theopenlane/awesome-compliance

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Awesome Compliance

A curated list of awesome resources for Governance, Risk Management, and Compliance (GRC) professionals.

This list is intended for compliance officers, risk managers, auditors, cybersecurity professionals, and anyone else with a compliance need who wants trusted resources for ISO 27001, SOC 2, SOX, ESG compliance, and more.

Contents

Frameworks & Standards

Security & Privacy

  • SOC Reports (SOC 1/2/3) - AICPA Service Organization Control reports. SOC 1 for financial reporting controls, SOC 2 for security/availability/confidentiality/processing integrity/privacy controls, SOC 3 for public distribution.
  • ISO/IEC 27001 - International standard for establishing an Information Security Management System (ISMS). Requires annual certification audits.
  • ISO/IEC 27002 - Implementation guidance for ISO 27001 controls.
  • ISO/IEC 27017 - Cloud security controls based on ISO 27002.
  • ISO/IEC 27018 - Code of practice for protecting personally identifiable information in public cloud.
  • ISO/IEC 27701 - Privacy Information Management System (PIMS) extension to ISO 27001.
  • NIST Cybersecurity Framework - Voluntary risk-based model for managing cybersecurity risk (Identify, Protect, Detect, Respond, Recover).
  • NIST Risk Management Framework - Framework for integrating security and risk management into system development lifecycle.
  • NIST SP 800-53 - Security and privacy controls for federal information systems and organizations. Widely adopted beyond government.
  • NIST SP 800-171 - Protecting Controlled Unclassified Information in nonfederal systems.
  • NIST AI RMF - AI Risk Management Framework for trustworthy AI development and deployment.
  • NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security for operational technology environments.
  • NIST SP 800-160 - Systems Security Engineering for developing trustworthy secure systems.
  • NIST SP 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
  • NIST SP 800-172 - Enhanced Security Requirements for Protecting Controlled Unclassified Information.
  • NIST SP 800-218 - Secure Software Development Framework (SSDF) for integrating security into SDLC.
  • NIST SP 800-63B - Digital Identity Guidelines for authentication and lifecycle management.
  • NIST SP 800-66 - Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
  • NIST Privacy Framework - Tool for improving privacy risk management.
  • PCI DSS - Payment Card Industry Data Security Standard. Required for handling credit card data. Version 4.0 emphasizes continuous compliance.
  • HIPAA - US Health Insurance Portability and Accountability Act. Mandates safeguards for protected health information.
  • HITRUST CSF - Common certifiable framework combining HIPAA, NIST, ISO, and other requirements for healthcare.
  • HICP - Health Industry Cybersecurity Practices for healthcare organizations (small, medium, and large practice guidance).
  • FedRAMP - Federal Risk and Authorization Management Program. Required for cloud services used by US federal agencies based on NIST 800-53.
  • CMMC - Cybersecurity Maturity Model Certification for US DoD contractors. Version 2.0 streamlines requirements.
  • FISMA - Federal Information Security Modernization Act for US federal agency information security.
  • StateRAMP - Standardized approach to cloud security for US state and local governments.
  • FERPA - Family Educational Rights and Privacy Act protecting student education records.
  • Microsoft SSPA - Microsoft Security Software Privacy Assurance framework.
  • CIS Controls - Center for Internet Security 18 Critical Security Controls (formerly 20).
  • CIS Benchmarks - Configuration security benchmarks for systems and applications.
  • CSA Cloud Controls Matrix - Cloud Security Alliance control framework for cloud computing.
  • MITRE ATT&CK - Knowledge base of adversary tactics and techniques based on real-world observations.
  • OWASP ASVS - Application Security Verification Standard.
  • CPS234 - Australian Prudential Regulation Authority information security requirements.
  • CISA - Cybersecurity Information Sharing Act and CISA agency resources.
  • NERC CIP - North American Electric Reliability Corporation Critical Infrastructure Protection standards.
  • CJIS - Criminal Justice Information Services Security Policy.
  • Secure Controls Framework - Comprehensive control framework with mappings across multiple standards and regulations.
  • NIST National Online Informative References Program (OLIR) - Machine-readable mappings between NIST frameworks and other standards.
  • Adobe Common Controls Framework - Adobe's unified control framework for compliance.
  • Equifax Security Controls Framework - Equifax's control framework with mappings to major standards.
  • CIS Controls Navigator - Tool for navigating and implementing CIS Controls.
  • MITRE NIST 800-53 to ATT&CK Mappings - Maps NIST security controls to adversary techniques.
  • NIST AI RMF Crosswalks - Mappings between AI RMF and other frameworks, standards, and regulations.
  • CSF Tools - Tools and resources for implementing the NIST Cybersecurity Framework.

