A curated set of resources for IT and cybersecurity professionals working on GRC topics, covering frameworks, standards, templates, tools, and learning materials.
Last updated: 25th January, 2026
Standards and frameworks 📘
Global
- NIST SP 800-53 (my personal favorite reference for security controls ❤️) – A comprehensive catalog of security and privacy controls primarily for US federal systems.
- NIST Cybersecurity Framework (CSF) 2.0 – A voluntary framework for managing and reducing cybersecurity risk across any industry. This is becoming pretty popular and a lot of companies use this framework to benchmark themselves. See NIST CSF’s popularity.
- ISO 27001 – The certifiable standard for building an Information Security Management System (ISMS). This standard has an Annex (Annex A) which contains a list of security controls.
- ISO 27002 – To be used along with ISO 27001, this is like an implementation guide providing best-practice details for the controls listed in ISO 27001’s Annex A.
- CIS Critical Security Controls – A prioritized set of best-practice cybersecurity actions designed to help organizations reduce the most common attacks and improve overall security.
- PCI-DSS – Mandatory security standards for companies that store, process, or transmit payment card data from the major card brands like Visa, Mastercard, AmEx, Discover and JCB.
- SOC 2 Trust Services Criteria – The auditing standard for service organizations to prove security, availability, and confidentiality to clients. SOC 2 Type 2 is a popular assurance framework used by many product companies, in which an independent audit verifies your controls against the Trust Services Criteria.
- CSA Cloud Controls Matrix (CCM) – A security control framework specifically designed for cloud computing environments.
- ITGC – Information Technology General Controls – Foundational IT controls that ensure the reliability of data, systems, and financial reporting across the enterprise. This is used mainly as part of annual financial audits and for SOX compliance.
United States
- NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
- Cybersecurity Maturity Model Certification (CMMC) Program
- CMMC Resources list: https://dowcio.war.gov/CMMC/Resources-Documentation/
United Kingdom
- UK Cyber Essentials
- Cyber Assessment Framework (CAF) – for organisations operating essential services
Australia
- Essential Eight – Australian Signals Directorate’s prioritized list of eight mitigation strategies aimed at preventing malware and recovering data after incidents.
- Essential Eight Maturity Model – A maturity model to be used along with the Essential Eight framework.
- ACSC Information Security Manual (ISM) – The cyber security framework for Australian government agencies, outlining risk-based controls and guidelines.
Germany
- IT-Grundschutz (IT Baseline Protection) English version
- IT-Grundschutz-Compendium (IT Baseline Protection Compendium) English version
European Union
- NIS2
  - Directive – https://eur-lex.europa.eu/eli/dir/2022/2555
  - ENISA’s NIS2 Technical Implementation Guidance. This page also includes a spreadsheet showing the mapping between NIS2 and other frameworks such as ISO 27001, NIST CSF 2, etc.
  - NIS2 Awareness Materials
- CRA (Cyber Resilience Act)
- DORA (Digital Operational Resilience Act)
  - Official homepage
  - Germany’s financial sector regulator BaFin has some good templates for use with DORA:
GRC Engineering
- GRC Engineering Manifesto
- GRC Engineering is an emerging approach that uses automation and good technical design so that risk, compliance, and governance activities happen continuously and reliably. In this approach there is an emphasis on proactively managing risk and compliance (using code) and on real-time monitoring rather than relying on manual audits.
Risk Management
- NIST’s Risk Management resources. I consider NIST to be the best resource for security folks on the topic of risk management.
  - NIST Risk Management Framework (RMF)
  - Guide for Conducting Risk Assessments
  - Cybersecurity Supply Chain Risk Management Practices
  - Integrating with Enterprise Risk Management
- FAIR Methodology – the most popular approach for Quantitative Risk Assessment
  - FAIR Institute
  - Open FAIR – The Open Group publishes Open FAIR as an open, vendor-neutral standard
Templates and Practical aids 📋
- Eramba’s GRC Templates – Eramba has an excellent set of free templates covering various frameworks, policies, examples of internal controls and questionnaires you can use.
- Andrey Prozorov’s Patreon site – has a number of templates and ready-to-use resources you could buy.
- GitHub repo for the GRC Engineering For AWS Book – has the code examples used in the book. It’s great if you want to try some examples of GRC Engineering and get an idea of how to practically implement some of these.
- European Court of Auditors’ Guideline for Audit of IT Environment
- European Court of Auditors’ IT General Controls Checklist – https://methodology.eca.europa.eu/aware/Documents/IT-general-controls-checklist.docx
I have shared many templates on this site:
- NIST CSF 2.0 Maturity Assessment Template
- ISO 27001 Gap and Maturity Assessment Templates
- Risk Register Template for Information Security
- Risk Assessment Template
- DORA Gap Assessment Template
Tools and Solutions 🛠️
- G2.com’s list of Governance, Risk and Compliance solutions – https://www.g2.com/categories/governance-risk-compliance
- My own compilation of GRC tools – https://allaboutgrc.com/grc-tools/
Influencers to follow 👨‍💻
- AJ Yawn
- Chris Hall
- Jacob Horne
- Ayoub Fandi
- Jacob Hill
- Aron Lange
- Andrey Prozorov
- Ross Young
- Linda Tuck Chapman
- Tony Martin Vegue
- Christophe Foulon
- Henrik Parkkinen
- Jane Frankland
- Gerald Auger
- Michael Rasmussen
- Prabh Nair (his CISSP course and videos are pretty popular in India)
Communities to follow 👨‍💻
- ISO 27001 Security Google Group – the best place to ask your questions about ISO 27001.
- GRC Engineering Club (paid) run by AJ Yawn.
- GRC subreddit
- NIST Controls subreddit
- Cybersecurity subreddit
- ISACA online forums
Podcasts 🎧
- Security and GRC Decoded from ComplianceCow – Host: Raj Krishnamurthy
- Summit 7 live streams for all things CMMC
- GRC Academy
- Risk Is Our Business – Host: Michael Rasmussen
- The Hitchhiker’s Guide to the GRC Technology Galaxy – also hosted by Michael Rasmussen
- GRC Uncensored
- GRC Engineer
- GRC & ME
- TrustTalks – Podcasts on security and GRC
- Risk Management Show
Certifications 📜
- CISSP – Certified Information Systems Security Professional
- CISM – Certified Information Security Manager
- CISA – Certified Information Systems Auditor
- ISO 27001 Lead Auditor
- ISO 27001 Lead Implementer
- CRISC – Certified in Risk and Information Systems Control
- CCSK – Certificate of Cloud Security Knowledge
CMMC Certifications
- CMMC Certified Professional (CCP)
- CMMC Certified Assessor (CCA)
- CMMC Certified Instructor (CCI)
- Lead CMMC Certified Assessor (LCCA)
CyberAB’s official page about these certifications – https://cyberab.org/CMMC-Ecosystem/Ecosystem-Roles/Assessing-and-Certification
Courses
ISO 27001
- MasterMind’s self-paced course: https://learn.mastermindassurance.com/products/courses/iso-27001-lead-auditor
DORA
Others
- Cybersecurity Foundations: Governance, Risk, and Compliance (GRC)
- Tekfused has a number of PECB accredited courses, including Lead Auditor and Lead Implementer courses on ISO 27001, ISO 42001, GDPR, etc.: https://tekfused.com/marketplace/
- GRC Lab offers courses on ISO 27001 and NIST CSF: https://grclab.com/courses
- The Definitive GRC Analyst Program
- CSA offers a STAR Lead Auditor Training course
Similar resources
- Awesome Security GRC repo on GitHub is a really cool collection of GRC resources