Awesome Compliance

A curated list of awesome resources for Governance, Risk Management, and Compliance (GRC) professionals.

This list is intended for compliance officers, risk managers, auditors, and cybersecurity professionals or for people with a compliance need who need trusted resources for ISO 27001, SOC 2, SOX, ESG compliance, and more.

Frameworks & Standards

Security & Privacy

SOC Reports (SOC 1/2/3) - AICPA Service Organization Control reports. SOC 1 for financial reporting controls, SOC 2 for security/availability/confidentiality/processing integrity/privacy controls, SOC 3 for public distribution.
ISO/IEC 27001 - International standard for establishing an Information Security Management System (ISMS). Requires annual certification audits.
ISO/IEC 27002 - Implementation guidance for ISO 27001 controls.
ISO/IEC 27017 - Cloud security controls based on ISO 27002.
ISO/IEC 27018 - Code of practice for protecting personally identifiable information in public cloud.
ISO/IEC 27701 - Privacy Information Management System (PIMS) extension to ISO 27001.
NIST Cybersecurity Framework - Voluntary risk-based model for managing cybersecurity risk (Identify, Protect, Detect, Respond, Recover).
NIST Risk Management Framework - Framework for integrating security and risk management into system development lifecycle.
NIST SP 800-53 - Security and privacy controls for federal information systems and organizations. Widely adopted beyond government.
NIST SP 800-171 - Protecting Controlled Unclassified Information in nonfederal systems.
NIST AI RMF - AI Risk Management Framework for trustworthy AI development and deployment.
NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security for operational technology environments.
NIST SP 800-160 - Systems Security Engineering for developing trustworthy secure systems.
NIST SP 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
NIST SP 800-172 - Enhanced Security Requirements for Protecting Controlled Unclassified Information.
NIST SP 800-218 - Secure Software Development Framework (SSDF) for integrating security into SDLC.
NIST SP 800-63B - Digital Identity Guidelines for authentication and lifecycle management.
NIST SP 800-66 - Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
NIST Privacy Framework - Tool for improving privacy risk management.
PCI DSS - Payment Card Industry Data Security Standard. Required for handling credit card data. Version 4.0 emphasizes continuous compliance.
HIPAA - US Health Insurance Portability and Accountability Act. Mandates safeguards for protected health information.
HITRUST CSF - Common certifiable framework combining HIPAA, NIST, ISO, and other requirements for healthcare.
HICP - Health Industry Cybersecurity Practices for healthcare organizations (small, medium, and large practice guidance).
FedRAMP - Federal Risk and Authorization Management Program. Required for cloud services used by US federal agencies based on NIST 800-53.
CMMC - Cybersecurity Maturity Model Certification for US DoD contractors. Version 2.0 streamlines requirements.
FISMA - Federal Information Security Modernization Act for US federal agency information security.
StateRAMP - Standardized approach to cloud security for US state and local governments.
FERPA - Family Educational Rights and Privacy Act protecting student education records.
Microsoft SSPA - Microsoft Security Software Privacy Assurance framework.
CIS Controls - Center for Internet Security 18 Critical Security Controls (formerly 20).
CIS Benchmarks - Configuration security benchmarks for systems and applications.
CSA Cloud Controls Matrix - Cloud Security Alliance control framework for cloud computing.
MITRE ATT&CK - Knowledge base of adversary tactics and techniques based on real-world observations.
OWASP ASVS - Application Security Verification Standard.
CPS234 - Australian Prudential Regulation Authority information security requirements.
CISA - Cybersecurity Information Sharing Act and CISA agency resources.
NERC CIP - North American Electric Reliability Corporation Critical Infrastructure Protection standards.
CJIS - Criminal Justice Information Services Security Policy.
Secure Control Framework - Comprehensive control framework with mappings across multiple standards and regulations.
NIST National Online Informative References Program (OLIR) - Machine-readable mappings between NIST frameworks and other standards.
Adobe Common Controls Framework - Adobe's unified control framework for compliance.
Equifax Security Controls Framework - Equifax's control framework with mappings to major standards.
CIS Controls Navigator - Tool for navigating and implementing CIS Controls.
MITRE NIST 800-53 to ATT&CK Mappings - Maps NIST security controls to adversary techniques.
NIST AI RMF Crosswalks - Mappings between AI RMF and other frameworks, standards, and regulations.
CSF Tools - Tools and resources for implementing the NIST Cybersecurity Framework.