ESG & Sustainability

  • B Corp Certification - Certification for companies meeting high standards of social and environmental performance.
  • CDP - Carbon Disclosure Project for environmental impact reporting.
  • GRI Standards - Global Reporting Initiative for sustainability reporting.
  • ISO 14001 - Environmental Management Systems.
  • ISO 45001 - Occupational Health and Safety Management Systems.
  • ISO 50001 - Energy Management Systems.
  • SASB Standards - Sustainability Accounting Standards Board standards for ESG disclosure.
  • TCFD - Task Force on Climate-related Financial Disclosures recommendations.
  • UN SDGs - United Nations Sustainable Development Goals.

Financial & Corporate

  • SOX - Sarbanes-Oxley Act for financial reporting and corporate governance.
  • SOX ITGC - IT General Controls for Sarbanes-Oxley compliance.
  • Basel Framework - International banking regulations on capital adequacy, stress testing, and market liquidity.
  • FCRA - Fair Credit Reporting Act regulating credit information collection and use.
  • IFRS - International Financial Reporting Standards for accounting and financial reporting.
  • GLBA - Gramm-Leach-Bliley Act requiring financial institutions to protect customer information.
  • NYDFS - New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).
  • SWIFT CSF - SWIFT Customer Security Controls Framework for financial messaging and payment systems.
  • FFIEC - Federal Financial Institutions Examination Council cybersecurity assessment tool.
  • FINRA - Financial Industry Regulatory Authority cybersecurity requirements for broker-dealers.
  • SAMA CSF - Saudi Arabian Monetary Authority Cyber Security Framework for the financial sector.
  • EBA ICT Guidelines - European Banking Authority ICT and security risk management guidelines.
  • OFDSS - Office of Federal Student Aid Security Standards.

Quality & Assurance

  • ISO 9001 - Quality Management Systems standard.
  • AS9100 - Quality management for aerospace industry.
  • ISO 13485 - Quality management for medical devices.
  • ISO 22000 - Food Safety Management Systems.
  • ISO/TS 16949 - Quality management for automotive industry (superseded by IATF 16949).
  • ISO 22301 - Security and resilience: business continuity management systems requirements.
  • cGMP - Current Good Manufacturing Practice for pharmaceuticals.
  • FDA 21 CFR Part 11 - Electronic records and electronic signatures in FDA-regulated industries.
  • IEC TR 60601-4-5 - Medical electrical equipment cybersecurity requirements.
  • IEC 62443-4-2 - Security for industrial automation and control systems technical requirements.
  • ISO/SAE 21434 - Road vehicles cybersecurity engineering standard.
  • UN R155 - UN Regulation on cybersecurity and cyber security management systems for vehicles.
  • TISAX - Trusted Information Security Assessment Exchange for automotive industry information security assessment.
  • ITIL - Information Technology Infrastructure Library for IT service management.
  • COBIT - Control Objectives for Information and Related Technologies governance framework.
  • ISO 42001 - AI Management System standard.

