
SDG GRC Portfolio — Multi-Framework Assurance (US-Grade)

Author/Owner: Badr Karim — Cybersecurity GRC Intern | Security Assurance | Risk-Based Controls | Multi-Framework Controls

Portfolio type: Risk-based controls + multi-framework mapping + assurance-ready evidence structure

This repository is my multi-framework GRC assurance portfolio, anchored on a real system (Secure Database Gateway — SDG), built to demonstrate US workplace-style security governance and control assurance.
It is organized around risk-first control decisions and mapped across COBIT • NIST CSF 2.0 • ISO 27000 family • ISO 31000 • SOC 2 • ISO 37301 to maximize coverage and reduce redundancy.

Why this portfolio is “assurance-grade”

This repo is structured like a real assurance engagement and supports clear traceability:

Risk → Controls → Test Approach → Evidence → Findings → CAPA → Verification

A reviewer can follow the logic from risk drivers to control selection, then to validation outcomes and proof.
Start Here (60 seconds)

  1. Recruiter overview: docs/RECRUITER_OVERVIEW.md
  2. Portfolio index: artifacts/00_Index/PORTFOLIO_INDEX.md
  3. Executed tests summary: docs/CONTROL_TESTS_SUMMARY.md
  4. Framework coverage: docs/FRAMEWORK_COVERAGE.md

What makes this portfolio strong

  • Evidence-driven: screenshots + sanitized exports linked end-to-end (risk → control → test → evidence)
  • Framework-aligned: COBIT • NIST CSF 2.0 • ISO 27001/27002/27005 • ISO 31000 • SOC 2 • ISO 37301
  • Audit-ready: workpapers, issue log, mapping tracker, and an evidence naming standard
  • Honest reporting: findings are documented and remediations are tracked

Executed controls (proof)

Evidence is stored under: artifacts/14_Evidence/2026-02/ and tracked in:

  • artifacts/11_GRC_Tooling/Evidence_Tracker.csv
  • artifacts/11_GRC_Tooling/GRC_Master.xlsx

Open: docs/CONTROL_TESTS_SUMMARY.md
Repository map (what’s inside)

  • artifacts/01_Governance/ — charter, RACI, cadence, KPIs/KRIs, change review checklist
  • artifacts/05_Risk_ISO31000_27005/ — risk methodology, risk register, treatment plan
  • artifacts/04_ISO27001_27002/ — ISMS scope, SoA, control mapping matrix
  • artifacts/06_SOC2_Assurance/ — SOC 2 readiness matrix, evidence request list, workpapers
  • artifacts/08_TPRM/ — vendor risk pack + remediation tracker
  • artifacts/07_ISO37301_Compliance/ — CMS charter + obligations register (conditional applicability)
  • artifacts/11_GRC_Tooling/ — master workbook + evidence tracker + monthly report template
  • artifacts/14_Evidence/ — sanitized evidence with audit-friendly naming

Evidence rules (non-negotiable)

  • No secrets or OTP codes in screenshots
  • No sensitive query results in screenshots
  • All evidence named per: docs/EVIDENCE_NAMING_STANDARD.md

Connect

LinkedIn: https://www.linkedin.com/in/badrkarim/
