awesome-compliance

Awesome Compliance

A curated list of awesome resources for Governance, Risk Management, and Compliance (GRC) professionals.

This list is intended for compliance officers, risk managers, auditors, and cybersecurity professionals or for people with a compliance need who need trusted resources for ISO 27001, SOC 2, SOX, ESG compliance, and more.

Contents

• Frameworks & standards
• Tools & softwares
• Other ressources

Frameworks & standards

ESG & sustainability

• B Corp Certification - B Lab’s Impact Assessment (Every three year).
• CDP - Carbon Disclosure Project (self-declarative).
• GRI Standards - Global Reporting Initiative Standards (self-declarative).
• ISO 14001 - Environmental management (Annual audit).
• ISO 45001 - Occupational health and safety (Annual audit).
• ISO 50001 - Energy management (Annual audit).
• SASB Standards - Sustainability Accounting Standards Board framework (self-declarative).
• TCFD - Task Force on Climate-related Financial Disclosures (self-declarative).
• UN SDGs - United Nations Sustainable Development Goals (self-declarative).

Financial & corporate

• Basel Framework - Banking supervision standards (Regular supervisory reviews).
• FCRA - Fair Credit Reporting Act for consumer data accuracy (Annual audit).
• IFRS - International Financial Reporting Standards (Annual audit).
• OFDSS - Open Financial Data Security Standard for fintech (self-declarative).
• PCI-DSS - Payment Card Industry Data Security Standard for credit card protection (Annual audit).
• SOX ITGC - IT General Controls under Sarbanes-Oxley (Annual audit).

Government & risk management

• CPS234 - Australian Prudential Standard for financial information security.
• ISO 42001 - AI Management System standard.
• NIST CSF - Cybersecurity Framework for managing risk (self-declarative).
• NIST SP 800-171 - Security controls for protecting Controlled Unclassified Information (CUI).
• NIST SP 800-53 - Security & privacy controls for federal agencies (self-declarative).

Quality management

• AS9100 - Aerospace quality management (Annual surveillance).
• cGMP - FDA inspections required.
• ISO 9001 - Quality management systems (3-year certification cycle).
• ISO 13485 - Medical devices quality management (Annual surveillance).
• ISO 22000 - Food safety management (Annual surveillance).
• ISO/TS 16949 - Automotive quality management (Annual surveillance).

Security, privacy & data protection

• CCPA - California Consumer Privacy Act (self-declarative).
• CMMC - Cybersecurity framework for government contractors (Annual audit).
• CSA STAR - Cloud security and compliance certification (depend on level).
• FedRAMP - Federal Risk and Authorization Management Program (Annual assessment).
• FISMA - Federal Information Security Modernization Act (Annual audit).
• GDPR - General Data Protection Regulation (Self-assessment with DPO) (self-declarative).
• HIPAA - Health Insurance Portability and Accountability Act (Regular audits required).
• HITRUST CSF - Security framework used in healthcare (Annual audit).
• ISO 27001 - Information security management (Annual audit).
• ISO 27002 - Security controls guidance for ISO 27001 (self-declarative).
• ISO 27017 - Cloud-specific security practices (self-declarative).
• ISO 27018 - Cloud privacy controls for protecting PII (self-declarative).
• ISO 27701 - Privacy Information Management System standard (Annual audit).
• Microsoft SSPA - Microsoft’s Supplier Security & Privacy Assurance (Annual audit).
• NIST AI RMF - Risk management framework for AI governance (self-declarative).
• PIPEDA - Personal Information Protection and Electronic Documents Act (self-declarative).
• SOC 1 - Reporting on internal financial controls (Annual audit).
• SOC 2 - Service Organization Control reports (Annual audit).
• SOC 3 - Public report summarizing SOC 2 compliance (Annual audit).
• US Data Privacy (USDP) - Generalized US data privacy regulations (self-declarative).

Tools & softwares

Compliance automation

• Drata - Security compliance automation for SOC 2, ISO 27001, PCI DSS.
• Fortinet - Security compliance automation platform.
• HIPAA One - HIPAA compliance for healthcare businesses.
• Oneleet - End-to-end security compliance automation for SOC 2, ISO 27001, and more.
• Probo - Compliance automation platform for SOC 2, ISO 27001 & more - Open source.
• Secureframe - Automated security compliance for SOC 2, ISO 27001, HIPAA.
• Sprinto - Compliance automation for SOC 2, ISO 27001.
• Scrut - Compliane automation for security frameworks.
• Thoropass - Compliance automation and audit management.
• Tugboat Logic - Security assurance platform for SOC 2, ISO 27001.
• Vanta - Automated security monitoring and SOC 2, ISO 27001, HIPAA compliance.

ESG & sustainability platforms

• Benchmark ESG - ESG performance management.
• Diligent ESG - ESG and board governance.
• Locus Technologies - ESG reporting and EHS compliance.
• Novata - ESG solution.
• Novisto - ESG data management.
• Proof - ESG data management.
• Sametrica - ESG data collection.
• Workiva - Financial and ESG reporting platform.

GRC

• AuditBoard - Audit, risk and compliance management platform.
• Archer - RSA’s GRC platform.
• Hyperproof - Compliance operations platform with automated workflows.
• LogicGate - Risk Cloud platform.
• MetricStream - GRC Cloud platform.
• Onspring - Versatile GRC software.
• OneTrust - Privacy & GRC platform.
• ServiceNow GRC - Enterprise GRC platform.
• TrustCloud - GRC automation.

Risk & compliance management

• GRR Rapid Response - Open-source incident response framework by Google. - Open source.

Security assessment

• OpenVAS - Vulnerability assessment scanner - Open source.
• OSSEC - Host-based Intrusion Detection System - Open source.
• Trivy - Vulnerability and compliance scanner for containers and infrastructure - Open source.
• Wazuh - Security monitoring platform - Open source.

Other ressources

Community

• Iso 27001 Forum - ISO27K forum.
• r/Compliance - Reddit compliance community.

Content

• ISO27001.zip - Implementation guide for ISO 27001.
• MITRE ATT&CK - Open framework for understanding adversarial tactics and techniques.
• SOC2 FYI - Guide comparing available solution for SOC2.
• SOC2 reports - Conference on what to expect from SOC2 reports.

Contributing

Feel free to open a pull request if you’d like to add or update resources. Please ensure your contribution follows the awesome list guidelines.

Related

• Awesome GDPR.

This site is open source. Improve this page.