Implementing Security Frameworks in Practice – From Gap Assessment to Roadmap (ISO 27001, NIST CSF, SOC 2)
Enroll any time. Learn at your own pace.
Implementing Security Frameworks in Practice: From Gap Assessment to Roadmap (ISO 27001, NIST CSF, SOC 2) is a 10-hour micro-credential for experienced cyber and GRC professionals who need to turn framework knowledge into real implementation. You will learn how to apply ISO 27001, the NIST Cybersecurity Framework, and SOC 2 within organizations, run structured, multi-framework gap assessments, rationalize overlapping controls, and build prioritized, multi-year roadmaps that reflect mission, regulatory, and contractual realities across portfolios of federal and defense contracts.
Implementing Security Frameworks in Practice – From Gap Assessment to Roadmap (ISO 27001, NIST CSF, SOC 2)
Audience
This micro-credential is designed for GRC analysts and senior GRC analysts; GRC leads and managers; IT and cybersecurity risk analysts; IT compliance analysts and security compliance specialists focused on NIST, ISO 27001, and SOC 2; security policy and governance analysts; ISSOs and ISSMs; cybersecurity and information security managers; security and cybersecurity program managers overseeing framework adoptions and audits; security and IT audit managers; security and enterprise architects; cybersecurity GRC architects; senior cyber risk and compliance consultants; lead governance specialists; and deputy CISOs or directors of information security still hands-on with frameworks and roadmaps.
What This Course Covers
Module 1
Frameworks in Context — ISO 27001, NIST CSF, SOC 2
Establish a practical understanding of ISO 27001, NIST CSF, and SOC 2 and how they appear together in regulated and GovCon environments. Compare scope, assurance models, and how these frameworks show up in RFPs, contracts, and customer expectations so you can position them effectively.
Module 2
Scoping and Gap Assessment Across Frameworks
Learn to define a defensible scope and conduct structured gap assessments that support one or more frameworks at once. Identify in-scope systems, services, and contracts; design assessment plans; and collect reusable evidence across people, process, and technology.
Module 3
Control Mapping and Rationalization
Practice mapping and rationalizing controls across ISO 27001, NIST CSF, and SOC 2 to avoid duplication and confusion. Build a unified control set and controls register that supports “single control, multiple obligations” thinking and simplifies implementation and governance.
Module 4
From Findings to Roadmap — Prioritization and Sequencing
Translate assessment findings and mappings into realistic, funded roadmaps. Use risk reduction, mission criticality, compliance obligations, feasibility, and dependencies to structure near-, mid-, and long-term roadmap phases aligned with existing security and IT plans.
Module 5
Communicating Progress and Sustaining Framework Adoption
Design metrics, reporting, and governance mechanisms that keep frameworks alive beyond initial projects. Create dashboards and communication artifacts for executives, customers, and auditors, and embed framework requirements into policies, procedures, and operating rhythms for continuous improvement.
Skills and Learning Outcomes
By the end of this micro-credential, participants will be able to:
01
Explain the purpose, scope, and practical use of ISO 27001, NIST CSF, and SOC 2 in government and regulated environments.
02
Define scope and conduct structured, multi-framework gap assessments, collecting evidence that can be reused across frameworks.
03
Map and rationalize controls between ISO 27001, NIST CSF, and SOC 2 to build a unified, efficient control set and controls register.
04
Develop prioritized, phased implementation roadmaps that convert findings into actionable initiatives grounded in risk, mission, and compliance priorities.
05
Design metrics, governance practices, and communication approaches that communicate framework progress and embed frameworks into ongoing operations and decision-making.
Optional Live Sessions
There is an optional two-hour live session with JHU Cybersecurity Subject Matter Experts. See the schedule HERE.
Built for Working Professionals
On-Demand Learning
Complete this micro-credential entirely on your own schedule. An optional 2-hour live session with Johns Hopkins Subject Matter Experts is offered at the end of the month you enroll. See the schedule here.
Scenario-Based Exercises
Videos, activities, templates, reflections, low-stakes assessments, case studies, and facilitated discussion in the live section grounded in government, defense, and contracting environments.
Recognized Credential
Earn a certificate of completion upon completing this micro-credential from the Johns Hopkins Whiting School of Engineering. Use this micro-credential for 10 CPEs for certification maintenance.
Subject Matter Experts
A micro-credential designed and taught by Johns Hopkins subject matter experts with real-world experience in government and defense contracting.
