https://github.com/getprobo/awesome-compliance

A curated list of tools, frameworks, and resources for IT compliance, security standards, and regulatory requirements

# Awesome Compliance [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)

A curated list of awesome resources for Governance, Risk Management, and Compliance (GRC) professionals.

This list is intended for **compliance officers, risk managers, auditors, and cybersecurity professionals** or for **people with a compliance need** who need trusted resources for **ISO 27001, SOC 2, SOX, ESG compliance, and more**.

## Contents
- [Frameworks & standards](#frameworks--standards)
- [Tools & software](#tools--software)
- [Other resources](#other-resources)

## Frameworks & standards

### ESG & sustainability
- [B Corp Certification](https://www.bcorporation.net/) - B Lab's Impact Assessment (Every three years).
- [CDP](https://www.cdp.net/) - Carbon Disclosure Project (self-declarative).
- [GRI Standards](https://www.globalreporting.org/) - Global Reporting Initiative Standards (self-declarative).
- [ISO 14001](https://www.iso.org/iso-14001-environmental-management.html) - Environmental management (Annual audit).
- [ISO 45001](https://www.iso.org/iso-45001-occupational-health-and-safety.html) - Occupational health and safety (Annual audit).
- [ISO 50001](https://www.iso.org/iso-50001-energy-management.html) - Energy management (Annual audit).
- [SASB Standards](https://www.sasb.org/) - Sustainability Accounting Standards Board framework (self-declarative).
- [TCFD](https://www.fsb-tcfd.org/) - Task Force on Climate-related Financial Disclosures (self-declarative).
- [UN SDGs](https://sdgs.un.org/) - United Nations Sustainable Development Goals (self-declarative).

### Financial & corporate
- [Basel Framework](https://www.bis.org/basel_framework/) - Banking supervision standards (Regular supervisory reviews).
- [FCRA](https://www.consumerfinance.gov/) - Fair Credit Reporting Act for consumer data accuracy (Annual audit).
- [IFRS](https://www.ifrs.org/) - International Financial Reporting Standards (Annual audit).
- [OFDSS](https://www.financialdataexchange.org/) - Open Financial Data Security Standard for fintech (self-declarative).
- [PCI-DSS](https://www.pcisecuritystandards.org/) - Payment Card Industry Data Security Standard for credit card protection (Annual audit).
- [SOX ITGC](https://www.sec.gov/spotlight/sarbanes-oxley.htm) - IT General Controls under Sarbanes-Oxley (Annual audit).

### Government & risk management
- [CPS234](https://www.apra.gov.au/cps-234-information-security) - Australian Prudential Standard for financial information security.
- [ISO 42001](https://www.iso.org/standard/81278.html) - AI Management System standard.
- [NIST CSF](https://www.nist.gov/cyberframework) - Cybersecurity Framework for managing risk (self-declarative).
- [NIST SP 800-171](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) - Security controls for protecting Controlled Unclassified Information (CUI).
- [NIST SP 800-53](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) - Security & privacy controls for federal agencies (self-declarative).

### Quality management
- [AS9100](https://www.sae.org/standards/as9100/) - Aerospace quality management (Annual surveillance).
- [cGMP](https://www.fda.gov/drugs/pharmaceutical-quality-resources/current-good-manufacturing-practice-cgmp-regulations) - FDA inspections required.
- [ISO 9001](https://www.iso.org/iso-9001-quality-management.html) - Quality management systems (3-year certification cycle).
- [ISO 13485](https://www.iso.org/standard/59752.html) - Medical devices quality management (Annual surveillance).
- [ISO 22000](https://www.iso.org/iso-22000-food-safety-management.html) - Food safety management (Annual surveillance).
- [ISO/TS 16949](https://www.iatf.org/) - Automotive quality management (Annual surveillance).

### Security, privacy & data protection
- [CCPA](https://oag.ca.gov/privacy/ccpa) - California Consumer Privacy Act (self-declarative).
- [CMMC](https://www.acq.osd.mil/cmmc/) - Cybersecurity framework for government contractors (Annual audit).
- [CSA STAR](https://cloudsecurityalliance.org/star/) - Cloud security and compliance certification (depends on level).
- [FedRAMP](https://www.fedramp.gov/) - Federal Risk and Authorization Management Program (Annual assessment).
- [FISMA](https://www.cisa.gov/federal-information-security-modernization-act) - Federal Information Security Modernization Act (Annual audit).
- [GDPR](https://gdpr.eu/) - General Data Protection Regulation (self-assessment with DPO; self-declarative).
- [HIPAA](https://www.hhs.gov/hipaa/index.html) - Health Insurance Portability and Accountability Act (Regular audits required).
- [HITRUST CSF](https://hitrustalliance.net/) - Security framework used in healthcare (Annual audit).
- [ISO 27001](https://www.iso.org/isoiec-27001-information-security.html) - Information security management (Annual audit).
- [ISO 27002](https://www.iso.org/isoiec-27002-information-security.html) - Security controls guidance for ISO 27001 (self-declarative).
- [ISO 27017](https://www.iso.org/standard/43757.html) - Cloud-specific security practices (self-declarative).
- [ISO 27018](https://www.iso.org/standard/76559.html) - Cloud privacy controls for protecting PII (self-declarative).
- [ISO 27701](https://www.iso.org/standard/71670.html) - Privacy Information Management System standard (Annual audit).
- [Microsoft SSPA](https://www.microsoft.com/en-us/trust-center/privacy/data-protection-requirements) - Microsoft's Supplier Security & Privacy Assurance (Annual audit).
- [NIST AI RMF](https://www.nist.gov/itl/ai-risk-management-framework) - Risk management framework for AI governance (self-declarative).
- [PIPEDA](https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/) - Personal Information Protection and Electronic Documents Act (self-declarative).
- [SOC 1](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-1) - Reporting on internal financial controls (Annual audit).
- [SOC 2](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2) - Service Organization Control reports (Annual audit).
- [SOC 3](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-3) - Public report summarizing SOC 2 compliance (Annual audit).
- [US Data Privacy (USDP)](https://iapp.org/) - Generalized US data privacy regulations (self-declarative).

