GRC
Canada

Risk,
governed with
discipline.

PMP®-certified GRC Analyst and Risk Practitioner. ISO 27001 · NIST CSF · AI Governance · OSFI B-13 · FAIR.

Chris Olowo
PMP® · GRC Practitioner
Frameworks
ISO 27001
NIST CSF
SOC 2
ISO 42001 · AI
FAIR · OSFI B-13
Canada
5+
Years GRC Experience
Regulated · Operational · Advisory
9
Frameworks Assessed
ISO · NIST · SOC · GDPR · CIS · HIPAA · AI · OSFI · PIPEDA
25
Active Credentials
PMP® · GRC · AI Governance · Agile
6
Live GRC Tools
Platform + 5 standalone tools

Governance

GRC programs structured for audit from day one — policies, risk registers, SOAs, and evidence packs that hold up under scrutiny, not just on paper.

ISO 27001 · NIST CSF · GDPR

Risk Quantification

FAIR-based risk quantification delivered in language boards act on — not heat maps that sit in a drawer.

FAIR · ROSI · KPI Dashboards

AI Governance

AI governance that satisfies regulators and enables business — ISO 42001 aligned, operationally grounded, not just checkbox compliance.

ISO 42001 · AI Risk · Responsible AI

Operational Resilience

Business continuity and crisis governance built on operational experience — BCP and incident response that functions under pressure, not just in the plan.

BCP / BIA · ISO 22301 · Incident Response
Frameworks & Bodies
PMI · PMP® · ISO 27001 · NIST CSF · OSFI B-13 · ISO 42001 · SOC 2 · GDPR · PIPEDA · FAIR

Platform
Capabilities

Every module demonstrates a real GRC capability — risk quantification, framework assessment, evidence management, business continuity — structured the way a practitioner would deploy it in an enterprise environment.

Risk Register

14 pre-loaded risks with FAIR quantification, likelihood × impact scoring, treatment decisions, justifications, owner assignment, and remediation due dates. Fully editable.

FAIR · ISO 27001 · NIST CSF
Risk Heatmap & KPI Dashboard

Live Chart.js risk matrix, trend graphs, ROSI calculator, MTTD/MTTR tracking, and board-ready KPI metrics. All calculated dynamically from your register data.

Chart.js · ROSI · KPI
9 Framework Assessments

Full gap assessments across 9 frameworks (ISO 27001, NIST CSF, SOC 2, GDPR, CIS Controls, HIPAA, ISO 42001 (AI), OSFI B-13, and PIPEDA/C-27), each with control-by-control scoring, notes, and exportable PDF reports.

ISO 27001 · SOC 2 · GDPR · HIPAA
Controls Library

Implemented, in-progress, and planned controls with framework references, effectiveness ratings, test dates, owner assignment, and linked risk mapping.

CIS · NIST CSF · Evidence
Evidence & Asset Register

Evidence repository linked to controls, asset inventory with classification and criticality ratings, and a statement of applicability for ISO 27001 Annex A.

ISO 27001 Annex A · SoA
GRC Learning Lab

10 guided missions and 6 enterprise-scale practice projects, each in an isolated workspace with progress tracking, JSON export, and PDF completion report generation.

Projects · Guided Missions
Launch GRC Platform →

No login required · All data stays in your browser · Demo mode clearly labelled

The platform is architected as a single-tenant browser environment, intentionally, to keep it accessible without a login. The Architecture Equivalence table in the Security section documents what each component maps to in a real enterprise deployment. The platform also includes an AI-powered Consulting Brief Generator that transforms GRC data into structured Big 4 engagement briefs, demonstrating AI integration as a consulting workflow capability.

Practice Areas

Live · No login required

Enterprise GRC Platform

A fully interactive GRC command centre. Risk Register with FAIR quantification, 9 framework assessments (ISO 27001, NIST CSF, SOC 2, GDPR, CIS, HIPAA, ISO 42001, OSFI B-13, PIPEDA/C-27), Evidence repository, Statement of Applicability, Incident tracking, Business Continuity BIA, KPI & ROI calculator, and a Reporting Hub generating board-ready PDF exports.

ISO 27001 · NIST CSF · SOC 2 · GDPR · FAIR · KPI · Risk Register
Launch Platform →
Interactive · Learning

GRC Learning Lab

Guided missions and enterprise-scale practice projects inside the live platform. Complete full projects in isolated workspaces with JSON export and PDF completion reports.

Guided Missions · Practice Projects
Open Lab →
Framework · Resilience

Business Continuity & Resilience Program

Live BCP and incident management module — Business Impact Analysis with RTO/RPO/Max Tolerance, criticality ratings, dependency mapping, and annual impact costing. Full incident lifecycle tracking from detection through root cause and lessons learned.

BIA / RTO / RPO · Incident Lifecycle · Operational Risk · Crisis Governance
View BCP →
Framework · AI

AI Governance Risk Model

Risk framework for enterprise AI deployments — model security, regulatory mapping, and governance controls aligned to ISO 42001.

ISO 42001 · AI Risk
View AI Framework →
Toolkit · Compliance

Compliance Audit Toolkit

Centralised toolkit for regulatory compliance audits — evidence collection, control testing, and audit-ready reporting across frameworks.

Audit · Evidence · Compliance
Open Toolkit →

Standalone
GRC Tools

Five production-grade GRC tools built and deployed independently — each a standalone application with its own GitHub repository, Cloudflare deployment, and security architecture. No login required. All data stays in your browser.

Third-Party Risk · ISO 27001 · NIST CSF

Vendor Security Risk Assessment

Interactive vendor onboarding and ongoing security assessment tool. 29 weighted questions across 6 security domains — Data Security, Access Controls, Incident Response, Business Continuity, Compliance, and Sub-processors. Generates a risk-rated report (Critical/High/Medium/Low) with prioritized risk treatments and ISO 27001 control references.

ISO 27001 · NIST CSF · SOC 2 · GDPR Art. 28 · PIPEDA
IAM · UAR · SoD · ISO 27001 · SOC 2

User Access Review (UAR) Tracker

Quarterly user access review and certification workflow with an automated Segregation of Duties (SoD) conflict matrix. Add users, assign roles, certify or revoke access, and detect SoD conflicts across 11 role combinations. Generates a quarterly UAR report with risk ratings, SoD flags, and ISO 27001 / NIST CSF control references.

ISO 27001 A.8.2 · NIST PR.AC-04 · SOC 2 CC6.2 · RBAC · SoD
SOC 2 · Audit Readiness · Evidence Management

SOC 2 Type II Evidence Tracker

Complete evidence collection tracker for SOC 2 Type II audits. Covers all 37 Trust Service Criteria controls across 12 TSC categories. Assign evidence owners, track due dates, monitor collection status, and generate a live Audit Readiness Score. Load all 37 TSC controls as placeholders instantly and export a board-ready audit report.

SOC 2 Type II · 37 TSC Controls · ISO 27001 · AICPA 2017
NIST AI RMF · ISO 42001 · EU AI Act · AI Governance

NIST AI RMF Gap Assessment

Interactive AI governance maturity assessment across all four NIST AI RMF 1.0 core functions — Govern, Map, Measure, Manage. Rates 59 practices on a 0–4 maturity scale, identifies gaps against target state, and generates a prioritized remediation roadmap with ISO 42001:2023 and EU AI Act 2024 control references per gap.

NIST AI RMF 1.0 · ISO 42001:2023 · EU AI Act 2024 · 59 Practices
Security Assurance · Questionnaire · Response Library

GRC Interview Prep & Security Questionnaire Library

Structured library of 30+ pre-written, audit-quality responses to the most common enterprise security questionnaire categories. Every response maps to ISO 27001, SOC 2, NIST CSF, GDPR, and PIPEDA with evidence suggestions. Search by keyword, filter by framework or category, and copy any response to clipboard instantly.

ISO 27001 · SOC 2 · NIST CSF · GDPR · PIPEDA · 30+ Responses
View All on GitHub →

All tools are open source · MIT licensed · No login required · All data stays in your browser

Pro bono ISO 42001 AI governance consulting provided to non-profit organizations in Calgary, operationalizing responsible AI frameworks for community-serving organizations.

GRC Learning
Academy

Two structured 12-week curricula — one for beginners entering GRC, one for practitioners deepening their expertise. Every week links directly to real exercises inside the live ShomriTech GRC Platform and the 5 standalone tools. Sign in with Google or GitHub and your progress is saved to the cloud — pick up exactly where you left off from any device.

🌱 Beginner Track

From Zero to GRC Practitioner

Designed for career changers and those new to GRC. No prior experience required. Build foundational skills week by week — from risk registers through ISO 27001, incident response, vendor risk, privacy, and a full capstone.

Duration: 12 Weeks
Hands-on tasks: 48 Exercises
Commitment: 3–4 hrs/week
ISO 27001 · NIST CSF · SOC 2 · GDPR · PIPEDA
Start Beginner Track →
⚡ Practitioner Track

From Practitioner to GRC Leader

For working GRC professionals who want to go deeper. Tackle FAIR quantification, ISO 42001, EU AI Act, OSFI B-13, PIPEDA, SOC 2 audit programs, and an AI governance leadership capstone.

Duration: 12 Weeks
Hands-on tasks: 52 Exercises
Commitment: 4–6 hrs/week
ISO 42001 · NIST AI RMF · OSFI B-13 · FAIR · EU AI Act
Start Practitioner Track →
24
Total Weeks
100+
Exercises
9
Frameworks
Free
Cloud Sync
Launch GRC Academy →

Progress saved to the cloud · Sign in with Google or GitHub · Free forever · Links directly into the live GRC Platform and all 5 standalone tools
25 Credentials — Core & Selected

Security Architecture.
By Design.

✓ OWASP Top 10 Assessed ✓ Static Secure Hosting ✓ CSP Enforced ✓ No Backend Attack Surface ✓ SRI on External Scripts ✓ Responsible Disclosure Policy

Security controls on this platform are implemented where the static architecture permits and documented honestly where they are not — including known limitations and accepted risks.

Secure Static Hosting

Deployed on Cloudflare Pages with HTTPS enforced. There is no application server runtime, so the server-side bug classes (SQL injection, RCE, authentication bypass) have nowhere to occur; what remains is the client-side and supply-chain surface addressed by the controls below.

Cloudflare Pages · HTTPS Only · No Backend · TLS 1.3
Content Security Policy

A Content Security Policy is delivered on every page as an HTTP response header from the Cloudflare Pages _headers file, not as a meta tag (frame-ancestors is ignored when set via <meta http-equiv>). Script execution is restricted to self and trusted CDNs; inline script is not permitted, while inline styles remain allowed under style-src only. connect-src is restricted to the two endpoints the client actually calls: the Anthropic API (AI-powered Consulting Brief Generator) and Google Analytics (privacy-respecting visitor analytics).

CSP Level 3 · frame-ancestors 'none' · base-uri 'self'
Dependency Security

All external scripts (Chart.js) are loaded from cdnjs with Subresource Integrity (SRI) hashes, ensuring tampered CDN files are blocked by the browser before execution.

SRI Hashes · Pinned Versions · CDN Integrity
XSS Prevention

All user-supplied data is HTML-encoded via a purpose-built esc() output encoder before any DOM insertion, so it is rendered as text rather than parsed as markup. URL inputs are validated to block javascript: and data: URI injection before they reach an href.

HTML Encoding · URL Validation · OWASP A03
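The esc() and escUrl() pair this card describes (and that the STRIDE Elevation of Privilege row and the OWASP A03 entry cite again), written out as an added example. This is not the platform's own source, which the page does not reproduce; the function names follow the page, while the handling of whitespace, control characters and mixed-case schemes, the allow-list of schemes, and the renderRiskRow() helper are assumptions about what a hardened version should do.

```javascript
// Added example, not the platform's own esc()/escUrl() source (the page
// names them but does not show them). Names follow the page; the edge-case
// handling and renderRiskRow() are assumptions about a hardened version.

// Five characters that can break out of text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output-encode a value for insertion into HTML text or a quoted attribute.
// Prefer textContent when no markup is needed; use esc() when building
// innerHTML strings.
function esc(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const SAFE_SCHEMES = ['http:', 'https:', 'mailto:'];

// Validate a user-supplied link before it reaches an href. Browsers ignore
// leading/embedded control characters and whitespace when reading a scheme
// and compare it case-insensitively, so "\tjavascript:" and "JaVaScRiPt:"
// are stripped/normalised first; anything not on the allow-list becomes "#".
function escUrl(value) {
  const raw = String(value ?? '').replace(/[\u0000-\u0020\u007f]/g, '');
  if (raw === '') return '#';
  // No scheme at all: treat as a same-origin relative path, but refuse
  // protocol-relative "//host", which would silently change origin.
  if (!/^[a-z][a-z0-9+.-]*:/i.test(raw)) {
    return raw.startsWith('//') ? '#' : esc(raw);
  }
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return '#';
  }
  if (!SAFE_SCHEMES.includes(parsed.protocol.toLowerCase())) return '#';
  return esc(parsed.href); // still attribute-encode: query strings carry "&"
}

// Build a risk-register row from untrusted fields without concatenating
// raw input into markup. Field names are assumed for the example.
function renderRiskRow(risk) {
  return `<tr><td>${esc(risk.title)}</td>` +
    `<td><a href="${escUrl(risk.link)}" rel="noopener noreferrer">${esc(risk.owner)}</a></td></tr>`;
}
```

The scheme allow-list is the important design choice: a deny-list of javascript: and data: misses vbscript:, blob: and whatever the next browser adds, while an allow-list fails closed. Rejected links degrade to "#" rather than being dropped, so the row still renders and the bad value is visible in the register for review.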
Data Protection

The GRC Platform stores all data in browser localStorage only. That storage is scoped to the user's browser profile and this origin: it never leaves the device, it persists until the user clears it, and it is readable by any script running on the origin, which is why the CSP and SRI controls above carry the weight. Exports are rate-limited (5/min) and audit-logged. Internal platform datasets are never included in user exports.

Client-Scoped Data · Rate Limiting · Audit Logging
DevSecOps Practices

Repository is configured for secret scanning (GitHub Advanced Security). All commits are reviewed for accidental credential exposure. Security headers, a responsible disclosure policy (security.txt), and clickjacking prevention (X-Frame-Options: DENY) are implemented.

Secret Scanning · security.txt · X-Frame-Options
⚔️ STRIDE Threat Model

Methodology: STRIDE (Microsoft SDL) · Assets in scope: portfolio source code, GitHub repository, CDN dependencies, client browser session · Review date: March 2026

STRIDE | Threat | Mitigation | Status
Spoofing | Identity spoofing / impersonation of portfolio owner | No authentication surface exists. LinkedIn/GitHub accounts protected with 2FA. OSINT exposure is intentional and managed. | Accepted · Monitored
Tampering | CDN script replacement / supply chain compromise | Subresource Integrity (SRI) hashes on all CDN scripts. Tampered files are rejected by the browser before execution. | Mitigated · SRI
Repudiation | Denial of data export actions in GRC platform | Client-side audit log records export events with timestamps in localStorage. Controls are localStorage-scoped and cannot prevent a determined user from clearing them; accepted as a limitation of a static architecture with no server-side enforcement available. | Accepted · Client-scoped
Information Disclosure | Source code exposure / console data leakage / OSINT | No secrets or credentials in source. console.warn() calls removed. No backend, so no server-side data to leak. Public OSINT is intentional portfolio exposure. | Mitigated · Reviewed
Denial of Service | GitHub Pages availability disruption | GitHub Pages infrastructure handles availability; static files have no compute layer to exhaust. DoS risk accepted; mitigated by GitHub's platform SLA. | Accepted · GitHub SLA
Elevation of Privilege | XSS → session hijack / privilege escalation | CSP blocks inline script injection. All user input HTML-encoded via esc(). URL inputs validated to block javascript: injection. No privilege levels exist to escalate to. | Mitigated · CSP + esc()
🗂️ GRC Control Mapping

Portfolio security controls mapped to the NIST Cybersecurity Framework (CSF 1.1 subcategory identifiers) and ISO/IEC 27001:2022 Annex A. Methodology aligns with NIST SP 800-30.

Control | NIST CSF Ref | ISO 27001 Ref | Implementation | Evidence | Status
HTTPS Enforcement | PR.DS-02 | A.8.24 | GitHub Pages HTTPS enforced (infrastructure level) · Cloudflare Always Use HTTPS enabled · HSTS header set by GitHub Pages infrastructure | Browser padlock · HSTS header | Implemented
XSS Prevention | PR.DS-02 | A.8.28 | HTML encoding via esc() · URL validation via escUrl() · CSP script-src | Source code review · HTTP response header via Cloudflare Pages | Implemented
Clickjacking Prevention | PR.AC-04 | A.8.28 | X-Frame-Options: DENY · CSP frame-ancestors 'none' | Both delivered as HTTP response headers via the Cloudflare Pages _headers file · Verified: securityheaders.com Grade A · DevTools Network tab | Implemented
Dependency Integrity | ID.SC-04 | A.8.8 | SRI sha512 hash on Chart.js CDN · Version pinned to 4.4.4 | integrity= attribute in source | Implemented
Content Security Policy | PR.AC-04 | A.8.28 | CSP Level 3 · script-src, style-src, connect-src (api.anthropic.com), base-uri, form-action | HTTP response header via Cloudflare Pages _headers file · DevTools verification · securityheaders.com Grade A | Implemented
Secure External Links | PR.AC-04 | A.8.28 | All target=_blank links include rel="noopener noreferrer" | Source code audit · tab-nabbing test | Implemented
Secret Scanning | ID.SC-04 | A.8.8 | GitHub Advanced Security secret scanning enabled on repository | GitHub Security tab · gitleaks recommended | Partial
Responsible Disclosure | RS.CO-01 | A.6.8 | RFC 9116 security.txt published at /.well-known/security.txt | security.txt file · LinkedIn contact | Implemented
Export Rate Limiting | PR.AC-04 | A.8.20 | 5 exports per 60 s enforced client-side · Excess blocked with user notice · localStorage-scoped; bypassable via DevTools, acceptable given no server-side attack surface | Source code · checkExportRateLimit() | Implemented (client-scoped)
Audit Logging | DE.CM-03 | A.8.15 | All data export events timestamped and stored in grc_export_log · localStorage-scoped; bypassable via DevTools, an accepted limitation of a static client-only architecture | localStorage audit trail · export functions | Implemented (client-scoped)
⚙️ DevSecOps Controls

Repository-level and pipeline security controls in effect for this portfolio.

Repository Security

GitHub Secret Scanning — automatic detection of credentials in commits
Branch Protection — main branch protected against force-push
No Build-Time Dependencies — zero npm packages, so there is no build pipeline to compromise; the only runtime dependency is Chart.js from the CDN, version-pinned and SRI-protected as listed under Dependency Security
gitleaks recommended — run against full commit history to verify no historical secret exposure

Dependency Security

SRI Hashes — all CDN scripts pinned with sha512 integrity attributes
Version Pinning — Chart.js 4.4.4 explicitly versioned, not loaded via "latest"
No eval() — no dynamic code execution in any script block
CDN Fallback — Chart.js stub prevents crash if CDN is unavailable

Static Security Testing

Manual code review — full HTML/CSS/JS audit performed against OWASP Top 10
OWASP ZAP — recommended passive scan against live Cloudflare Pages URL
CSP Evaluator — Google CSP Evaluator tool used to validate policy strength
securityheaders.com — header analysis recommended post-deployment

Infrastructure Security

Cloudflare Pages HTTPS — TLS enforced, HSTS supported, Cloudflare DDoS protection in front of the static origin
Zero server attack surface — static files only, no compute layer to exploit
security.txt (RFC 9116) — responsible disclosure policy published
X-Frame-Options: DENY — clickjacking prevention via HTTP response header (Cloudflare Pages _headers file)
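The _headers file the page keeps referring to (CSP card, Clickjacking and Content Security Policy rows, this list) is described but never reproduced. The block below is an added example, not the portfolio's actual file: a CSP as a directive map, a serializer that emits the Cloudflare Pages _headers text, and a linter for the weaknesses a reviewer checks first, with a weak first draft beside the hardened policy. The CDN and analytics host names are assumptions based on the services the page names.

```javascript
// Added example, not the portfolio's own _headers file. Host names are
// assumptions; api.anthropic.com, cdnjs and Google Analytics are the
// services the page names.
const SELF = "'self'";

// Hardened policy in the shape the page describes: scripts from self and the
// pinned CDN only, connect-src limited to the two endpoints the client calls,
// no framing, no <base> hijack, forms only to self.
const HARDENED_CSP = {
  'default-src': [SELF],
  'script-src': [SELF, 'https://cdnjs.cloudflare.com'],
  'style-src': [SELF, "'unsafe-inline'"], // accepted: inline styles only, never inline script
  'img-src': [SELF, 'data:'],
  'connect-src': [SELF, 'https://api.anthropic.com', 'https://www.google-analytics.com'],
  'object-src': ["'none'"],
  'base-uri': [SELF],
  'form-action': [SELF],
  'frame-ancestors': ["'none'"],
};

// A typical first draft that loads without errors and protects nothing.
const WEAK_CSP = {
  'default-src': [SELF, 'https:'],
  'script-src': [SELF, "'unsafe-inline'", 'https:'],
};

function serializeCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Effective script sources: script-src, else the default-src fallback.
function scriptSources(policy) {
  return policy['script-src'] ?? policy['default-src'] ?? [];
}

const CSP_RULES = [
  [(p) => scriptSources(p).includes("'unsafe-inline'"), "script-src allows 'unsafe-inline': injected inline script runs"],
  [(p) => scriptSources(p).includes("'unsafe-eval'"), "script-src allows 'unsafe-eval'"],
  [(p) => scriptSources(p).some((s) => ['*', 'https:', 'http:'].includes(s)), 'script-src contains a wildcard or scheme-only source'],
  [(p) => !p['object-src'], 'object-src missing: plugin content falls back to default-src'],
  [(p) => !p['base-uri'], 'base-uri missing: an injected <base> can redirect relative script URLs'],
  [(p) => !p['frame-ancestors'], 'frame-ancestors missing: the page can be framed (clickjacking)'],
];

function auditCsp(policy) {
  return CSP_RULES.filter(([test]) => test(policy)).map(([, finding]) => finding);
}

// Cloudflare Pages _headers format: a path pattern, then indented
// "Header: value" lines. Shipping these as HTTP response headers matters
// because frame-ancestors and X-Frame-Options are ignored in <meta http-equiv>.
function renderHeadersFile(policy) {
  return [
    '/*',
    `  Content-Security-Policy: ${serializeCsp(policy)}`,
    '  X-Frame-Options: DENY',
    '  X-Content-Type-Options: nosniff',
    '  Referrer-Policy: strict-origin-when-cross-origin',
    '  Strict-Transport-Security: max-age=31536000; includeSubDomains',
  ].join('\n') + '\n';
}
```

Write the output of renderHeadersFile(HARDENED_CSP) to the repository root as _headers and confirm the result the way the control table says: open the Network tab, pick the document request, and read the response headers. If Google Analytics is loaded as a script rather than only contacted over connect-src, its script host has to be added to script-src or the linter's hardened policy will block it, which is the kind of mismatch the securityheaders.com and CSP Evaluator checks above are meant to surface.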

🔟 OWASP Top 10 — Mitigation Map

A01

Broken Access Control

No backend means no server-side access control layer to break. All data is scoped to the browser's localStorage; there is no multi-user model, so anyone using that browser profile sees all of it.

A02

Cryptographic Failures

HTTPS enforced on all pages. No sensitive data is transmitted or stored server-side. localStorage is not encrypted at rest, so the demo is not a place for real confidential data; the production equivalent is an encrypted backend database (see Architecture Equivalence).

A03

Injection (XSS)

All user input is HTML-encoded via esc(). URL inputs validated to block protocol injection.

A04

Insecure Design

Threat-modelled as a static portfolio — minimal attack surface by architecture. Demo banner prevents misrepresentation of capabilities.

A05

Security Misconfiguration

CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers applied. HTTPS enforced.

A06

Vulnerable Components

Chart.js pinned to version 4.4.4 with sha512 SRI hash — not tracking latest. No npm runtime dependencies.

A07

Auth & Session Failures

No authentication system = no session tokens to hijack. Portfolio is intentionally public-read-only.

A08

Software & Data Integrity

SRI hashes on all CDN scripts. GitHub secret scanning enabled. No CI/CD pipelines with unverified dependencies.

A09

Logging & Monitoring

Client-side export audit log maintained. All data export events are timestamped and stored in localStorage; because the log is client-scoped it is not tamper-evident, which the Architecture Equivalence table maps to SIEM ingestion in production.

A10

SSRF

No server-side requests possible — static hosting eliminates SSRF attack surface entirely.

Architecture Equivalence

Every design decision in this platform maps to a production-grade equivalent. The table below documents those mappings — showing architectural awareness beyond what the demo itself can enforce.

This Platform | Production Equivalent | GRC Consideration
localStorage data storage | Encrypted backend database with RBAC and access logging | Data classification · ISO 27001 A.8.3 · NIST PR.DS-01
Client-side activity trace | Tamper-evident SIEM ingestion (Splunk / Microsoft Sentinel) | Log integrity · ISO 27001 A.8.15 · NIST DE.CM-03
Client-side rate limiting | API gateway throttling / WAF rate rules (server-enforced) | Access control · ISO 27001 A.8.20 · NIST PR.AC-04
Static hosting + CDN headers | Secure cloud architecture with WAF, runtime protection, and IDS | Network security · ISO 27001 A.8.20–22 · NIST PR.AC
No authentication layer | Identity provider (Okta / Entra ID) with MFA and RBAC | IAM design · ISO 27001 A.5.15–18 · NIST PR.AC-01
SRI on CDN scripts | Software composition analysis (Snyk / Dependabot) + verified build pipeline | Supply chain · ISO 27001 A.8.8 · NIST ID.SC-04

Let's
Talk
Risk.

Looking to stand up a GRC function, strengthen a compliance program, or bring structured risk management to a new initiative? I'd like to hear about the challenge.

Connect on LinkedIn → Explore the GRC Platform →