Seed Content Registry

This page contains a registry of all content currently available in ZenGRC.

Importing Content

Please contact Reciprocity to schedule a consultation if you'd like to import any of this content into your ZenGRC app. Also contact us if you need a standard or framework not on this page, and we'll schedule a consultation to see how we can support it!

Our seed content comes with two levels of support, described below:

  • Basic Support: The content is transcribed in ZenGRC, and available for your use.

  • Advanced Support: The content is available in ZenGRC, and our staff of GRC Experts is experienced implementing the framework and managing it in ZenGRC. We can offer basic consulting to help you get up and running using the tool, and we provide a set of documented best practices here on our Wiki to help guide you. Our GRC Experts proactively monitor the source content for changes, such as updates or revisions, and publish a notification memo and guidance to help ease your transition.
    • Note: For select frameworks and standards, Illustrative Control and Risk templates are available. If you have questions, please contact your Customer Success Manager or contact Reciprocity support.

FrameworkUse Case / DescriptionUseful Links

Contact us about this!

Common Control Mapping Available
California Consumer Privacy Act (CCPA)The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.Official legislative informationGet help with CCPAYes!
Compliance Controls Catalogue (C5)The Cloud Computing Compliance Controls Catalogue (abbreviated "C5") is intended primarily for professional cloud service providers, their auditors and customers of the cloud service providers. It is defined which requirements (also referred to as controls in this context) the cloud providers have to comply with or which minimum requirements the cloud providers should be obliged to meet.Official Policy PageGet help with C5



The Criminal Justice Information Services (CJIS) Security Policy provides requirements for criminal justice and associated agencies to use when accessing Criminal Justice Information (CJI). This Policy is also applicable to service providers who process CJI on behalf of criminal justice agencies.

The policy prescribes safeguards that must be in place to secure CJI at rest and in transit. The policy integrates guidance from NIST with presidential and FBI directives, along with federal law and is audited periodically by the FBI for compliance. Failure to adhere to the policy may result in sanctions against non-compliant agencies.

Official Policy Page

Get help with CJISYes!
COBIT*COBIT v5 (Control Objectives for Information and Related Technologies) is a framework created by international professional association ISACA for IT management and governance. It is generic and useful for enterprises of all sizes and across sectors, including commercial, not-for-profit, and the public sector. The framework incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. It is meant to be a supportive tool for managers to bridge gaps among technical issues, business risks and control requirements.

General Info

Get help with COBIT v5Yes!
COSO Internal Control–Integrated Framework*The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides non-prescriptive guidance on internal controls, enterprise risk management, and fraud deterrence. COSO 2013 Intergrated Control-Integrated Framework is recognized as leading guidance for designing and implementing internal controls and assessing their effectiveness.

This framework is commonly used as basis for management's evaluation of its internal controls over financial reporting for compliance with the Sarbanes-Oxley Act of 2002 ("SOX").

General Info

Get help with COSOYes!
CSA Cloud Controls MatrixThe Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.

General Info

Get help with CSA CCMYes!
CIS ControlsThe CIS Controls are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics prompted the update and supports an enterprise's security as they move to both fully cloud and hybrid environments.CIS General Info Page

SANS General Info Page
Get help with CSC-CIS/SANS 20Yes!
Cybersecurity Maturity Model Certification (CMMC)The Cybersecurity Maturity Model Certification (CMMC) framework consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD) stakeholders. The model framework organizes these processes and practices into a set of domains and maps them across five levels. In order to provide additional structure, the framework also aligns the practices to a set of capabilities within each domain. The ensuing subsections provide additional information regarding each element of the model.Office of the Under Secretary of Defense for Acquisition & SustainmentGet Help with CMMCYes!
EU/US Privacy Shield

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

The Privacy Shield program enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in self-certifying to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework should review the requirements in their entirety.

General Info

Get help with Privacy ShieldYes!
FedRAMP Low / Moderate / High

"The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a 'do once, use many times' framework..." FedRAMP offers significant cost savings for US Federal Government agencies when using and securing of cloud services, and supports the compliance requirements in the Federal Information Security Management Act (FISMA).

  • The Low/Moderate baselines are appropriate for systems with public or sensitive information, where a breach or loss of availability would have a limited, non-catastrophic impact.
  • The High baseline is appropriate for systems with highly sensitive information, where a breach or loss of availability would have a severe and/or catastrophic impact.

