getprobo/awesome-compliance

Awesome Compliance

A curated list of awesome resources for Governance, Risk Management, and Compliance (GRC) professionals.

This list is intended for compliance officers, risk managers, auditors, and cybersecurity professionals who need trusted resources for ISO 27001, SOC 2, SOX, ESG, and more.

Contents

Frameworks & standards

ESG & sustainability

  • B Corp Certification - B Lab's Impact Assessment (Every three years).
  • CDP - Carbon Disclosure Project (self-declarative).
  • GRI Standards - Global Reporting Initiative Standards (self-declarative).
  • ISO 14001 - Environmental management (Annual audit).
  • ISO 45001 - Occupational health and safety (Annual audit).
  • ISO 50001 - Energy management (Annual audit).
  • SASB Standards - Sustainability Accounting Standards Board framework (self-declarative).
  • TCFD - Task Force on Climate-related Financial Disclosures (self-declarative).
  • UN SDGs - United Nations Sustainable Development Goals (self-declarative).

Financial & corporate

  • Basel Framework - Banking supervision standards (Regular supervisory reviews).
  • FCRA - Fair Credit Reporting Act for consumer data accuracy (Annual audit).
  • IFRS - International Financial Reporting Standards (Annual audit).
  • OFDSS - Open Financial Data Security Standard for fintech (self-declarative).
  • PCI-DSS - Payment Card Industry Data Security Standard for credit card protection (Annual audit).
  • SOX ITGC - IT General Controls under Sarbanes-Oxley (Annual audit).

Government & risk management

  • CPS234 - Australian Prudential Standard for financial information security.
  • ISO 42001 - AI Management System standard.
  • NIST CSF - Cybersecurity Framework for managing risk (self-declarative).
  • NIST SP 800-171 - Security controls for protecting Controlled Unclassified Information (CUI).
  • NIST SP 800-53 - Security & privacy controls for federal agencies (self-declarative).

Quality management

  • AS9100 - Aerospace quality management (Annual surveillance).
  • cGMP - FDA inspections required.
  • ISO 9001 - Quality management systems (3-year certification cycle).
  • ISO 13485 - Medical devices quality management (Annual surveillance).
  • ISO 22000 - Food safety management (Annual surveillance).
  • ISO/TS 16949 - Automotive quality management (Annual surveillance).

Security, privacy & data protection

  • CCPA - California Consumer Privacy Act (self-declarative).
  • CMMC - Cybersecurity framework for government contractors (Annual audit).
  • CSA STAR - Cloud security and compliance certification (depends on level).
  • FedRAMP - Federal Risk and Authorization Management Program (Annual assessment).
  • FISMA - Federal Information Security Modernization Act (Annual audit).
  • GDPR - General Data Protection Regulation (Self-assessment with DPO) (self-declarative).
  • HIPAA - Health Insurance Portability and Accountability Act (Regular audits required).
  • HITRUST CSF - Security framework used in healthcare (Annual audit).
  • ISO 27001 - Information security management (Annual audit).
  • ISO 27002 - Security controls guidance for ISO 27001 (self-declarative).
  • ISO 27017 - Cloud-specific security practices (self-declarative).
  • ISO 27018 - Cloud privacy controls for protecting PII (self-declarative).
  • ISO 27701 - Privacy Information Management System standard (Annual audit).
  • Microsoft SSPA - Microsoft's Supplier Security & Privacy Assurance (Annual audit).
  • NIST AI RMF - Risk management framework for AI governance (self-declarative).
  • PIPEDA - Personal Information Protection and Electronic Documents Act (self-declarative).
  • SOC 1 - Reporting on internal financial controls (Annual audit).
  • SOC 2 - Service Organization Control reports (Annual audit).
  • SOC 3 - Public report summarizing SOC 2 compliance (Annual audit).
  • US Data Privacy (USDP) - Generalized US data privacy regulations (self-declarative).

Tools & software

Compliance automation

  • Drata - Security compliance automation for SOC 2, ISO 27001, PCI DSS.
  • Fortinet - Security compliance automation platform.
  • HIPAA One - HIPAA compliance for healthcare businesses.
  • Oneleet - End-to-end security compliance automation for SOC 2, ISO 27001, and more.
  • Probo - Compliance automation platform for SOC 2, ISO 27001 & more. Open Source
  • Secureframe - Automated security compliance for SOC 2, ISO 27001, HIPAA.
  • Sprinto - Compliance automation for SOC 2, ISO 27001.
  • Scrut - Compliance automation for security frameworks.
  • Thoropass - Compliance automation and audit management.
  • Tugboat Logic - Security assurance platform for SOC 2, ISO 27001.
  • Vanta - Automated security monitoring and SOC 2, ISO 27001, HIPAA compliance.

ESG & sustainability platforms

GRC

Risk & compliance management

Security assessment

  • OpenVAS - Vulnerability assessment scanner. Open Source
  • OSSEC - Host-based Intrusion Detection System. Open Source
  • Trivy - Vulnerability and compliance scanner for containers and infrastructure. Open Source
  • Wazuh - Security monitoring platform. Open Source

Other resources

Community

Content

  • ISO27001.zip - Implementation guide for ISO 27001.
  • MITRE ATT&CK - Open framework for understanding adversarial tactics and techniques.
  • SOC2 FYI - Guide comparing available solutions for SOC2.
  • SOC2 reports - Conference on what to expect from SOC2 reports.

Contributing

Feel free to open a pull request if you'd like to add or update resources. Please ensure your contribution follows the awesome list guidelines.

Related