Overview
IT governance shapes every technology decision you make at work — which projects get funded, how changes are approved, why auditors want evidence of your controls. This by-example guide teaches IT Governance, Risk and Compliance through 85 annotated real-world scenarios, built for software engineers without prior GRC experience.
Why Software Engineers Need This
Every engineer eventually encounters IT governance:
- An architect review board rejects your design — governance
- A CAB blocks your deployment — change governance
- An auditor asks for evidence of access reviews — compliance
- A compliance questionnaire lands on your team — regulatory governance
- A vendor is onboarded and you need a security assessment — third-party governance
Understanding how these systems work makes you a faster, more credible contributor in every one of these situations — and a stronger candidate for tech lead, staff engineer, and platform roles.
What Is IT-GRC By-Example Learning?
IT-GRC by-example uses the Scenario By-Example format: each example is an annotated governance artifact (risk register, policy excerpt, COBIT objective, audit finding, board report) with # => comments explaining the reasoning, trade-off, and decision rationale behind every element.
This is not code. The artifacts are:
- YAML-formatted governance documents (risk registers, maturity assessments, charters)
- Markdown tables (RACI matrices, compliance mappings, KPI dashboards)
- Policy excerpts (IT policies, SLAs, treatment plans)
Learning Progression
| Level | Engineer Context | What You Learn |
|---|---|---|
| Beginner | "I want to understand what IT governance is" | Governance vs management, COBIT 2019, ISO 38500, risk basics, control types, policy hierarchy, audit fundamentals |
| Intermediate | "I need to apply frameworks in my org" | COBIT objectives, ITIL 4/V5, ISO 27001 SoA, NIST CSF 2.0, FAIR quantification, DORA basics, board reporting |
| Advanced | "I lead or influence governance programs" | Operating model design, AI governance (ISO 42001, EU AI Act), DORA compliance, ERM integration, continuous compliance, transformation programs |
Prerequisites
- Basic familiarity with organizational structures (you have worked in a company)
- No prior GRC, audit, or compliance background required
- No coding or technical setup needed
Frameworks Covered
| Framework | Version | Domain |
|---|---|---|
| COBIT 2019 | Current (ISACA) | IT governance and management |
| ISO/IEC 38500 | 2024 edition | IT governance principles |
| ISO 31000 | 2018 edition | Risk management |
| ITIL 4 / ITIL V5 | V5 launched Feb 2026 | IT service management governance |
| NIST CSF | 2.0 (Govern function) | Cybersecurity governance |
| ISO/IEC 42001 | 2023 edition | AI management system |
| NIST AI RMF | 1.0 | AI governance |
| DORA | In force Jan 2025 | EU financial sector resilience |
| COSO ICIF | 2013 + Feb 2026 AI supplement | Internal control |
Structure of Each Example
Every example follows the five-part scenario-by-example format:
- What This Covers — what governance concept and why it matters (2-3 sentences)
- Scenario — fictional organization type, size, and decision-maker role
- Annotated Artifact — YAML, table, or policy excerpt with # => annotations explaining the reasoning
- Key Takeaway — core governance insight (1-2 sentences)
- Why It Matters — production relevance (50-100 words)
Examples by Level
Beginner (Examples 1–28)
- Example 1: What Is IT Governance
- Example 2: Governance vs Management — The COBIT Distinction
- Example 3: COBIT 2019 — Six Governance Principles
- Example 4: COBIT 2019 — Five Domains
- Example 5: ISO/IEC 38500:2024 — Six Principles of IT Governance
- Example 6: ISO 31000:2018 — Risk Management Lifecycle
- Example 7: ITIL 4 Service Value System Overview
- Example 8: IT Governance Committee Structure
- Example 9: IT Governance Roles — RACI Matrix
- Example 10: IT Policy Hierarchy