Risk Management

  • COSO ERM - Committee of Sponsoring Organizations Enterprise Risk Management framework.
  • FAIR - Factor Analysis of Information Risk, quantitative risk analysis framework.
  • ISO 27005 - Information security risk management.
  • ISO 31000 - Risk management guidelines and principles.
  • NIST SP 800-37 - Risk Management Framework for Information Systems.
  • NIST SP 800-39 - Managing Information Security Risk: Organization, Mission, and Information System View.
  • OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation by Carnegie Mellon.
  • Rapid Risk Assessment - Mozilla's lightweight risk assessment methodology.
  • TARA - Threat Assessment and Remediation Analysis by MITRE.

Legislative & Regulatory

Privacy Legislation

  • IAPP US Federal Privacy Legislation Tracker - Comprehensive tracking of 50+ federal privacy bills in the 118th Congress (2023-2024).
  • IAPP US State Privacy Legislation Tracker - Comprehensive tracking of state privacy legislation across all US states.
  • CCPA/CPRA - California Consumer Privacy Act and California Privacy Rights Act. Comprehensive consumer privacy rights including data deletion, opt-out, and transparency requirements.
  • Virginia CDPA - Virginia Consumer Data Protection Act establishing consumer privacy rights and business obligations.
  • Colorado CPA - Colorado Privacy Act providing consumer data privacy rights similar to CCPA.
  • GDPR - EU General Data Protection Regulation governing personal data protection. Compliance is self-attested, typically through a Data Protection Officer, and must be demonstrable on request.
    • GDPR-info.eu - Complete GDPR text with recitals and commentary.
    • GDPR Expert - GDPR compliance resources.
    • GDPRhub - Free and open database of GDPR case law.

EU Cybersecurity & AI Regulations

  • NIS2 Directive - EU Network and Information Security Directive establishing cybersecurity requirements for critical infrastructure and digital services.
  • EU DORA - Digital Operational Resilience Act for financial sector ICT risk management in the EU.
  • ePrivacy Directive - EU directive on privacy and electronic communications (under revision).
  • ENISA Guidelines - European Union Agency for Network and Information Security technical guidelines and security measures.
  • EU AI Act - Comprehensive AI regulation with risk-based approach, prohibitions on high-risk uses, and transparency requirements. First comprehensive AI law globally.

Tools & Platforms

Open Source Platforms

  • Openlane - Comprehensive compliance automation platform for SOC 2, ISO 27001, and custom frameworks (Apache-2.0). Transforms compliance from static annual process to continuous collaborative workflow with risk register, policy management, evidence lifecycle, and control validation. (GitHub | Docs)
  • Comply - SOC 2 compliance automation framework by StrongDM (Apache-2.0). Provides markdown-based policy templates and document pipeline for auditor-ready policies.
  • Compliance Masonry - CLI tool to build compliance documentation using OpenControl YAML schema. Supports FedRAMP, NIST, and other frameworks.
  • Auditree Framework - IBM's framework for automated evidence collection and verification (Apache-2.0). Treats compliance checks as code with version-controlled evidence locker.
  • Trestle - IBM's compliance-as-code toolset using NIST's OSCAL format. Manages compliance catalogs and automates documentation generation.
  • InSpec - Chef's compliance and security testing framework. Write automated compliance tests in a Ruby DSL, with pre-built profiles for CIS Benchmarks and DISA STIGs.
  • OpenSCAP - Security Content Automation Protocol toolset for automated system scanning against SCAP benchmarks (Red Hat sponsored).
  • Lynis - Security auditing tool for Unix/Linux systems. Performs host configuration scans and generates hardening reports.
  • Cloud Custodian - CNCF Sandbox rules engine for cloud compliance. Write policies in YAML to enforce and remediate violations in AWS, Azure, GCP.
  • Prowler - AWS security and compliance scanner. Checks against AWS CIS Benchmark, GDPR, HIPAA, PCI DSS, SOC 2.
  • ScoutSuite - Multi-cloud security auditing tool by NCC Group. Detects misconfigurations in AWS, Azure, GCP.
  • Steampipe - Query cloud and SaaS APIs as SQL tables. Includes compliance mod packs for CIS AWS Foundations, HIPAA, PCI.
  • PacBot - T-Mobile's cloud compliance platform. Continuously monitors AWS for violations with auto-remediation capabilities.
  • OSQuery - Endpoint monitoring using SQL queries (Linux Foundation). Query running processes, configurations, and compliance-related data across fleet.
  • Wazuh - Open source security platform with SIEM and HIDS capabilities. Provides compliance rule sets for PCI DSS, GDPR, HIPAA with reporting.
  • CISO Assistant - Open-source GRC app supporting 40+ frameworks. Manages risks, controls, audits with one-click audit reports.
  • Comp AI - Open source compliance platform (AGPL-3.0) for SOC 2, ISO 27001, HIPAA, GDPR.
  • Eramba - Enterprise GRC platform with free Community Edition. Modules for compliance, risk management, incidents, vendor assessments.
  • Trivy - Comprehensive security scanner for containers and IaC. Detects vulnerabilities, misconfigurations, secrets.
  • kube-bench - Checks Kubernetes clusters against CIS Kubernetes Benchmark.
  • Kyverno - Kubernetes-native policy management. Enforce, validate, and mutate configurations.
  • OPA Gatekeeper - Policy controller for Kubernetes using Open Policy Agent.
  • Havengrc - Open-source GRC platform for compliance management.
  • GGRC Core - Google's governance, risk, and compliance platform (archived but historically significant).
  • Govready - Open-source GRC platform for automated compliance assessments.
  • Probo - Open source compliance automation focused on continuous integration workflows.

