Ready to Step-Up from Compliance to Risk?
What You'll Learn
Competencies
✓ Understand the foundations of risk management and its importance in cybersecurity
✓ Identify, assess, and prioritize risks using established frameworks like the NIST Risk Management Framework (RMF)
✓ Apply basic risk mitigation strategies to protect organizational assets
✓ Recognize the role of governance, compliance, and regulatory requirements in managing cyber risks
✓ Communicate foundational risk management concepts effectively to stakeholders
What to Expect 👇
Includes 3 Hours with Dr. Gerald Auger! ⭐
Including exclusive content only in Simply Cyber Academy

Steve's 4th and Most Value Packed Course Yet! 💎
Building on the success of his popular GRC courses, Steve delivers his most comprehensive training yet: 14 hours and 100+ videos covering how to develop risk strategies, implement ongoing monitoring, conduct security audits, and align cybersecurity with business objectives.
About Your Instructor, Steve McMichael, CRMP
Instructor Steve McMichael is committed to helping YOU accelerate your cybersecurity career.
Steve is passionate about guiding students, from backgrounds as diverse as accounting, into cybersecurity GRC. He successfully made this transition himself and shares how you can do it too in the popular blog, CPA to Cybersecurity. Exam prep courses for the AKYLADE Certified Cyber Resilience Fundamentals (A/CCRF), AKYLADE Certified Cyber Resilience Practitioner (A/CCRP) and AKYLADE Cyber Risk Management Foundations (A/CRMF) can help accelerate that journey.
Steve holds advanced degrees in business (BBA, MBA), along with top cybersecurity certifications (CCRP, CRMP, CISSP, CISA), and is a Chartered Professional Accountant (CPA). With nearly 20 years of experience in tech, he currently serves as Director of Governance, Risk, and Compliance at BlackBerry.

Curriculum
- 0.1 Course Trailer: The REAL Value of GRC and Why It's Never Boring (2:16)
- 0.2 Course Overview: Building Risk Management Skills that Open Doors (5:54)
- 0.3 Risk is the Heart and Center of GRC -⭐ ft. Dr. Gerald Auger (61:30)
- 0.4 Cover Your Asse(t)s! Due Diligence and Due Care -⭐ ft. Dr. Gerald Auger (6:17)
- 0.5 Your Opportunity to Network in Simply Cyber Discord (1:36)
- 0.6 Resume Bullets Unlocked
- Module Summary
- 1.1.0 Introduction -⭐ ft. Dr. Gerald Auger (4:30)
- 1.1.1 Risk Management Lifecycle (7:05)
- 1.1.2 Who's Using What Framework? (3:38)
- 1.1.3 Risk Management Process (NIST SP 800-39) (5:42)
- 1.1.4 Risk Management Framework (NIST SP 800-37) Part 1 (9:02)
- 1.1.5 Risk Management Framework Part 2: Authority to Operate -⭐ ft. Dr. Gerald Auger (2:44)
- 1.1.6 ISO/IEC 27001 (2:57)
- 1.1.7 Case Study: 300 Drinking Water Systems Exposed to Attacks -⭐ ft. Dr. Gerald Auger (9:58)
- 1.1.8 Key Takeaways (2:02)
- Quiz
- Module Summary
- 1.3.0 Introduction -⭐ ft. Dr. Gerald Auger (6:23)
- 1.3.1 Hybrid Risk Analysis -⭐ ft. Richard Seiersen (5:03)
- 1.3.2 Qualitative Risk Analysis Concepts (5:50)
- 1.3.3 Qualitative Risk Analysis Techniques (16:00)
- 1.3.4 Cyber Risk Quantification (CRQ) Introduction: SLE, ALE, ARO -⭐ ft. Richard Seiersen (13:17)
- 1.3.5 Loss Distribution Approach (LDA) (7:08)
- 1.3.6 Executive Metrics: Value At Risk (VaR), Conditional Value at Risk (CVaR) (5:16)
- 1.3.7 Factor Analysis of Information Risk (FAIR) (6:29)
- Quiz
- Module Summary
- 1.4.0 Introduction -⭐ ft. Dr. Gerald Auger (6:43)
- 1.4.1 Training and Awareness Programs Part 1 w/ Example End User Training (14:53)
- 1.4.2 Training and Awareness Part 2 w/ Phishing Campaign Results Executive Briefing (5:08)
- 1.4.3 Secure Software Development Lifecycle (SDLC) Training: Underneath the Waterline (14:14)
- Quiz
- Module Summary
- 2.1.0 Introduction (1:10)
- 2.1.1 New Mirai botnet infects TBK DVR devices via command injection flaw -⭐ ft. Dr. Gerald Auger in DCTB (6:29)
- 2.1.2 StealC malware enhanced with stealth upgrades and data theft tools -⭐ ft. Dr. Gerald Auger in DCTB (6:03)
- 2.1.3 Alleged 'Scattered Spider' Member Extradited to U.S. -⭐ ft. Dr. Gerald Auger in DCTB (7:00)
- 2.1.4 Russian army targeted by new Android malware hidden in mapping app -⭐ ft. Dr. Gerald Auger in DCTB (9:16)
- 2.1.5 Thailand cuts power supply to Myanmar scam hubs -⭐ ft. Dr. Gerald Auger in DCTB (6:44)
- 2.1.6 Despite ransom payment, PowerSchool hacker now extorting individual school districts -⭐ ft. Dr. Gerald Auger in DCTB (5:42)
