniques, how to structure a security initiative from risk finding to implementation roadmap
- Vendor and third-party risk management assesses the security posture of suppliers, partners, and service providers
- Regulatory compliance mapping aligning security programmes to PDPA, MAS TRM, and applicable sector-specific obligations
- Risk maturity assessment evaluating the sophistication and consistency of your organisation’s security risk management capability
- How to develop and manage security programme action plans, including resource planning, milestone sequencing, and periodic updates for regulatory or technology changes
- How to align security initiatives with information security and assurance architectures
- How to advise stakeholders on adopting and integrating security architecture across organisational systems
- How to monitor the effectiveness of security initiatives against internal standards and external regulatory benchmarks

Course Objectives
What You’ll Take Away
By the end of this course, you will be able to:
- Assess security risks, threats, vulnerabilities, and control gaps in relation to organisational systems, operations, and business impact
- Design structured security initiatives by translating security objectives and control gap assessments into security programmes and action plans
- Align security initiatives with information security architectures and standards, provide adoption guidance, and monitor initiative effectiveness
Skills You’ll Acquire
Completing this course, you will develop the following enterprise security strategy capabilities:
Control gap assessment
Identify gaps in existing security controls and evaluate business impact systematically
Business-process security mapping
Connect organisational operations to security system requirements
Security programme design
Structure enterprise security initiatives from gap findings to implementation roadmaps
Vendor risk management
Assess third-party and supplier security posture as part of the programme scope
Regulatory compliance mapping
Align security programmes to PDPA, MAS TRM, and ISO 27001 requirements
Risk maturity assessment
Evaluate the sophistication and consistency of organisational security risk management
Architecture adoption guidance
Advise stakeholders on integrating security architectures across enterprise systems
Security initiative monitoring
Design metrics-driven monitoring frameworks and governance review cycles
Certification Track
Level up!
This module forms part of the Certified Cybersecurity Catalyst programme.
Module 1: Cybersecurity Awareness and Essentials for Workplace Employees and Business Owners
Module 2: Cyber and IT Security Governance, Risk, and Compliance (GRC) ← You are here
Module 3: Applied Cybersecurity Controls, Computer and Network Security
This module converts Module 1’s risk assessment foundations into an enterprise security strategy and governance capability. Module 3 then applies that strategy foundation to operational security administration, access control implementation, and breach investigation.

A Certification of Completion by Equinet Academy will be awarded to candidates who have demonstrated competency in the Cyber and IT Security Governance, Risk, and Compliance (GRC) course assessment and achieved at least 75% attendance.
Course Outline
Inside The Course
This course follows the enterprise security strategy development cycle: first, understand where your existing controls are failing; then design programmes to close those gaps; then align those programmes with architecture and standards; and finally build the monitoring capability to sustain them. The Security Programme document assembled during the later phases serves as both the primary learning output and the Individual Project Presentation assessment instrument.

Security Risk Context, Business Processes and Control Gap Assessment
- Establishing a security baseline, assessing your organisation’s current control posture across systems, processes, and data assets
- Profiling security risks, threats, and vulnerabilities relevant to your specific organisational environment
- Mapping business processes to security systems, identifying where operational dependencies create security exposure
- Conducting a structured control gap analysis, evaluating existing control coverage, identifying gaps, and assessing business impact
- Benchmarking security posture against external frameworks, ISO 27001, NIST CSF, and MAS TRM, as gap identification reference points
Security Programme Design and Strategic Initiative Development
- Security programme design principles: what a structured security programme contains and how its components connect
- Security objectives and strategic protection priorities aligning programme scope to risk findings and business priorities
- Translating security objectives and control gap findings into actionable security initiatives and guidelines
- Developing structured action plans, milestone sequencing, ownership assignment, and resource planning for security programmes
- Vendor and third-party risk management, assessing supplier and partner security posture as part of the enterprise programme scope
- Regulatory compliance mapping aligning security initiatives to PDPA, MAS TRM, and sector-specific obligations
- Security programme prioritisation, evaluating trade-offs between risk coverage, regulatory obligation, and available resources
Security Architecture Alignment and Strategic Monitoring
- Risk maturity assessment evaluating the sophistication and consistency of organisational security risk management capability
- Implementing security and assurance architectures within enterprise technology environments
- Advising stakeholders on adopting and integrating security architecture across organisational systems
- Applying internal and external security standards, ISO 27001, NIST CSF, MAS TRM, and Singapore regulatory frameworks
- Monitoring the effectiveness of security initiatives, establishing metrics, governance review cycles, and performance reporting
- Reviewing residual control gaps and planning continuous security improvement aligned to technological and regulatory change
Assessment Methods
- Case Study Written Assessment
- Individual Project Presentation
Trainers
Meet Your Educators
Trainer Bio
Torry Henderson
Torry Henderson is a cybersecurity practitioner and Threat-Informed Defense specialist with over 20 years of experience in IT infrastructure, cloud security, and enterprise security governance. He has led security program development aligned to ISO 27001, NIST, CIS Controls, and PCI DSS, and focuses on helping organisations move beyond compliance toward intelligence-led, measurable defence. Torry brings practical, real-world insight into building resilient, secure-by-design cybersecurity programs.
Course Fee & Funding
Fund Your Brain Gain
Don’t let funding hold you back. Discover grants and resources built for your next career move.
Full Course Fee (without funding)
S$499.00 S$999.00
Course Schedule
Mark Your Calendar!
This applied workshop integrates security gap assessment, security programme design exercises, regulatory mapping sessions, and a governance simulation over two intensive days.
2 Days | 16 Hours
Day 1: Security baseline assessment, control gap analysis, framework benchmarking, and security programme design.
Day 2: Vendor risk, regulatory mapping, programme prioritisation, risk maturity assessment, architecture alignment, and monitoring framework design, followed by Case Study Written Assessment (90 min) and Individual Project Presentation (30 min).
| Learning Mode | Course Dates | Duration | Trainer |
|---|---|---|---|
| In-Person | 12, 13 Oct 2026 (Mon, Tue) | 9:00am - 6:00pm | |
| In-Person | 05, 06 Nov 2026 (Thu, Fri) | 9:00am - 6:00pm |
Click on the course dates above to register online.
Frequently Asked Questions (FAQs)
The Need-to-Know Stuff, Fast
Everything you need to know about the course. Can’t find the answer you’re looking for? Please contact our friendly team.
Yes. Module 1 teaches you to identify and assess cyber risks. This module teaches you to assess where your existing controls fail to manage those risks, design structured security programmes to address the gaps, and align those programmes with regulatory obligations and enterprise architecture. They are complementary, not repetitive.
Yes. PDPA and MAS TRM are used throughout the course in compliance mapping, regulatory obligation benchmarking, and compliance monitoring design. The focus is on applying them as strategic planning tools, not memorising their provisions.
Yes. Vendor and third-party risk evaluation is covered as a core component of security programme design, with the MAS TRM third-party management requirements serving as the regulatory reference point.
A completed Security Programme document for a realistic case organisation covering gap assessment, prioritised security initiatives with regulatory mapping, risk maturity assessment, and a monitoring framework that you can adapt as a template for your own organisation.

