A curated list of awesome resources for Governance, Risk Management, and Compliance (GRC) professionals.
This list is intended for compliance officers, risk managers, auditors, and cybersecurity professionals or for people with a compliance need who need trusted resources for ISO 27001, SOC 2, SOX, ESG compliance, and more.
- B Corp Certification - B Lab's Impact Assessment (Every three year).
- CDP - Carbon Disclosure Project (self-declarative).
- GRI Standards - Global Reporting Initiative Standards (self-declarative).
- ISO 14001 - Environmental management (Annual audit).
- ISO 45001 - Occupational health and safety (Annual audit).
- ISO 50001 - Energy management (Annual audit).
- SASB Standards - Sustainability Accounting Standards Board framework (self-declarative).
- TCFD - Task Force on Climate-related Financial Disclosures (self-declarative).
- UN SDGs - United Nations Sustainable Development Goals (self-declarative).
- Basel Framework - Banking supervision standards (Regular supervisory reviews).
- FCRA - Fair Credit Reporting Act for consumer data accuracy (Annual audit).
- IFRS - International Financial Reporting Standards (Annual audit).
- OFDSS - Open Financial Data Security Standard for fintech (self-declarative).
- PCI-DSS - Payment Card Industry Data Security Standard for credit card protection (Annual audit).
- SOX ITGC - IT General Controls under Sarbanes-Oxley (Annual audit).
- CPS234 - Australian Prudential Standard for financial information security.
- ISO 42001 - AI Management System standard.
- NIST CSF - Cybersecurity Framework for managing risk (self-declarative).
- NIST SP 800-171 - Security controls for protecting Controlled Unclassified Information (CUI).
- NIST SP 800-53 - Security & privacy controls for federal agencies (self-declarative).
- AS9100 - Aerospace quality management (Annual surveillance).
- cGMP - FDA inspections required.
- ISO 9001 - Quality management systems (3-year certification cycle).
- ISO 13485 - Medical devices quality management (Annual surveillance).
- ISO 22000 - Food safety management (Annual surveillance).
- ISO/TS 16949 - Automotive quality management (Annual surveillance).
- CCPA - California Consumer Privacy Act (self-declarative).
- CMMC - Cybersecurity framework for government contractors (Annual audit).
- CSA STAR - Cloud security and compliance certification (depend on level).
- FedRAMP - Federal Risk and Authorization Management Program (Annual assessment).
- FISMA - Federal Information Security Modernization Act (Annual audit).
- GDPR - General Data Protection Regulation (Self-assessment with DPO) (self-declarative).
- HIPAA - Health Insurance Portability and Accountability Act (Regular audits required).
- HITRUST CSF - Security framework used in healthcare (Annual audit).
- ISO 27001 - Information security management (Annual audit).
- ISO 27002 - Security controls guidance for ISO 27001 (self-declarative).
- ISO 27017 - Cloud-specific security practices (self-declarative).
- ISO 27018 - Cloud privacy controls for protecting PII (self-declarative).
- ISO 27701 - Privacy Information Management System standard (Annual audit).
- Microsoft SSPA - Microsoft's Supplier Security & Privacy Assurance (Annual audit).
- NIST AI RMF - Risk management framework for AI governance (self-declarative).
- PIPEDA - Personal Information Protection and Electronic Documents Act (self-declarative).
- SOC 1 - Reporting on internal financial controls (Annual audit).
- SOC 2 - Service Organization Control reports (Annual audit).
- SOC 3 - Public report summarizing SOC 2 compliance (Annual audit).
- US Data Privacy (USDP) - Generalized US data privacy regulations (self-declarative).
- Drata - Security compliance automation for SOC 2, ISO 27001, PCI DSS.
- Fortinet - Security compliance automation platform.
- HIPAA One - HIPAA compliance for healthcare businesses.
- Oneleet - End-to-end security compliance automation for SOC 2, ISO 27001, and more.
- Probo - Compliance automation platform for SOC 2, ISO 27001 & more - Open source.
- Secureframe - Automated security compliance for SOC 2, ISO 27001, HIPAA.
- Sprinto - Compliance automation for SOC 2, ISO 27001.
- Scrut - Compliane automation for security frameworks.
- Thoropass - Compliance automation and audit management.
- Tugboat Logic - Security assurance platform for SOC 2, ISO 27001.
- Vanta - Automated security monitoring and SOC 2, ISO 27001, HIPAA compliance.
- Benchmark ESG - ESG performance management.
- Diligent ESG - ESG and board governance.
- Locus Technologies - ESG reporting and EHS compliance.
- Novata - ESG solution.
- Novisto - ESG data management.
- Proof - ESG data management.
- Sametrica - ESG data collection.
- Workiva - Financial and ESG reporting platform.
- AuditBoard - Audit, risk and compliance management platform.
- Archer - RSA's GRC platform.
- Hyperproof - Compliance operations platform with automated workflows.
- LogicGate - Risk Cloud platform.
- MetricStream - GRC Cloud platform.
- Onspring - Versatile GRC software.
- OneTrust - Privacy & GRC platform.
- ServiceNow GRC - Enterprise GRC platform.
- TrustCloud - GRC automation.
- GRR Rapid Response - Open-source incident response framework by Google. - Open source.
- OpenVAS - Vulnerability assessment scanner - Open source.
- OSSEC - Host-based Intrusion Detection System - Open source.
- Trivy - Vulnerability and compliance scanner for containers and infrastructure - Open source.
- Wazuh - Security monitoring platform - Open source.
- Iso 27001 Forum - ISO27K forum.
- r/Compliance - Reddit compliance community.
- ISO27001.zip - Implementation guide for ISO 27001.
- MITRE ATT&CK - Open framework for understanding adversarial tactics and techniques.
- SOC2 FYI - Guide comparing available solution for SOC2.
- SOC2 reports - Conference on what to expect from SOC2 reports.
Feel free to open a pull request if you'd like to add or update resources. Please ensure your contribution follows the awesome list guidelines.