- Quiz
- Module Summary
- 2.2.1 Business Impact Analysis (BIA) (11:33)
- 2.2.2 Financial Analysis: Total Cost of Ownership (TCO) (4:18)
- 2.2.3 Return on Investment (ROI) (2:06)
- 2.2.4 Return On Assets (ROA) (3:16)
- 2.2.5 Net Present Value (NPV), Internal Rate of Return (IRR) (3:50)
- 2.2.6 Cost Benefit Analysis (CBA) and Payback Period (2:12)
- Quiz
- Module Summary
- 3.1.0 Introduction -⭐ ft. Dr. Gerald Auger (9:14)
- 3.1.1 Threat Modeling -⭐ ft. Dr. Gerald Auger (10:55)
- 3.1.2 MITRE ATT&CK Framework (10:17)
- 3.1.3 STRIDE (4:13)
- 3.1.4 AI Augmented STRIDE Risk Assessment (3:02)
- 3.1.5 PASTA (4:14)
- 3.1.6 OCTAVE (5:35)
- 3.1.7 Attack Trees (7:23)
- 3.1.8 Analyzing Network Traffic (4:57)
- 3.1.9 Analyzing Security Log Data -⭐ ft. Dr. Gerald Auger (18:02)
- 3.1.10 Policy Review (6:11)
- 3.1.11 Identify Operational Technology (OT) and Information Technology (IT) Interconnections (7:18)
- Quiz
- Module Summary
- 3.3.0 Introduction -⭐ ft. Dr. Gerald Auger (7:28)
- 3.3.1 Vulnerability Scanners, Network Analyzers, and Automated Exploitation Toolsets (6:55)
- 3.3.2 Web Application Scanners - ZAP (7:29)
- 3.3.3 Configuration Management Toolsets - AWS Config (6:36)
- 3.3.4 Social Engineering and Phishing (10:56)
- 3.3.5 Manual Code Reviews (3:43)
- 3.3.6 Custom Exploit Development (11:07)
- 3.3.7 Physical Security Testing (8:59)
- Module Summary
- 3.4.0 Introduction -⭐ ft. Dr. Gerald Auger (3:37)
- 3.4.1 Enterprise Networks and Defense in Depth of Controls (4:53)
- 3.4.2 Mobile Device Risk Management (BYOD, CYOD, COPE, COBO) (11:04)
- 3.4.3 IoT, OT, ICS, SCADA (12:53)
- 3.4.4 Remote Access Technologies (9:13)
- 3.4.5 Cloud Computing (8:11)
- 3.4.6 Single Vendor Cloud Environments -⭐ ft. Dr. Gerald Auger in DCTB (5:07)
- 3.4.7 Multi Cloud Environments -⭐ ft. Dr. Gerald Auger in DCTB (8:58)
- 3.4.8 Virtualized and Containerized Systems (4:42)
- Module Summary
- 3.5.0 Introduction -⭐ ft. Dr. Gerald Auger (3:52)
- 3.5.1 Asset Inventory Assessment (14:32)
- 3.5.2 Privacy Impact Assessment (PIA) (7:53)
- 3.5.3 Security Risk Assessment (16:03)
- 3.5.4 Physical Security Assessment (8:47)
- 3.5.5 OT Risk Assessment (8:01)
- 3.5.6 Cloud Migration Assessment (9:45)
- 3.5.7 SOC 2 Assessment: Description of a System (9:03)
- 3.5.8 ISO/IEC 27001 Assessment: Statement of Applicability (4:28)
- 3.5.9 Biometric Implementation Assessment: FRR, FAR, CER (9:19)
- 3.5.10 Third-Party Vendor Assessment (14:31)
- Module Summary
- 4.1-4.4 Given a scenario, develop and implement an appropriate risk response strategy including evaluation of alternatives, selection of measures and controls, and execution of the chosen course of action (10:27)
- 4.5 Develop an Incident Response Plan, Business Continuity Plan, or Continuity of Operations Plan to address potential incidents -⭐ ft. Dr. Gerald Auger (10:24)
- 4.6 Evaluate the effectiveness of current risk mitigation measures and controls -⭐ ft. Dr. Gerald Auger (17:10)
- Module Summary
- 5.1.0 Introduction -⭐ ft. Dr. Gerald Auger (6:51)
- 5.1.1 Risk Exposure Monitoring -⭐ ft. Richard Seiersen (5:14)
- 5.1.2 The Three Measures: Coverage, Configuration, and Capability (4:28)
- 5.1.3 Beyond the Pick List: Building Cybersecurity Metrics That Matter -⭐ ft. Richard Seiersen (5:45)
- 5.1.4 Change Monitoring (1:20)
- 5.1.5 Key Performance Indicator vs Key Risk Indicator (1:07)
A/CRMF Certification Domains
📡 DOMAIN 1: Risk Monitoring and Communication
Implementing continuous risk monitoring, conducting security audits, and communicating risk management findings to stakeholders
- Risk monitoring strategy development: purpose, type, frequency of monitoring activities
- Key risk indicators (KRI) and key performance indicators (KPI) implementation
- Compliance and effectiveness monitoring with change management integration
- Monitoring solutions deployment: SIEM, SOAR, EDR, physical security measures
- Organizational information systems and environments monitoring for compliance
- Clear communication maintenance across diverse teams and stakeholders
- Audit preparation and conduct: kick-off meetings, artifact requests, project planning
- Risk-based authorization and accreditation processes for information systems
- Documentation preparation: risk response activities, decisions, approved exceptions
⚠️ DOMAIN 2: Risk Identification and Analysis
