Free GRC Resources
Practical guides, templates and webinars to help you build your GRC program — whether you use CapGRC or not.
Law 25 — Phase 3: what changes in September 2024
Analysis of phase 3 obligations and action plan for your organization.
How to choose your first GRC framework
Decision guide: ISO 27001, SOC 2, or start with Law 25?
Articles and guides
Zero Trust: why zero-trust architecture is becoming essential in Canada
The traditional perimeter security model has reached its limits. With the proliferation of remote work, cloud services and third-party access, Canadian organizations must adopt a r
9 min read
Security incident management under Law 25: obligations and best practices
Since September 2023, Law 25 has imposed strict obligations on Quebec organizations regarding privacy incident notification. An unreported or poorly managed incident can result in
10 min read
ISO 27001 vs SOC 2: which certification should your Canadian organization choose?
Facing increasing security requirements, many Canadian organizations must choose between ISO 27001 and SOC 2. Both certifications address similar objectives but target different ma
11 min read
How to map your information assets in compliance with Law 25
Information asset mapping is the foundation of any effective GRC program and a Law 25 requirement to demonstrate that you know what personal information you hold.
8 min read
DORA: how Canadian companies with European operations must prepare
The European DORA regulation came fully into force on January 17, 2025. Canadian financial institutions offering services in Europe or collaborating with European entities are dire
10 min read
The 10 essential risk indicators for your CISO dashboard
An effective GRC dashboard is not measured by the number of indicators displayed, but by their relevance to decision-making. Here are the 10 KRIs that every CISO should monitor as
7 min read
NIS2 and the Canadian public sector: anticipating new digital resilience requirements
The European NIS2 directive came into application in October 2024. Its implications affect Canadian organizations partnering with European entities in critical sectors.
9 min read
Artificial intelligence and GRC internal audit: opportunities and risks for Canadian organizations
Artificial intelligence is profoundly transforming internal audit practices. AI tools enable analysis of massive data volumes and anomaly detection, but also introduce new risks.
11 min read
Complete Guide to Law 25: Obligations and Compliance
Everything you need to know about Quebec's Law 25: obligations, timelines and practical steps to bring your organization into compliance.
12 min read
How to Conduct a Risk Assessment for an SME
Practical method to identify, assess and treat security risks in a small or medium-sized enterprise.
8 min read
DPIA: Practical Guide for Privacy Officers
How to conduct a Privacy Impact Assessment compliant with Law 25, step by step.
10 min read
5 Common Mistakes in GRC Internal Auditing
The most frequent pitfalls in internal audit programs and how to avoid them to gain efficiency.
7 min read
Managing Multiple GRC Frameworks Simultaneously
Strategies to align ISO 27001, Law 25 and PCI-DSS in a unified GRC program without duplicating efforts.
9 min read
ISO 27001 Certification in 6 Months: Lessons Learned
How a Quebec SME obtained its ISO 27001 certification in 6 months with CapGRC.
11 min read
PCI-DSS v4.0: What You Need to Know
Analysis of the major changes in PCI-DSS version 4.0 and their impact on Canadian organizations.
8 min read
Understanding DORA: The European Digital Resilience Regulation
Complete guide to the Digital Operational Resilience Act (DORA): scope, obligations and impact on Canadian financial institutions.
14 min read
Understanding PIPEDA: Canada's Federal Privacy Law
Complete guide to the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
12 min read
Templates
Free to download, no registration required.
Risk register template
Pre-configured Excel spreadsheet to start your security risk register.
Law 25 PIA template
Structured Word template for your privacy impact assessments.
Law 25 compliance checklist
Complete checklist of Law 25 obligations by implementation phase.
Internal audit plan template
Template to structure your annual risk-based audit plan.
Want to go further?
See how CapGRC can help you structure your GRC program and automate your compliance.