ESG & Sustainability

B Corp Certification - Certification for companies meeting high standards of social and environmental performance.
CDP - Carbon Disclosure Project for environmental impact reporting.
GRI Standards - Global Reporting Initiative for sustainability reporting.
ISO 14001 - Environmental Management Systems.
ISO 45001 - Occupational Health and Safety Management Systems.
ISO 50001 - Energy Management Systems.
SASB Standards - Sustainability Accounting Standards Board standards for ESG disclosure.
TCFD - Task Force on Climate-related Financial Disclosures recommendations.
UN SDGs - United Nations Sustainable Development Goals.

Financial & Corporate

SOX - Sarbanes-Oxley Act for financial reporting and corporate governance.
SOX ITGC - IT General Controls for Sarbanes-Oxley compliance.
Basel Framework - International banking regulations on capital adequacy, stress testing, and market liquidity.
FCRA - Fair Credit Reporting Act regulating credit information collection and use.
IFRS - International Financial Reporting Standards for accounting and financial reporting.
GLBA - Gramm-Leach-Bliley Act requiring financial institutions to protect customer information.
NYDFS - New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).
SWIFT CSF - SWIFT Customer Security Controls Framework for financial messaging and payment systems.
FFIEC - Federal Financial Institutions Examination Council cybersecurity assessment tool.
FINRA - Financial Industry Regulatory Authority cybersecurity requirements for broker-dealers.
SAMA CSF - Saudi Arabian Monetary Authority Cyber Security Framework for financial sector.
EBA ICT Guidelines - European Banking Authority ICT and security risk management guidelines.
OFDSS - Office of Federal Student Aid Security Standards.

Quality & Assurance

ISO 9001 - Quality Management Systems standard.
AS9100 - Quality management for aerospace industry.
ISO 13485 - Quality management for medical devices.
ISO 22000 - Food Safety Management Systems.
ISO/TS 16949 - Quality management for automotive industry (superseded by IATF 16949).
ISO 22301 - Security and resilience business continuity management systems requirements.
cGMP - Current Good Manufacturing Practice for pharmaceuticals.
FDA 21 CFR Part 11 - Electronic records and electronic signatures in FDA-regulated industries.
IEC TR 60601-4-5 - Medical electrical equipment cybersecurity requirements.
IEC 62443-4-2 - Security for industrial automation and control systems technical requirements.
ISO/SAE 21434 - Road vehicles cybersecurity engineering standard.
UN R155 - UN Regulation cybersecurity and cyber security management system for vehicles.
TISAX - Trusted Information Security Assessment Exchange for automotive industry information security assessment.
ITIL - Information Technology Infrastructure Library for IT service management.
COBIT - Control Objectives for Information and Related Technologies governance framework.
ISO 42001 - AI Management System standard.

Risk Management

COSO ERM - Committee of Sponsoring Organizations Enterprise Risk Management framework.
FAIR - Factor Analysis of Information Risk, quantitative risk analysis framework.
ISO 27005 - Information security risk management.
ISO 31000 - Risk management guidelines and principles.
NIST SP 800-37 - Risk Management Framework for Information Systems.
NIST SP 800-39 - Managing Information Security Risk: Organization, Mission, and Information System View.
OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation by Carnegie Mellon.
Rapid Risk Assessment - Mozilla's lightweight risk assessment methodology.
TARA - Threat Assessment and Remediation Analysis by MITRE.

Legislative & Regulatory

Privacy Legislation

IAPP US Federal Privacy Legislation Tracker - Comprehensive tracking of 50+ federal privacy bills in the 118th Congress (2023-2024).
IAPP US State Privacy Legislation Tracker - Comprehensive tracking of state privacy legislation across all US states.
CCPA/CPRA - California Consumer Privacy Act and California Privacy Rights Act. Comprehensive consumer privacy rights including data deletion, opt-out, and transparency requirements.
Virginia CDPA - Virginia Consumer Data Protection Act establishing consumer privacy rights and business obligations.
Colorado CPA - Colorado Privacy Act providing consumer data privacy rights similar to CCPA.
GDPR - EU General Data Protection Regulation governing personal data protection. Self-attestation via Data Protection Officer with demonstrated compliance.
- GDPR-info.eu - Complete GDPR text with recitals and commentary.
- GDPR Expert - GDPR compliance resources.
- GDPRhub - Free and open database of GDPR case law.