Identifying, assessing, and analyzing threats, vulnerabilities, and security risks affecting organizational information systems
- Threat modeling using MITRE ATT&CK, STRIDE, OCTAVE, PASTA frameworks
- Common vulnerabilities and exposures (CVE) analysis
- Network traffic and log data analysis for threat identification
- Physical security audit results analysis
- Common vulnerability scoring system (CVSS) implementation
- Vulnerability assessment and penetration testing validation
- Security risk prioritization based on likelihood and impact
- Enterprise networks, cloud computing, IoT, and OT system risk analysis
- Data loss prevention strategy and system assessment
- Assessments for new and existing systems including cloud migration
🧯 DOMAIN 3: Risk Response and Mitigation
Determining appropriate risk responses, implementing security controls, and evaluating mitigation strategies to reduce cybersecurity risks
- Appropriate risk response identification: acceptance, avoidance, transference, mitigation
- Alternative courses of action evaluation: cost-benefit analysis, feasibility, resource availability
- Security controls implementation: administrative, technical, physical, deterrent, preventative, detective
- Incident response plan development: purpose, roles, lifecycle, containment, recovery
- Business continuity planning: BIA, backup strategies, recovery strategies, alternative sites
- Continuity of operations planning (COOP): hot, warm, cold, mobile, cloud sites
- Risk mitigation measure effectiveness evaluation
- Standard processes and procedures establishment
- Vulnerability management and patch management programs
- Physical security controls and penetration testing implementation
📚 DOMAIN 4: Risk Management Concepts
Understanding fundamental risk management frameworks, lifecycles, and processes used to assess and mitigate cybersecurity risks
- Risk management lifecycle: Identify, Analyze, Prioritize, Treat, Monitor, Communicate, Document
- Risk management frameworks: NIST 800-37, ISO 27001
- Risk management processes: NIST SP 800-39 (Frame, Assess, Respond, Monitor)
- Types of risk: Inherent, Residual, Control, Systemic, Operational, Strategic, Compliance
- Risk responses: Acceptance, Avoidance, Transference, Mitigation, Exploitation, Enhancement, Sharing, Escalation
- Risk analysis methods: Qualitative, Quantitative, and Hybrid approaches
- Training and awareness programs for cybersecurity risk mitigation
🧭 DOMAIN 5: Risk Strategy and Governance
Developing risk management strategies, assessing organizational risk posture, and applying governance frameworks to align cybersecurity with business objectives
- Common threats and vulnerabilities affecting organizational risk posture
- Hostile cyber and physical attack risks: DDoS, malware, APTs, ransomware
- Human errors and omissions risks: accidental data deletion, misconfigurations
- Environmental and natural disaster risks: earthquakes, floods, fires, hurricanes
- Supply chain risks: counterfeit hardware/software, tampering, poor manufacturing practices
- Technical risks: software bugs, hardware failures, network failures, outdated software
- Political, legal, and regulatory risks: non-compliance, penalties, law changes
- Risk tolerance identification and organizational risk appetite assessment
- Comprehensive organizational risk management strategy development
Where These Skills Can Take You
Job Roles
Disclaimer: Salary ranges represent estimates based on current market data. Individual compensation may vary based on experience, location, and economic factors. This information alone does not guarantee specific salary levels or employment.
Source: Indeed.com Cybersecurity Salary Guide
A/CRMF (This Course)
💼 Junior Risk Analyst $50,000 - $80,000
💼 IT Compliance Specialist $55,000 - $90,000
💼 Incident Response Analyst $60,000 - $95,000
💼 Security Awareness Trainer $55,000 - $85,000
💼 GRC Analyst $65,000 - $100,000
And A/CRMF is a prerequisite for 👇
A/CRMP
(AKYLADE Cyber Risk Management Practitioner)
⤷ Coming later this year to Simply Cyber Academy
💼 Cyber Risk Analyst $85,000 - $135,000
💼 IT Compliance Lead $95,000 - $150,000
💼 Risk Management Consultant $100,000 - $165,000
💼 IT Audit Manager $115,000 - $175,000
💼 Chief Risk Officer $180,000 - $400,000

Even More Simply Cyber Academy GRC Courses
Simply Cyber Academy is tailored to empower those seeking a rewarding career in cybersecurity GRC.