Commercial Platforms

  • Drata - Cloud platform for continuous compliance monitoring and automation. Connects to tech stack for evidence collection. Supports SOC 2, ISO 27001, PCI DSS.
  • Vanta - Compliance automation platform for SOC 2, ISO 27001. Continuous monitoring with AI-powered questionnaire responses.
  • Secureframe - End-to-end compliance platform for SOC 2, ISO 27001, HIPAA. Includes policy templates, evidence collection, training, auditor coordination.
  • Tugboat Logic - Security assurance platform now part of OneTrust. Automated evidence collection and audit project management.
  • Tenable - Cloud-based and on-prem vulnerability and exposure management.
  • Hyperproof - Compliance operations platform for ongoing risk and compliance management. Workflow automation and continuous control monitoring.
  • Sprinto - Automated compliance platform for SOC 2, ISO 27001, GDPR, HIPAA.
  • Oneleet - Continuous compliance monitoring and automation platform.
  • Scrut - Automated compliance platform with integrations for real-time monitoring.
  • Thoropass - Information security and compliance software.
  • AuditBoard - Leading platform for audit and compliance management. One-stop solution for managing audits, controls, risks, and reporting.
  • Archer - RSA's GRC platform widely used in enterprises.
  • LogicGate - Risk Cloud platform tailored for IT Risk, Compliance, Third-Party Risk.
  • MetricStream - Enterprise GRC platform for integrated risk management.
  • Onspring - No-code GRC platform for risk, compliance, and audit management.
  • OneTrust - Privacy, security, and data governance platform. Extensive GRC suite including Vendorpedia.
  • ServiceNow GRC - Integrated risk and compliance management on ServiceNow platform.
  • TrustCloud - GRC platform with free trust center offering. Compliance tracking with integrations. (Freemium)
  • Benchmark ESG - ESG data management and reporting platform.
  • Diligent ESG - ESG governance and reporting solution.
  • Locus Technologies - Environmental, health, safety, and sustainability management software.
  • Novata - ESG data management for private markets.
  • Novisto - ESG reporting automation platform.
  • Proof - ESG performance management platform.
  • Sametrica - ESG impact measurement software.
  • Workiva - Cloud platform for ESG, financial, and compliance reporting.

Compliance Specifications & Resources

CC0