Why Choose Johns Hopkins
Johns Hopkins University Whiting School of Engineering is recognized for its strengths in cybersecurity, systems engineering, and applied research that supports U.S. government and defense missions. This micro-credential offers a rigorous, practice-focused path from framework familiarity to implementation leadership in multi-framework, multi-contract GovCon environments, giving you concrete methods and artifacts to align ISO 27001, NIST CSF, and SOC 2 initiatives with mission, compliance, and business goals.
Pricing and Continuing Education
Program Cost
$338
If you register by July 30
Continuing Education
Eligible for up to 10 CPEs
Includes 10 contact hours of learning
Partnership Discounts
Members of our partnership organizations always receive membership discounts of 10-20%! These discounts do not apply in addition to the early bird rate.
Log in to the membership portal of your association to get your JHU discount codes to use at checkout!
- Information Systems Security Association (ISSA)
- ISC2 Northern Virginia Chapter
- DC Cyber Professionals and the Cover6 Community
Group Enrollment For Your Team
Looking to upskill your team? We offer group enrollment options and discounts to make it simple and cost-effective for organizations of any size. Get in touch, and we will help you get started!
Frequently Asked Questions (FAQ)
Yes. Many learners receive employer support for professional development. Payment options depend on the course type and how the organization plans to pay.
For Executive and Professional Education courses, learners should register as usual and select “Other Method” during checkout if their employer cannot pay by credit card. An EPE team member will follow up within three business days to coordinate payment, such as ACH transfer, employer voucher, or another approved payment arrangement.
For Great Learning courses, learners should contact the EPE team at engineeringexeced@jhu.edu or speak directly with the Great Learning admissions team. The teams will coordinate payment and enrollment.
Organizations interested in enrolling multiple employees or requesting custom education or workforce training solutions should contact the EPE team directly to discuss enrollment options, program needs, and payment arrangements.
Tuition remission is currently available only to eligible full-time Johns Hopkins faculty and staff and applies to a limited number of EPE courses. If a course qualifies, eligible learners who register using their Johns Hopkins email address will automatically have tuition remission applied as their payment method.
Tuition remission does not currently apply to asynchronous (self-paced) online courses or programs taken through our partners such as Great Learning or AIAA. The Johns Hopkins Provost’s Office is reviewing tuition remission policies, including the possibility of extending benefits to asynchronous courses, but no timeline is currently available.
Johns Hopkins alumni receive a 15% discount, which is automatically applied during checkout when they indicate they are alumni.
Eligible Johns Hopkins faculty, staff, students, and Applied Physics Laboratory employees receive a 20% discount on qualifying EPE courses when they register with a Johns Hopkins email address.
Eligible Johns Hopkins faculty and staff receive a 15% discount on Great Learning courses. To receive the discount, learners should identify themselves during the enrollment process and register using a Johns Hopkins email address. Eligibility will be verified before enrollment is finalized.
Select programs may also offer discount codes through partner organizations or special promotions. When available, discount codes can be entered during checkout.
Meet the Johns Hopkins Executive and Professional Education Cybersecurity Instructors
Andrea Molina, PhD, CISM, ITIL, CEH, PMP
Dr. Andrea Molina is a U.S. Coast Guard officer and senior technical program leader with 19+ years of experience delivering cybersecurity, AI-enabled systems, and enterprise platforms across federal and defense environments. She leads Command & Control and Navigation requirements for a $150M+ C5I portfolio supporting 40K+ users and also founded the Coast Guard’s Cyber Mission Capabilities Branch, delivering deployable cyber operations, threat hunting, and incident response capabilities nationwide. Dr. Molina teaches at Johns Hopkins Engineering for Professionals, where she advises doctoral students in Cyber Analytics and AI/ML. She holds a Doctor of Engineering in Cyber Analytics and specializes in aligning cyber strategy, risk, and AI to mission-critical federal operations.
Caleb Havens, OSCP, CISSP, CRTO, GCPN, eJPT, Security+
Caleb Havens is a Principal Security Consultant at NetSPI, specializing in Red Team Operations and Social Engineering. A former Marine Corps Intelligence and Reconnaissance Officer, he supported the Missile Defense Agency’s Test and Cyber Engineering Directorates and later served as a Red Team Operator for the US Army’s Threat Systems Management Office, conducting adversarial assessments of DoD systems. Caleb now leads Red Team Operations for Fortune 500 organizations across defense, finance, healthcare, and critical infrastructure, bringing real-world operational tradecraft from military intelligence and corporate security to the classroom.
