Phase 0 · Self-assessment — Where would you start? · Lesson 2 of 2
Article · 10 min · +10 pts
The self-assessment is not a test. It is a compass. Every wrong answer points you to the phase where you will get the most value.
Each question in the assessment maps to a skill domain that the bootcamp covers:
1. Framework knowledge (Phase 1 + Phase 8): Can you name the specific SOC 2 criterion, ISO 27001 control, or NIST CSF function that applies to a given technical control? This is the translation skill. Most IT professionals can implement MFA. A GRC Engineer can also explain why it satisfies CC6.1 and A.9.4.2.
2. Identity and access management (Phase 2): Can you write an IAM policy from scratch? Do you know the difference between RBAC and ABAC, and when to use each? Can you design an SSO architecture that satisfies both security requirements and user experience? Identity is the largest attack surface in cloud environments and the most heavily audited domain.
3. Cloud fundamentals (Phase 1): Do you understand the shared responsibility model, not just conceptually but concretely? When an auditor asks what AWS handles vs. what your team handles for a specific control, can you answer without looking it up?
4. Infrastructure as code and automation (Phase 9): Can you read a Terraform module and spot the compliance issue? Can you write a policy-as-code check in OPA or Cedar? Automation is what separates a GRC Engineer from a GRC Analyst. If you cannot read code, you cannot verify controls programmatically.
5. Audit and evidence thinking (Phase 8): Do you know the difference between control design and operating effectiveness? When an auditor asks for evidence, do you reach for a system export or a screenshot? This domain tests whether you think like someone who has been through an audit cycle.
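Domains 1, 4 and 5 above describe one workflow: read infrastructure as code, verify a control programmatically, map the result to a framework criterion, and produce evidence an auditor can re-check. The following is an added example, written for this page and not part of the bootcamp's own material, that runs that workflow in Python over a constructed, trimmed JSON structure shaped like `terraform show -json` output. The resource values, the check names, and the SOC 2 / ISO 27001 mappings are assumptions chosen to illustrate the idea; confirm any mapping against the framework text before using it in a real control matrix.

```python
import hashlib
import json

# Constructed sample shaped like a heavily trimmed `terraform show -json <planfile>` output.
# It is not a real plan; the resource values are chosen to exercise the checks below.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_db_instance.app", "type": "aws_db_instance", "name": "app",
                 "values": {"storage_encrypted": False, "publicly_accessible": True}},
                {"address": "aws_db_instance.reports", "type": "aws_db_instance", "name": "reports",
                 "values": {"storage_encrypted": True, "publicly_accessible": False}},
            ],
            "child_modules": [
                {"address": "module.analytics", "resources": [
                    {"address": "module.analytics.aws_db_instance.warehouse",
                     "type": "aws_db_instance", "name": "warehouse",
                     "values": {"storage_encrypted": False, "publicly_accessible": False}},
                ]},
            ],
        }
    },
})

# Policy-as-code checks. Each one names the technical requirement and the framework
# criteria it supports. The mappings are illustrative assumptions for this example.
CHECKS = [
    {
        "id": "rds-storage-encrypted",
        "resource_type": "aws_db_instance",
        "passes": lambda v: v.get("storage_encrypted") is True,
        "maps_to": ["SOC 2 CC6.1", "ISO 27001:2013 A.10.1.1"],
    },
    {
        "id": "rds-not-publicly-accessible",
        "resource_type": "aws_db_instance",
        "passes": lambda v: v.get("publicly_accessible") is not True,
        "maps_to": ["SOC 2 CC6.6", "ISO 27001:2013 A.13.1.1"],
    },
]


def iter_resources(plan):
    """Yield every planned resource, descending into nested modules."""
    stack = [plan["planned_values"]["root_module"]]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def evaluate_plan(plan_json, checks=CHECKS):
    """Run every check against every matching resource; return the failures."""
    plan = json.loads(plan_json)
    findings = []
    for resource in iter_resources(plan):
        for check in checks:
            if resource["type"] != check["resource_type"]:
                continue
            if not check["passes"](resource.get("values", {})):
                findings.append({
                    "check": check["id"],
                    "resource": resource["address"],
                    "maps_to": check["maps_to"],
                })
    return findings


def evidence_record(plan_json, checks=CHECKS):
    """Build an evidence record: what was checked, against which input, with what result.

    Hashing the plan ties the result to the exact system export that was evaluated,
    which is the kind of artifact an auditor can re-verify, unlike a screenshot.
    """
    findings = evaluate_plan(plan_json, checks)
    return {
        "input_sha256": hashlib.sha256(plan_json.encode("utf-8")).hexdigest(),
        "checks_run": [c["id"] for c in checks],
        "findings": findings,
        "result": "FAIL" if findings else "PASS",
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record(SAMPLE_PLAN), indent=2))
```

Run it and the sample produces three findings: `aws_db_instance.app` fails both checks and the warehouse instance inside the child module fails encryption, while `reports` passes. The same evaluator runs unchanged on real `terraform show -json` output, and the hashed record is what you hand to an auditor when asked whether the control is operating, not just designed.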
There is no wrong starting point
The curriculum is designed so each phase stands on its own. You can start anywhere. Starting at the right place just means you spend less time on material you already know.
You have strong fundamentals across all domains. Jump to Phase 2 (Identity & Access) to build depth in the most in-demand skill domain, or go straight to Phase 8 (Translation Layer) to learn the control-mapping work that is the core of the GRC Engineer role.
Solid foundation with some gaps. Start at Phase 1 (Foundations) to fill them, then move to Phase 2. Pay extra attention to the domains where you missed questions.
You know some domains well and others not at all. Start at Phase 1 and work through sequentially. The phases you are strong in will go fast.
Start at the beginning and work through linearly. Phase 0 (you are here) into Phase 1 into Phase 2. The bootcamp assumes zero prerequisites. Every concept is explained from first principles with concrete examples. You will not be lost.
Most people who take this bootcamp score 6-10 on the assessment. The typical profile:
This is expected. The bootcamp exists because GRC Engineering is a cross-domain role that no single background fully prepares you for. The assessment just tells you which gaps to close first.
Do not retake the assessment to get a higher score. The score does not matter. What matters is that you are honest about what you know and what you do not. The people who learn the most from this bootcamp are the ones who start where they actually are, not where they want to be.