EU Cybersecurity & AI Regulations

NIS2 Directive - EU Network and Information Security Directive establishing cybersecurity requirements for critical infrastructure and digital services.
EU DORA - Digital Operational Resilience Act for financial sector ICT risk management in the EU.
ePrivacy Directive - EU directive on privacy and electronic communications (under revision).
ENISA Guidelines - European Union Agency for Network and Information Security technical guidelines and security measures.
EU AI Act - Comprehensive AI regulation with risk-based approach, prohibitions on high-risk uses, and transparency requirements. First comprehensive AI law globally.
Systima Comply - Open-source EU AI Act compliance scanner for CI/CD pipelines. AST-based detection of 37+ AI/ML frameworks with call-chain tracing and obligation checking against Articles 5-50. Ships as CLI, GitHub Action, and TypeScript API. Apache 2.0 licensed.
AIR Blackbox - Open-source EU AI Act compliance scanner and runtime trust layer for Python AI agents. 39 checks across Articles 9-15 with HMAC-SHA256 tamper-evident audit chains, PII detection, and prompt injection blocking. Trust layers for LangChain, CrewAI, AutoGen, OpenAI, Google ADK, and Claude Agent SDK. Ships as CLI, MCP server, and GitHub Action. Apache 2.0 licensed. (Website | PyPI)

Tools & Platforms

Open Source Platforms

Openlane - Comprehensive compliance automation platform for SOC 2, ISO 27001, and custom frameworks (Apache-2.0). Transforms compliance from static annual process to continuous collaborative workflow with risk register, policy management, evidence lifecycle, and control validation. (GitHub | Docs)
SOC 2 Reliability Guild - A community creating standardized evaluation criteria to help GRC and TPRM practitioners assess how much weight to give a SOC 2 report when making vendor trust decisions. (GitHub)
Comply - SOC 2 compliance automation framework by StrongDM (Apache-2.0). Provides markdown-based policy templates and document pipeline for auditor-ready policies.
Compliance Masonry - CLI tool to build compliance documentation using OpenControl YAML schema. Supports FedRAMP, NIST, and other frameworks.
Auditree Framework - IBM's framework for automated evidence collection and verification (Apache-2.0). Treats compliance checks as code with version-controlled evidence locker.
Trestle - IBM's compliance-as-code toolset using NIST's OSCAL format. Manages compliance catalogs and automates documentation generation.
InSpec - Chef's compliance and security testing framework. Write automated compliance tests in Ruby DSL with pre-built profiles for CIS, DISA STIGs.
OpenSCAP - Security Content Automation Protocol toolset for automated system scanning against SCAP benchmarks (Red Hat sponsored).
Lynis - Security auditing tool for Unix/Linux systems. Performs host configuration scans and generates hardening reports.
Cloud Custodian - CNCF Sandbox rules engine for cloud compliance. Write policies in YAML to enforce and remediate violations in AWS, Azure, GCP.
Prowler - AWS security and compliance scanner. Checks against AWS CIS Benchmark, GDPR, HIPAA, PCI DSS, SOC 2.
ScoutSuite - Multi-cloud security auditing tool by NCC Group. Detects misconfigurations in AWS, Azure, GCP.
Steampipe - Query cloud and SaaS APIs as SQL tables. Includes compliance mod packs for CIS AWS Foundations, HIPAA, PCI.
PacBot - T-Mobile's cloud compliance platform. Continuously monitors AWS for violations with auto-remediation capabilities.
OSQuery - Endpoint monitoring using SQL queries (Linux Foundation). Query running processes, configurations, and compliance-related data across fleet.
Wazuh - Open source security platform with SIEM and HIDS capabilities. Provides compliance rule sets for PCI DSS, GDPR, HIPAA with reporting.
CISO Assistant - Open-source GRC app supporting 40+ frameworks. Manages risks, controls, audits with one-click audit reports.
Comp AI - Open source compliance platform (AGPL-3.0) for SOC 2, ISO 27001, HIPAA, GDPR.
Eramba - Enterprise GRC platform with free Community Edition. Modules for compliance, risk management, incidents, vendor assessments.
Trivy - Comprehensive security scanner for containers and IaC. Detects vulnerabilities, misconfigurations, secrets.
kube-bench - Checks Kubernetes clusters against CIS Kubernetes Benchmark.
Kyverno - Kubernetes-native policy management. Enforce, validate, and mutate configurations.
OPA Gatekeeper - Policy controller for Kubernetes using Open Policy Agent.
Havengrc - Open-source GRC platform for compliance management.
GGRC Core - Google's governance, risk, and compliance platform (archived but historically significant).
Govready - Open-source GRC platform for automated compliance assessments.
Probo - Open source compliance automation focused on continuous integration workflows.