Jay Ferron, CEH, CISM, CISSP, C)PTE, C)ISSM CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM
Jay Ferron is a multi-certified information security subject-matter expert with over 30 years of experience in cybersecurity, compliance, systems integration, and IT transformation. He has led initiatives to design and implement secure architectures, define IT management processes, and establish meaningful operational metrics for organizations across multiple industries.
Throughout his career, Jay has been deeply involved in both the strategic and hands-on aspects of information security, advising leadership while also working directly with technical teams to improve security posture and resilience. He has authored more than 19 technical courses for Microsoft, Global Knowledge, and other training providers, helping thousands of IT professionals advance their skills in security and related technologies. In addition to his technical and teaching work, Jay founded Interactive Security Training, LLC, a firm dedicated to helping organizations secure and manage their data through consulting, implementation, and training services.
Matthew Burch, M.S., CISSP, CEH, Security+, CCIE (R&S), CCIE (SP), CCDS, AWS SAP, AWS SAA, AWS DVA, AWS MLS, AWS Security, PCEP
Matthew Burch is a cybersecurity and cloud computing leader with over 20 years of experience in highly regulated enterprise environments, including financial services and critical infrastructure. He has led large-scale technology, cloud, and AI initiatives aligned with strict governance, risk, and compliance requirements. Matthew has partnered with federal organizations and contractors through workforce development programs, including Department of Defense–aligned initiatives, helping build certification pathways in cybersecurity and cloud technologies. He currently serves as faculty in cloud and AI programs, preparing professionals to operate effectively in secure, mission-critical environments.
Henry Bromley III, MBA, PMP, CISSP-CCSP, CSEP, CEH, CHFI, SEC+
Henry Bromley brings over 30 years of engineering and cybersecurity experience supporting federal missions, spanning nuclear systems, systems engineering, and information systems security. He serves in a lead security engineering role supporting government and commercial cloud-based programs. As an adjunct graduate professor, he teaches Managerial Computer Forensics and has delivered CISSP Common Body of Knowledge instruction, helping to prepare information security professionals. He is committed to equipping students with practical, job-ready skills for securing high-consequence, mission-critical environments.
Farhat Shah, CISSP, PMP
Ms. Shah currently serves as the cybersecurity subject matter expert for the Department of War (DoW). Ms. Shah has worked in different capacities to launch and implement cybersecurity programs and initiatives within her organization. She provided critical cybersecurity support to systems across the U.S Army leading to successive mission completion.
Ms. Shah began her career as a software engineering intern. She graduated from the Army’s Intern Program, earning a Master’s in Software Engineering from Monmouth University. Ms. Shah holds a Bachelor’s in Electrical Engineering and a second Master’s in Technical Management from the Johns Hopkins University. Her experience entails Software development, Systems Engineering, Project Management, and Cybersecurity for information systems that she has gained over her career as an engineer with the Army.
Barry Hudson, CISSP, CGRC, SSCP, CC
Barry Hudson’s career was primarily with large contractors in the US Government sector. The last 15 years took him on an exciting journey; planning, implementing, maintaining, and managing (as ISSO/ISSM) complex cybersecurity systems for two large government facilities. These efforts include creation of policy and procedures, selecting, building and configuring technology infrastructure, production operations, and compliance monitoring prior to turnover to the Government customer.
His newly discovered energy is to share his experiences and perspective, and to grow the Cybersecurity family. Barry holds a CISSP, CGRC, SSCP, and CC is an ISC2 Authorized Instructor, and independent contractor and lecturer.
Sandra Fonseca-Lind, DBA, EdD, CISA, CISM, CRISC, CDPSE
Dr. Sandra Fonseca is an accomplished information technology professional with more than 40 years of experience in the IT industry, including 15 years serving as a Systems Security Manager, Project Manager, and Data Architect at a federal agency in Washington, D.C. She has spent more than 30 years in higher education, teaching undergraduate and graduate courses across all instructional modalities, and has also served as Program Director for IT and Cybersecurity programs.
Dr. Fonseca holds a Doctor of Business Administration (DBA) with a specialization in Management Information Systems and a Doctor of Education (EdD) with a specialization in Instructional Design. She has served as both a volunteer and board officer for several professional organizations, including ISACA, ISSA, PMI, ACFE, and ASQ. She currently serves as Associate Director of Governance for the Washington, D.C. Chapter of ISACA, Education Director for the ISSA NOVA Chapter, and a volunteer with the Washington, D.C. Chapter of PMI.
Implementing Security Frameworks in Practice – From Gap Assessment to Roadmap (ISO 27001, NIST CSF, SOC 2)