## Tools & software
### Compliance automation
- [Drata](https://drata.com/) - Security compliance automation for SOC 2, ISO 27001, PCI DSS.
- [Fortinet](https://www.fortinet.com/) - Security compliance automation platform.
- [HIPAA One](https://www.hipaaone.com/) - HIPAA compliance for healthcare businesses.
- [Oneleet](https://oneleet.com/) - End-to-end security compliance automation for SOC 2, ISO 27001, and more.
- [Probo](https://github.com/getprobo/probo) - Compliance automation platform for SOC 2, ISO 27001 & more - **Open source**.
- [Secureframe](https://secureframe.com/) - Automated security compliance for SOC 2, ISO 27001, HIPAA.
- [Sprinto](https://sprinto.com/) - Compliance automation for SOC 2, ISO 27001.
- [Scrut](https://www.scrut.io/) - Compliance automation for security frameworks.
- [Thoropass](https://www.thoropass.com/) - Compliance automation and audit management.
- [Tugboat Logic](https://tugboatlogic.com/) - Security assurance platform for SOC 2, ISO 27001.
- [Vanta](https://www.vanta.com/) - Automated security monitoring and SOC 2, ISO 27001, HIPAA compliance.

### ESG & sustainability platforms
- [Benchmark ESG](https://www.benchmarkdigital.com/) - ESG performance management.
- [Diligent ESG](https://www.diligent.com/solutions/esg/) - ESG and board governance.
- [Locus Technologies](https://locustec.com/) - ESG reporting and EHS compliance.
- [Novata](https://novata.com/) - ESG solution.
- [Novisto](https://novisto.com/) - ESG data management.
- [Proof](https://proof.io/) - ESG data management.
- [Sametrica](https://sametrica.com/) - ESG data collection.
- [Workiva](https://www.persefoni.com/partners/workiva) - Financial and ESG reporting platform.

### GRC
- [AuditBoard](https://www.auditboard.com/) - Audit, risk and compliance management platform.
- [Archer](https://www.archerirm.com/) - RSA's GRC platform.
- [Hyperproof](https://hyperproof.io/) - Compliance operations platform with automated workflows.
- [LogicGate](https://www.logicgate.com/) - Risk Cloud platform.
- [MetricStream](https://www.metricstream.com/) - GRC Cloud platform.
- [Onspring](https://www.onspring.com/) - Versatile GRC software.
- [OneTrust](https://www.onetrust.com/) - Privacy & GRC platform.
- [ServiceNow GRC](https://www.servicenow.com/products/governance-risk-and-compliance.html) - Enterprise GRC platform.
- [TrustCloud](https://www.trustcloud.ai/) - GRC automation.

### Risk & compliance management
- [GRR Rapid Response](https://github.com/google/grr) - Open-source incident response framework by Google - **Open source**.

### Security assessment
- [OpenVAS](https://github.com/greenbone/) - Vulnerability assessment scanner - **Open source**.
- [OSSEC](https://github.com/ossec/ossec-hids) - Host-based Intrusion Detection System - **Open source**.
- [Trivy](https://github.com/aquasecurity/trivy) - Vulnerability and compliance scanner for containers and infrastructure - **Open source**.
- [Wazuh](https://github.com/wazuh) - Security monitoring platform - **Open source**.

## Other resources

### Community
- [ISO 27001 Forum](https://www.iso27001security.com/) - ISO27K forum.
- [r/Compliance](https://www.reddit.com/r/Compliance/) - Reddit compliance community.

### Content
- [ISO27001.zip](https://www.iso27001.zip/) - Implementation guide for ISO 27001.
- [MITRE ATT&CK](https://attack.mitre.org/) - Open framework for understanding adversarial tactics and techniques.
- [SOC2 FYI](https://www.soc2.fyi/) - Guide comparing available solutions for SOC 2.

## Contributing
Feel free to open a pull request if you'd like to add or update resources. Please ensure your contribution follows the [awesome list guidelines](https://github.com/sindresorhus/awesome/blob/main/contributing.md).

## Related

- [Awesome GDPR](https://github.com/oppoverbakke/awesome-gdpr).