- Example 11: Writing an IT Policy — Acceptable Use Policy
- Example 12: Information Asset Classification
- Example 13: IT Risk Identification — Starter Risk Register
- Example 14: IT Risk Assessment — 5×5 Matrix
- Example 15: Risk Treatment Options
- Example 16: Writing a Risk Treatment Plan
- Example 17: Control Objectives — What They Are
- Example 18: Control Types
- Example 19: Control Testing — Design vs Effectiveness
- Example 20: IT Audit Basics — Scope, Objectives, Evidence
- Example 21: Audit Findings — The 4Cs
- Example 22: Compliance Framework Overview
- Example 23: IT Governance Metrics — KPIs
- Example 24: Service Level Agreement Writing
- Example 25: IT Governance Maturity Model
- Example 26: IT Governance Stakeholder Communication
- Example 27: IT Governance Charter
- Example 28: IT Investment Decision Framework
Intermediate (Examples 29–57)
- Example 29: COBIT 2019 Gap Analysis — EDM01
- Example 30: COBIT 2019 APO12 — Risk Management Objective
- Example 31: COBIT 2019 BAI06 — Change Management Objective
- Example 32: COBIT 2019 MEA01 — Monitoring Performance
- Example 33: ITIL 4 — Change Enablement Practice
- Example 34: ITIL 4 — Incident Management Practice
- Example 35: ITIL 4 — Service Level Management Practice
- Example 36: ITIL 4 vs ITIL V5 — What Changed in February 2026
- Example 37: ISO/IEC 38500:2024 Applied to Cloud Adoption
- Example 38: ISO 31000:2018 — Risk Treatment Plan
- Example 39: ISO 27001:2022 as a Governance Instrument
- Example 40: NIST CSF 2.0 Govern Function
- Example 41: SOC 2 Governance Requirements
- Example 42: GDPR Data Governance Obligations
- Example 43: PCI DSS v4.0 Governance Requirements
- Example 44: FAIR Risk Quantification
- Example 45: Enterprise Risk Management Integration
- Example 46: Third-Party Governance Program
- Example 47: IT Audit Program Development
- Example 48: Control Deficiency Classification
- Example 49: Remediation Tracking — Findings Management
- Example 50: Continuous Control Monitoring Program
- Example 51: Board IT Governance Reporting Dashboard
- Example 52: IT Investment Portfolio Governance
- Example 53: Data Governance Program Basics
- Example 54: Architecture Governance Review
- Example 55: Business Continuity Governance
- Example 56: Regulatory Compliance Calendar
- Example 57: GRC Tool Selection Criteria
Advanced (Examples 58–85)
- Example 58: IT Governance Operating Model Design
- Example 59: COBIT 2019 Implementation Roadmap — 7-Phase Approach
- Example 60: COBIT Focus Area — AI Governance Using COBIT 2019
- Example 61: ISO/IEC 38500:2024 — AI and Sustainability Additions
- Example 62: ITIL V5 Transition Planning
- Example 63: Cloud Governance Framework
- Example 64: AI Governance Program — ISO 42001 and NIST AI RMF Mapping
- Example 65: EU AI Act Compliance for IT Governance
- Example 66: DORA Compliance Program — ICT Risk Management Requirements
- Example 67: DORA — Incident Reporting and Resilience Testing
- Example 68: ESG Integration with IT GRC
- Example 69: Data Governance Maturity Model
- Example 70: ERM Integration — IT Risk Committee Structure
- Example 71: IT Governance During M&A
- Example 72: Regulatory Examination Preparation — Financial Services
- Example 73: Continuous Compliance Automation
- Example 74: GRC Platform Implementation — ServiceNow GRC Process Mapping
- Example 75: IT Governance Benchmarking
- Example 76: IT Governance Transformation Program
- Example 77: Third-Party Risk Governance — Advanced TPRM
- Example 78: COSO ICIF 2013 Applied to IT Controls
- Example 79: IT Governance ROI — Business Case
- Example 80: Board Technology Committee
- Example 81: IT Governance Culture and Awareness Program
- Example 82: IT Governance Annual Program Review
- Example 83: Regulatory Change Management
- Example 84: IT Governance Succession Planning
- Example 85: Building a World-Class IT Governance Program
Last updated May 20, 2026