awesome-grc-engineering
Curated resources for GRC engineering: automation, policy as code, and continuous compliance
https://github.com/ethanolivertroy/awesome-grc-engineering
Related Awesome Lists
Infrastructure & Automation
- Awesome Kubernetes - Kubernetes resources including policy enforcement and governance.
- Awesome Terraform - Infrastructure as Code tools and patterns using Terraform.
Security & Compliance
- Awesome Security - Comprehensive security tools, libraries, and resources across all security domains.
- Awesome Threat Intelligence - Threat intelligence resources for risk-informed decision making.
- Awesome DevSecOps - Security integrated into DevOps workflows and CI/CD pipelines.
Evidence Automation
- AWS CloudTrail
- Syft
- Drata (Commercial)
Policy as Code
- HashiCorp Sentinel
- OPA (Open Policy Agent)
- OPA Gatekeeper
- Kyverno
- Cloud Custodian
Learning Resources
Books & Courses
- How to Measure Anything in Cybersecurity Risk - **Audience: Both** - Learn quantitative risk analysis using FAIR (Factor Analysis of Information Risk) methodology. For GRC professionals: move beyond qualitative heat maps to data-driven measurement. For engineers: translate security metrics into business risk language with statistical rigor. Foundational text for modern risk quantification.
- GRC Engineering for AWS - **Audience: Both** - Hands-on guidance for implementing governance, risk, and compliance engineering in AWS environments. Learn to translate SOC2, ISO 27001, and FedRAMP requirements into AWS services, infrastructure-as-code, and automated evidence pipelines. Written by LinkedIn Learning instructor AJ Yawn with 180K+ course completions.
- Cybersecurity Foundations: GRC by AJ Yawn - **Audience: technical→GRC** - LinkedIn Learning course teaching foundational GRC concepts (SOC2, ISO 27001, NIST frameworks) for engineers. Learn how engineering teams contribute to compliance programs and why certain controls exist from a business perspective.
- GRC Training Courses by Ayoub Fandi - **Audience: Both** - LinkedIn Learning courses covering GRC implementation patterns, risk management frameworks, and bridging compliance with platform engineering teams. Practical focus on real-world implementation challenges.
Blogs & Newsletters
- The GRC Engineer Newsletter - Ayoub Fandi's newsletter featuring practitioner stories from Netflix, Zoom, IKEA, and other organizations implementing GRC engineering principles. Learn from peer implementations, automation strategies, and how leading GRC teams collaborate with platform engineering. 40 posts in 2025 with 67,500 words of content covering frameworks, real-world challenges, and hands-on case studies.
- blog.grc.engineering - Implementation guides and case studies for GRC automation and continuous compliance. Learn about SOC2 continuous assurance (ALCOVE framework), framework automation trends, and GRC's evolution into platform engineering collaboration. Practitioner-focused content moving GRC from theory to engineering practice.
- Cloud Security Guy on GRC Engineering - Substack newsletter covering why GRC engineering is the future of compliance, bridging cloud security and governance practices. Learn how security engineering and compliance converge in cloud-native environments.
GRC Engineering Fundamentals
- GRC Engineering Manifesto - Core principles of treating compliance as engineering problems to solve. Learn the philosophy behind automation, continuous compliance, and replacing compliance theater with measurable outcomes. Essential reading for understanding the mindset shift from checkbox auditing to engineering-driven GRC.
- GRC Engineering Learning Hub - Community-developed knowledge base with curated books, courses, podcasts, and blogs. Navigate from foundational concepts through hands-on implementation resources. Central starting point for both GRC professionals learning technical skills and engineers learning compliance frameworks.
Security Scanners
GRC Platforms
- GovReady-Q
- CISO Assistant
- Eramba
- OpenGRC
Frameworks
NIST (OSCAL, CSF, 800-53)
- GitHub: usnistgov/OSCAL - OSCAL models, schemas, validation tools, and developer resources. Core repository for implementing OSCAL in security automation workflows.
- GitHub: usnistgov/oscal-content - NIST SP 800-53 Rev 5 security control catalog and baselines in OSCAL formats (XML/JSON/YAML). Official machine-readable versions of federal security controls.
- OSCAL Project - Official NIST documentation, getting started guides, and learning materials for the Open Security Controls Assessment Language.
- CSWP 53: Charting the Course for NIST OSCAL - NIST's strategic roadmap (December 2025) for OSCAL's future, including AI agent integration, digital twins for security modeling, and autonomous risk reasoning capabilities.
FedRAMP
- GitHub: GSA/fedramp-automation - Official FedRAMP OSCAL templates in XML, JSON, and YAML formats. Includes System Security Plans, Security Assessment Plans/Reports, and POA&M templates with FedRAMP extensions.
- FedRAMP OSCAL Templates - Official FedRAMP OSCAL templates including System Security Plans, POA&M, SAP, and SAR in XML, JSON, and YAML formats.
- OSCAL and FedRAMP Automation Guide - Implementation guidance for July 2026 OSCAL mandate: converting existing documentation, validation workflows, and automation strategies.
SOC 2
- SOC 2 is dead, long live SOC 2! - Learn the ALCOVE framework for continuous SOC 2 assurance: Automated control monitoring, continuous evidence collection, and real-time compliance visibility. Practitioner guide to modernizing SOC 2 from point-in-time to continuous.
- The Complete Guide to SOC 2 Automation - Platform-agnostic automation patterns: evidence collection pipelines, continuous monitoring architectures, and control mapping to infrastructure.
ISO 27001
- A Quick-Start Guide To ISO 27001 Compliance Automation - Learn to automate ISO 27001 implementation: mapping controls to cloud infrastructure, building evidence collection pipelines, and integrating compliance into engineering workflows.
- Automating ISO 27001 and SOC 2 Evidence Collection - Multi-framework automation patterns enabling evidence reuse across ISO 27001 and SOC 2, reducing redundant effort and maintaining consistency across compliance programs.
Community
Communities & Forums
- GRC, Audit and Compliance Discord - Text and voice chat for GRC, audit, and compliance topics with channels for InfoSec, IT Audit, and Risk Management. Active community for real-time discussion and peer support.
- SAHL GRC Community - Compliance professionals discussing automation, continuous controls monitoring, and GRC-as-code patterns. Community launched 2025 focused on modern compliance approaches.
Conferences & Events
- ISACA GRC Conference - Annual joint ISACA/IIA event (August timeframe) with 40+ expert sessions on governance, risk management, and control. Offers up to 28 CPE credits and covers both traditional GRC practices and emerging automation approaches.
- #RISK Europe - Europe's leading Risk, GRC, Security & RegTech Expo held annually in London. Features 5 content stages covering GRC, InfoSec, third-party risk, and regulatory technology.
- Compliance Week National - Annual conference for 500+ compliance, ethics, legal, and audit professionals. Focus on regulatory compliance and ethics programs with networking opportunities across industries.
Categories
Sub Categories (number of entries):
- NIST (OSCAL, CSF, 800-53): 4
- Books & Courses: 4
- FedRAMP: 3
- Security & Compliance: 3
- Conferences & Events: 3
- Blogs & Newsletters: 3
- Infrastructure & Automation: 2
- OPA Gatekeeper: 2
- Communities & Forums: 2
- Kyverno: 2
- Checkov: 2
- SOC 2: 2
- AWS CloudTrail: 2
- OpenGRC: 2
- CISO Assistant: 2
- GRC Engineering Fundamentals: 2
- Syft: 2
- HashiCorp Sentinel: 2
- ISO 27001: 2
- GovReady-Q: 1
- OPA (Open Policy Agent): 1
- Grype: 1
- Eramba: 1
- Drata (Commercial): 1
- Trivy: 1
- Semgrep: 1
- Cloud Custodian: 1
- Prowler: 1
Keywords (number of entries): security (8), kubernetes (6), docker (5), compliance (5), aws (4), azure (4), go (4), static-analysis (4), golang (3), containers (3), oscal (3), infrastructure-as-code (3), gcp (3), policy (3), opa (3), json (3), authorization (3), awesome-list (3), awesome (2), tool (2), oci (2), cyclonedx (2), vulnerability (2), security-tools (2), devsecops (2), python (2), cloud (2), validation (2), policy-engine (2), mutation (2), gatekeeper (2), cncf (2), admission (2), terraform (2), devops (2), xml (2), automation (2), c (1), ssp (1), java (1), javascript (1), security-assessment-report (1), r2c (1), ruby (1), sast (1), semgrep (1), security-assessment-plan (1), static-code-analysis (1), typescript (1), sar (1)