
Frequently asked questions

How to prepare for an ITGC / ISO27001 / GRC job?

Helpful resources

The easiest way to get into an ITGC / ISO 27001 / GRC job is to start with the smallest units of work for which there are plenty of openings: 1) control testing, 2) checklist-based information security audit, and 3) risk assessment. These three are valuable skills, and a candidate who can demonstrate knowledge, skill or experience in them is very likely to land a job. The best part is that there are plenty of online resources available for practising them. Here is how you could start:


  1. Understand the meaning of the following terms: information security, cyber security, confidentiality, integrity, availability, control, control objective, risk, level of risk, residual risk, risk acceptance, risk assessment, risk treatment, vulnerability, threat, impact, likelihood, audit, audit scope, access control, first party, second party, third party, conformity, nonconformity, documented information, information security incident, outsource, policy, process. The ISO/IEC 27000 vocabulary standard, or simple internet research, will help you understand these.

  2. Draft a few information security / cyber security controls to understand what a control is. Open a document and keep writing controls until you get a feel for what an appropriate control looks like; make sure the wording reads like a control (a requirement on the organisation, not a description of a product). You may refer to ISO 27001, NIST SP 800-53 or the NIST CSF to identify controls.

  3. Understand what a checklist is and why it matters in control testing, information security / cyber security audits and risk assessments: it fixes the scope, makes the test repeatable and records the evidence behind every conclusion.

  4. Prepare an Excel / Google Sheets checklist of controls with columns for how to test the control, what evidence to look for, a column to mark conformity or nonconformity, and a column for comments. Controls may be taken from international information security / cyber security standards such as ISO 27001, NIST SP 800-53 or the NIST CSF.

  5. Extend that checklist to all controls from ISO 27001 and the NIST CSF, with the same columns (how to test, evidence to see, conformity / nonconformity, comments). Pay attention to each control, its meaning and its objective.

  6. Read and understand standards such as ISO 27001 and the NIST CSF to whatever extent you can.

  7. Read some information security policies available online, then draft an information security policy for your college: you know what information the college holds, so you are in a position to write an appropriate policy. Pay particular attention to the terms "shall", "should" and "must" ("shall" and "must" state a mandatory requirement, "should" a recommendation) and understand what a policy is meant to achieve for an organisation or institution.

  8. Read some information security procedures / processes available online, then draft one information security procedure for your college covering a single information security aspect (for example, leaver access removal or backup restoration). Again, pay attention to the use of "shall", "should" and "must".

  9. Use the checklist you created to conduct a sample audit of your college, making assumptions where you do not know the details. Against each checkpoint, record what you checked, what evidence you observed, whether it is a conformity or a nonconformity, and comments giving the details.

  10. Write a few risk statements (a risk assessment) in Google Sheets / Excel to learn how a risk is drafted: identify the asset, threat and vulnerability, the likelihood, the impact, the resulting risk level, the existing controls and the residual risk. Try giving ratings to likelihood, impact, risk level and residual risk on a simple scale. Research sample risk assessments on the internet.

  11. Understand the possible risk treatment options (mitigate, avoid, transfer, accept) and apply them to your risk statements. Note that only mitigate, avoid and transfer change the risk; accepting a risk records a decision to live with it, so its residual risk equals the original risk.

  12. Write as many risks and policies as you can, and test as many controls as you can.
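As an added example (not part of this page), the checklist from steps 4 and 9 and the risk register from steps 10 and 11 are written out below as plain Python data, so that the rating arithmetic and the consistency rules for residual risk are explicit instead of hidden in spreadsheet cells. The three-point scales, the band thresholds, the control IDs CTL-01 and CTL-02, the checkpoints and the teleworking risk rows are all assumptions made for illustration; neither ISO 27001 nor the NIST CSF prescribes them.

```python
"""Constructed risk register and control-testing checklist (added example, not
from the page). Scales, bands, control IDs and rows are illustrative assumptions."""
import csv
import io
from dataclasses import dataclass, asdict

SCALE = {"low": 1, "medium": 2, "high": 3}   # assumed ordinal scale for likelihood and impact
TREATMENTS = ("mitigate", "avoid", "transfer", "accept")


def risk_level(likelihood: str, impact: str) -> tuple[int, str]:
    """Score = likelihood x impact (1..9), banded Low (<=2), Medium (<=4), High (6..9)."""
    score = SCALE[likelihood] * SCALE[impact]
    band = "Low" if score <= 2 else "Medium" if score <= 4 else "High"
    return score, band


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    existing_controls: str
    treatment: str             # one of TREATMENTS
    treatment_detail: str
    residual_likelihood: str   # rating after the treatment is applied
    residual_impact: str

    def inherent(self) -> tuple[int, str]:
        return risk_level(self.likelihood, self.impact)

    def residual(self) -> tuple[int, str]:
        """Residual risk after treatment, with the consistency checks a reviewer applies."""
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if self.treatment == "avoid":   # the activity is stopped, so nothing is left to rate
            return 0, "Avoided"
        inherent = self.inherent()
        residual = risk_level(self.residual_likelihood, self.residual_impact)
        if self.treatment == "accept" and residual != inherent:
            raise ValueError("accepting a risk leaves it unchanged")
        if residual[0] > inherent[0]:
            raise ValueError("residual risk cannot exceed inherent risk")
        return residual


@dataclass
class Checkpoint:
    control_id: str
    control: str
    how_to_test: str
    evidence_to_see: str
    evidence_observed: str = ""
    result: str = ""           # "Conformity", "Nonconformity" or "" (not yet tested)
    comments: str = ""


def audit_summary(checkpoints: list[Checkpoint]) -> dict[str, int]:
    """Count conformities, nonconformities and untested checkpoints."""
    summary = {"Conformity": 0, "Nonconformity": 0, "Not tested": 0}
    for cp in checkpoints:
        summary[cp.result or "Not tested"] += 1
    return summary


def to_csv(rows: list) -> str:
    """CSV text that opens directly in Excel / Google Sheets; Risk rows get computed columns."""
    dicts = []
    for r in rows:
        d = asdict(r)
        if isinstance(r, Risk):
            d["inherent_score"], d["inherent_level"] = r.inherent()
            d["residual_score"], d["residual_level"] = r.residual()
        dicts.append(d)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(dicts[0]))
    writer.writeheader()
    writer.writerows(dicts)
    return buf.getvalue()


# Constructed checkpoints for the two sample controls shown on this page (assumed IDs).
CHECKLIST = [
    Checkpoint("CTL-01", "Access rights removed on termination / adjusted on change",
               "Sample 10 leavers from HR's last-quarter list; compare exit date with account disable date",
               "HR leaver list, directory account status, ticket closing the access",
               "2 of 10 leaver accounts still enabled 14 days after exit", "Nonconformity",
               "No agreed SLA between HR notification and IT action"),
    Checkpoint("CTL-02", "Backups taken and tested per the agreed backup policy",
               "Read the backup policy; sample 5 backup jobs and the most recent restore test",
               "Backup policy, job logs, restore-test record",
               "Daily jobs succeed; restore test dated within the last 6 months", "Conformity", ""),
]

# Constructed teleworking risk register: one row per treatment option.
TELEWORKING_RISKS = [
    Risk("Laptop with customer data", "Theft or loss in transit", "Disk not encrypted", "medium", "high",
         "Asset register, screen lock", "mitigate", "Enforce full-disk encryption via MDM", "medium", "low"),
    Risk("Personal devices", "Data leakage", "Staff mail files to personal accounts", "high", "high",
         "Acceptable-use policy", "avoid", "Block personal webmail and USB storage outright", "low", "low"),
    Risk("Remote staff", "Phishing", "Less peer verification when working alone", "high", "medium",
         "Awareness training", "transfer", "Cyber insurance covers incident response costs", "high", "low"),
    Risk("Video calls", "Uninvited attendee", "Meeting links posted in open chat", "low", "low",
         "Waiting room enabled", "accept", "Low impact; reviewed annually", "low", "low"),
]
```

Paste the output of `to_csv(CHECKLIST)` or `to_csv(TELEWORKING_RISKS)` into a sheet to get the column layout described in steps 4 and 10. The checks in `residual()` catch the two mistakes that most often show up in practice registers: an "accept" row whose residual rating has quietly been lowered, and a residual risk rated higher than the inherent risk it came from.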


Sample Controls: 

  1. The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. 

  2. Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. 


Sample checklist:



Sample audit:



Sample risk assessment for secure teleworking:




Sample risk treatment:


