7 hands-on GRC projects

- A Deloitte Cloud Security Analyst shared seven practical GRC projects aimed at resume and skills building.
- Suggested projects include risk registers, vendor assessments, SOC 2 cloud mapping, compliance dashboards, and mock audits.
- These projects offer concrete examples auditors can use to demonstrate internal-controls ownership and operational readiness in interviews (x.com).

A Deloitte cloud security analyst published a seven-project guide on January 3, 2026 that turns Governance, Risk, and Compliance work into portfolio pieces. (artempolynko.com) Artem Polynko’s list starts with a mini compliance program and a mock-company risk register, then moves to a vendor assessment template, an incident response plan, SOC 2 cloud control mapping, a compliance dashboard, and a mock internal audit. (artempolynko.com) The post frames the projects as “beginner-to-intermediate” work that can produce screenshots, evidence, reports, and other artifacts a candidate can bring into interviews instead of relying on resume bullets alone. (artempolynko.com)

Governance, Risk, and Compliance work is the part of cybersecurity that documents rules, scores risk, checks controls, and shows management what is working. Deloitte describes GRC work as improving decision-making, aligning security with enterprise risk, and standardizing reporting across the business. (deloitte.com) That makes the project list a map of common entry-level tasks: identify risks, review vendors, collect evidence, and report gaps in a format managers and auditors can use. NIST says risk assessments give leaders the information needed to decide how to respond to identified risks. (csrc.nist.gov)

Several of the seven ideas line up with established frameworks. The SOC 2 exercise mirrors the American Institute of Certified Public Accountants’ Trust Services Criteria, which cover security, availability, processing integrity, confidentiality, and privacy. (aicpa-cima.com) The vendor questionnaire project tracks with federal supply-chain guidance. The Cybersecurity and Infrastructure Security Agency says its small-business vendor assessment guide gives organizations standardized questions and step-by-step help for evaluating suppliers of hardware, software, and services. (cisa.gov)

The incident response project also mirrors real practice more closely than a policy-only exercise. CISA’s tabletop exercise materials are built to help teams update response protocols, recovery plans, and related procedures after walking through a scenario. (cisa.gov)

The mock audit project fits a profession that updated its own rulebook this year. The Institute of Internal Auditors’ new Global Internal Audit Standards took effect on January 9, 2025, replacing the older 2017 framework for active internal audit functions. (iia.org.sg)

Polynko’s list does not promise a certification or a job offer, but it gives candidates seven concrete ways to show they can own controls, document evidence, and walk into an interview with work already done. (artempolynko.com)

Shared from Scout - Be the smartest in the room.