General Info

Official templates

Official documentation

System classification information (FIPS 199)

Get help with FedRAMPYes!
General Data Protection Regulation (GDPR)The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
Get help with GDPRYes!

The Health Insurance Portability and Accountability act (HIPAA) defines rules for the security and privacy of healthcare information, called Protected/Personal Health Information (PHI). The US Department of Health & Human Services (HHS) is responsible for enforcement.

You may be subject to HIPAA if you are a:

  • Covered Entity: a business that generates or processes PHI
  • Business Associate: a business supporting a Covered Entity

HIPAA for Professionals

Covered Entities and Business Associates

Get help with HIPAAYes!
ISO 27001 Annex A with guidance from ISO 27002*The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

ISO IEC 27001:2013 includes Annex A, which lists illustrative information security control objectives and information security controls. It is taken directly from ISO IEC 27002 2013 sections 5 to 18, which provides additional guidance on the implementation, operation, and maintenance of security controls. However, using this framework in not obligatory in order to be ISO 27001 certified.

ISO IEC 27001:2013 section 6.1.3 enables organizations to use Annex A, and/or any other suitable resources, to "produce a Statement of Applicability that contains the necessary controls".

ISO 27000 Family of Standards

ISO 27001 Wikipedia entry

ISO Store

Get help with ISO 27001 Appendix AYes!

ISO 27001/2, 27017, 27018, 27701*

The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Within the ISO 27000 family of standards there are a variety of frameworks which focus on specific areas of information security.

  • 27001:2013 is the best-known standard in the family providing requirements for an information security management system (ISMS).
  • 27002:2013 contains guidelines for organizational information security standards and information security management practices. This includes the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
  • 27017:2015 provides guidance for information security controls applicable to the provision and use of cloud services
  • 27018:2019 establishes control objectives, controls and guidelines for protecting Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
  • 27701:2019 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

ISO 27000 Family of Standards

ISO 27000 Family Wikipedia entry

ISO Store

Get help with ISO 


*ISO 27017 not included

NIST CSFIn response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity," the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or CSF). The CSF is designed to drive an organization's cybersecurity efforts through a risk-based management process. It contains a set of requirements hierarchically structured into Functions, Categories, and Subcategories, as well as Informative References which point to other security frameworks such as ISO 27001, NIST SP 800-53, and COBIT.

The overall franework is structured into three parts:
  1. The Framework Core: A set of cybersecurity requirements, desired outcomes, and the Informative References which guide implementation of security controlsFramework
  2. Implementation Tiers: Describe a level of achievement in an organization's approach to cybersecurity risk assessment and management, representing maturation from informal, reactive processes to risk-driven proactive ones. They range from Partial (Tier 1) to Adaptive (Tier 4).
  3. Framework Profile: Represents the state of an organization's cybersecurity efforts based on analysis against the Framework Categories and Subcategories. A Current Profile is created to judge the organizations as-is state, and a Target Profile is created to identify gaps, opportunites, and the desired outcome of cybersecurity improvement efforts.


NIST CSF Reference Tool (desktop app)

NIST SP 800-53The Federal Information Security Modernization Act (FISMA) requires civilian agencies of the US Federal Government to report on the security posture of their information systems. Businesses supporting these government agencies may also be required to implement such controls, if they interconnect with or operate systems on behalf of the government.

There are a variety of documents which guide the implementation and management of security controls for such systems, including the Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology Special Publications (NIST SP).
  • FIPS 199 & 200: Describes the security categorization of systems and controls needed based on that categorization
  • NIST SP 800-53: The catalog of controls to choose from

NIST SP 800-53 has three risk-based baselines for controls: Low, Moderate, and High. Higher-risk systems require more controls, while lower-risk systems require less stringent levels of protection.

NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

NIST SP 800-53A - Assessing Security and Privacy Controls in Federal Information Systems and Organizations

FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems

FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems

Get help with NIST SP 800-53Yes!
NIST SP 800-171The purpose of NIST 800-171 is to provide agencies with recommended requirements
for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information
systems and organizations; (ii) when the information systems where the CUI resides are not used
or operated by contractors of federal agencies or other organizations on behalf of those agencies;
and (iii) where there are no specific safeguarding requirements for protecting the confidentiality
of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI
category or subcategory listed in the CUI Registry. The requirements apply only to components9
of nonfederal information systems that process, store, or transmit CUI, or that provide security
protection for such components. The CUI requirements are intended for use by federal agencies
in appropriate contractual vehicles or other agreements established between those agencies and
nonfederal organizations. In CUI guidance and the CUI Federal Acquisition Regulation (FAR),
the CUI Executive Agent will address determining compliance with CUI requirements.
NIST 800-171 OverviewGet help with NIST SP 800-171Yes!
NYDFS 23 NYCRR 500Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies (referred to below as “the Cybersecurity Regulation” or “Part 500”). The individuals and entities required to comply with the Cybersecurity Regulation include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law (referred to below as “Covered Entities”).NYDFS 23 NYCRR 500 OverviewGet help with NYDFS 23 NYCRR 500Yes!

The Payment Card Industry Data Security Standard (PCI-DSS) was created by the major credit card brands in 2004 to encourage and enhance the security of credit card data.  The use of the DSS, which is a prescriptive set of requirements for securing credit card data at rest and in transit, is mandated by the major card brands and is required of all organizations accepting credit card payment transactions, known as merchants.  

Merchants are assigned levels based on the number of transactions they process of various brands per year.  These levels determine the type of annual compliance assessment that the merchant must perform, either a self-assessment or one by a third-party Qualified Security Assessor (QSA).  Failure to comply with the PCI-DSS may result in fines from credit card acquirers or even loss of the ability to accept credit card transactions.  The DSS and associated standards are managed by the PCI Security Standards Council and regularly updated as new threats emerge.

PCI-DSS Overview

PCI-DSS Document Download

Get help with PCI-DSS v3.2Yes!
Secure Controls Framework (SCF)

The Secure Controls Framework (SCF) is a comprehensive catalog of controls that is designed to enable companies to design, build and maintain secure processes, systems and applications. The SCF addresses both cybersecurity and privacy, so that these principles are designed to be “baked in” at the strategic, operational and tactical levels.

In developing the SCF, we identified and analyzed 100 statutory, regulatory and contractual frameworks. Through analyzing these thousands of requirements, we identified commonalities and this allows several thousand unique controls to be addressed by the less than 750 controls that makeup the SCF. For instance, a requirement to maintain strong passwords is not unique, since it is required by dozens of frameworks. This allows one well-worded SCF control to address multiple requirements. This focus on simplicity and sustainability is key to the SCF, since it can enable various teams to speak the same controls language, even though they may have entirely different statutory, regulatory or contractual obligations that they are working towards.

Secure Controls Framework PageGet help with the Secure Controls FrameworkN/A

These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the managements of user entities and the user entities’ auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of comply with laws and regulations such as the Sarbanes-Oxley Act and the user entities’ auditors as they plan and perform audits of the user entities’ financial statements. There are two types of reports for these engagements:

  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

The use of these reports are restricted to the management of the service organization, user entities of the service organization and user auditors.

SOC 1 Information Page

Wikipedia SOC Entry

Get help with SOC 1
SOC 2SOC2 is intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Examples of stakeholders who may need these reports are, management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.

SOC 2 Information Page 

Wikipedia SOC Entry

Get help with SOC 2Yes!
SOXPublicly-traded U.S. corporations must maintain compliance with provisions of the Sarbanes-Oxley Act of 2002 (SOX). The U.S. Securities and Exchange Commission (SEC) enforces this law directly and through oversight of the Public Company Accounting Oversight Board (PCAOB). Companies subject to SOX must establish and evaluate internal controls in accordance with other established controls frameworks such as COSO and COBIT.

While there are high-level requirements, SOX is not prescriptive regarding the scope and approach to conducting a SOX assessment of internal controls. Corporate management establishes the design and evaluates the effectiveness of internal controls, which are also assessed externally by public accounting firms.


SEC About Page for SOX

SEC Small Business Page for SOX


Get help with SOX
  • Licensed Content: Content that can be transcribed for license holders is denoted with an asterisk *

Licensing Details

Some of our content comes with licensing restrictions. Please contact Reciprocity if you have questions.

© 2021 Copyright Reciprocity, Inc.