Commercial Platforms

Drata - Cloud platform for continuous compliance monitoring and automation. Connects to tech stack for evidence collection. Supports SOC 2, ISO 27001, PCI DSS.
Vanta - Compliance automation platform for SOC 2, ISO 27001. Continuous monitoring with AI-powered questionnaire responses.
Secureframe - End-to-end compliance platform for SOC 2, ISO 27001, HIPAA. Includes policy templates, evidence collection, training, auditor coordination.
Tugboat Logic - Security assurance platform now part of OneTrust. Automated evidence collection and audit project management.
Tenable - Cloud-based and On-prem vulnerability and exposure management.
Hyperproof - Compliance operations platform for ongoing risk and compliance management. Workflow automation and continuous control monitoring.
Sprinto - Automated compliance platform for SOC 2, ISO 27001, GDPR, HIPAA.
Oneleet - Continuous compliance monitoring and automation platform.
Scrut - Automated compliance platform with integrations for real-time monitoring.
Thoropass - Information security and compliance software.
AuditBoard - Leading platform for audit and compliance management. One-stop solution for managing audits, controls, risks, and reporting.
Archer - RSA's GRC platform widely used in enterprises.
LogicGate - Risk Cloud platform tailored for IT Risk, Compliance, Third-Party Risk.
MetricStream - Enterprise GRC platform for integrated risk management.
Onspring - No-code GRC platform for risk, compliance, and audit management.
OneTrust - Privacy, security, and data governance platform. Extensive GRC suite including Vendorpedia.
ServiceNow GRC - Integrated risk and compliance management on ServiceNow platform.
TrustCloud - GRC platform with free trust center offering. Compliance tracking with integrations. (Freemium)
Benchmark ESG - ESG data management and reporting platform.
Diligent ESG - ESG governance and reporting solution.
Locus Technologies - Environmental, health, safety, and sustainability management software.
Novata - ESG data management for private markets.
Novisto - ESG reporting automation platform.
Proof - ESG performance management platform.
Sametrica - ESG impact measurement software.
Workiva - Cloud platform for ESG, financial, and compliance reporting.

Compliance Specifications & Resources

AWS Artifact - Access AWS compliance reports (SOC, ISO, PCI, etc.).
Azure Compliance - Microsoft Azure compliance documentation and reports.
GCP Compliance - Google Cloud compliance resources and certifications.
Unified Compliance Framework - Common Controls Hub with 1000+ mapped authorities (Commercial).
NIST OSCAL - Open Security Controls Assessment Language for machine-readable compliance.
OpenControl - YAML-based compliance documentation framework.
ComplianceForge - Commercial policy libraries and toolkits for multiple frameworks.
Regulations.gov - US federal regulations repository.

Name		Name	Last commit message	Last commit date
Latest commit History 29 Commits
.github		.github
docs		docs
.pre-commit-config.yaml		.pre-commit-config.yaml
.typos.toml		.typos.toml
.yamlfmt		.yamlfmt
LICENSE.md		LICENSE.md
README.md		README.md
Taskfile.yaml		Taskfile.yaml
renovate.json		renovate.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Awesome Compliance

Contents

Frameworks & Standards

Security & Privacy

ESG & Sustainability

Financial & Corporate

Quality & Assurance

Risk Management

Legislative & Regulatory

Privacy Legislation

EU Cybersecurity & AI Regulations

Tools & Platforms

Open Source Platforms

Commercial Platforms

Compliance Specifications & Resources

About

Uh oh!

Releases

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Folders and files

Latest commit

History

Repository files navigation

Awesome Compliance

Contents

Frameworks & Standards

Security & Privacy

ESG & Sustainability

Financial & Corporate

Quality & Assurance

Risk Management

Legislative & Regulatory

Privacy Legislation

EU Cybersecurity & AI Regulations

Tools & Platforms

Open Source Platforms

Commercial Platforms

Compliance Specifications & Resources

About

Topics

Resources

License

Code of conduct

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Packages