Frameworks
Every major framework you'll encounter in an entry-level GRC role, taught in plain English first and then in professional terms.
Think of CSF as the table of contents for a cybersecurity program. It does not tell you exactly how to do anything — it tells you the outcomes you should be able to demonstrate, grouped into six themes.
RMF is the recipe a federal system follows to legally turn on. Each step produces a document. The whole package proves that someone with authority looked at the risk and accepted it.
ISO 27001 cares as much about how you manage security as what controls you have. The ISMS is the engine; Annex A is the parts list you choose from.
SOC 2 is not certification — it is an opinion letter from an auditor. The audit is mostly about producing evidence that you actually do what your policies say.
PCI DSS is a long checklist that protects credit card numbers. The smartest thing you can do is keep card data out of your systems entirely — that shrinks your audit dramatically.
HIPAA Security Rule is about protecting health data in electronic form. It is principles-based — there is no checklist of 'these 50 controls' — so risk analysis is the centerpiece.
GDPR is about respecting individuals' control over their own personal data. Every processing activity needs a documented reason, and individuals have rights you must honor.
CMMC is the DoD's way of making sure its suppliers actually do the security they claim to do. It rides on NIST SP 800-171.
COBIT zooms out further than CSF — it covers IT as a whole (cost, value, performance), not just cybersecurity. You will see it more in audit and board-level work.