A reference library you can cite, not just read.
The GRC Library is a complete, cross-referenced set of governance, risk, and compliance documentation, charters, policies, procedures, standards, registers, and templates, written to be adopted and adapted by any organization. It is not advice or a product; it is a public corpus, released under CC BY-SA 4.0, that enterprises, Crown and public-sector bodies, regulated institutions, security and compliance teams, auditors, and startups can adopt from directly and tailor to their own context.
Every document is a controlled artefact
Each one carries the same 13-field metadata block, version, owner, approving authority, classification, review cadence, and a fixed section model, so it reads and audits consistently.
Nothing stands alone
Documents reference each other and map to external frameworks, so a control in one domain traces to its obligations, registers, and standards in the others.
Built to be adopted
Adopter guides, decision trees, quick-start and maturity-roadmap templates, and a worked example turn the corpus into a programme you can stand up, not a shelf reference.
Machine-auditable by construction.
What makes the library different is the toolchain behind it. The corpus is governed by a stdlib-only Python audit programme: a detailed, continuously-expanding suite of automated quality gates that run in CI on every change and keep the documentation internally consistent, citable, and free of drift.
Nothing ships unchecked
Broken-link checks, cross-reference integrity, version monotonicity, and secret- and PII-scanning gates block a change before it can merge.
Verified, not asserted
External-standard references are checked against a canonical citations register and flagged when a cited standard goes stale or names a superseded edition.
Mapped to the frameworks
Controls and citations cross-walk to the recognized standards, ISO, NIST, CSA, and OWASP among them, and a gate checks that every control code an alignment table cites is a real identifier in the framework it names.
Indexes derive from the source
The taxonomy, the document portal, and the maturity scorecard are generated from each document’s own metadata, never hand-maintained, so they cannot silently drift.
One consistent voice
A prose linter enforces house style across the whole corpus, so hundreds of documents from many sittings read as one coherent body of work.
The gates are tested too
Every gate ships with regression fixtures, worked examples of what should pass and what should fail, so the checks that guard the corpus are themselves held to a test suite.
For AI-assisted teams
The governance pack behind it, open for reuse.
This corpus is maintained largely by an AI assistant, working under a compact pack of governance rules that keep it honest: evidence before assertion, no quality gate weakened to force a pass, ambiguity surfaced before action, and integrity ahead of speed. Those rules are library-original content, ship under the same CC BY-SA 4.0 licence as the corpus, and are written to be lifted straight into any AI-assisted project, not only this one.
Quality outranks speed and cost
A fixed, lexicographic priority the assistant cannot trade away: correctness first, then speed, then cost. Nothing ships worse to ship it faster or cheaper.
A failing check is fixed, never silenced
When a quality gate fails, the artefact that tripped it is fixed. Disabling, downgrading, or bypassing a check to force a pass is off the table.
Nothing is called done without proof
Every completion or state claim rests on a re-read and a check, not on assumption. What has not been verified is labelled unverified, not asserted as fact.
Ambiguity is surfaced, not guessed
When a request has more than one reasonable reading, the assistant asks with named options rather than silently picking, so work is not built on the wrong one.
Assumptions are checked before they drive work
Before an action depends on a claim about the current state, that claim is confirmed with a concrete check, so one wrong premise cannot cascade into wrong work.
High-stakes changes get independent review
For a change no automated check can fully judge, independent adversarial verifiers and a deterministic, re-checked apply carry the correctness, not a single pass.
The corpus, by domain.
| § | Domain | Scope | Documents |
|---|---|---|---|
| 01 | privacy | Data protection, privacy engineering, and multi-jurisdiction obligations | |
| 02 | ai | AI governance, assurance, and lifecycle risk controls | |
| 03 | compliance | Regulatory mapping, control frameworks, and sector audit readiness | |
| 04 | governance | Charters, policies, registers, and the programme operating model | |
| 05 | security | Information-security controls, architecture, and operations | |
| 06 | operations | Operational security, monitoring, and IT service management | |
| 07 | resilience | Business continuity, disaster recovery, and incident response | |
| 08 | supply-chain | Third-party, vendor, and supply-chain security management | |
| 09 | dev-security | Secure development lifecycle, CI/CD, and pipeline controls | |
| 10 | risk | Risk methodology, assessment, and treatment | |
| 11 | architecture | Reference architectures and secure-design control patterns |
Domain counts total 310; a further 2 programme-level specification documents sit at the corpus root, for 312 in all.
By document type
Standards & frameworks it maps to.
The library maps its controls and citations to the recognized standards, regulations, and frameworks below. Each is recorded, with its current edition, in a canonical citations register that the toolchain checks for currency, so a citation cannot silently name a superseded edition.
Information security & management systems
- ISO/IEC 27001:2022Information security management
- ISO/IEC 27002:2022Information security controls
- ISO/IEC 27005:2022Information security risk management
- ISO/IEC 27017:2015Cloud service security controls
- ISO/IEC 27018:2025PII protection in public clouds
- ISO/IEC 27701:2025Privacy information management
- ISO 22301:2019Business continuity management
- ISO 31000:2018Risk management
- ISO/IEC 38500:2024Governance of IT
- ISO 37301:2021Compliance management
- ISO 28000:2022Supply-chain security management
AI governance & assurance
- ISO/IEC 42001:2023AI management systems
- ISO/IEC 42005:2025AI system impact assessment
- ISO/IEC 23894:2023AI risk management
- ISO/IEC 5259:2024Data quality for AI / ML
- NIST AI RMF 1.0AI Risk Management Framework
- NIST AI 600-1Generative AI profile
- EU AI ActRegulation (EU) 2024/1689
- OECD AI Principles2019, updated 2024
- CSA AICM v1.1AI Controls Matrix
- OWASP LLM Top 10 (2025)LLM application risks
- MITRE ATLASAdversarial threats to AI
NIST cybersecurity
- NIST CSF 2.0Cybersecurity Framework
- NIST SP 800-53 Rev. 5Security & privacy controls
- NIST SP 800-63B Rev. 4Digital identity / authentication
- NIST SP 800-61 Rev. 3Incident response
- NIST SP 800-207Zero Trust Architecture
- NIST SP 800-218Secure software development (SSDF)
- NIST SP 800-161 Rev. 1Supply-chain risk management
- NIST SP 800-82 Rev. 3Operational technology (OT) security
- NIST SP 800-88 Rev. 2Media sanitization
Global data-protection law
- EU GDPRRegulation (EU) 2016/679
- UK GDPR / DPA 2018UK data protection
- US CCPA / CPRACalifornia consumer privacy
- Brazil LGPDLei Geral de Proteção de Dados
- Canada PIPEDAFederal privacy law
- Australia Privacy Act 1988as amended 2024
- Singapore PDPAPersonal Data Protection Act
- India DPDPA 2023Digital Personal Data Protection Act
- China PIPLPersonal Information Protection Law
- Switzerland nFADPrevised Federal Act on Data Protection
EU digital & sector regulation
- EU NIS2Directive (EU) 2022/2555
- EU DORARegulation (EU) 2022/2554
- EU Data ActRegulation (EU) 2023/2854
- EU eIDAS 2Regulation (EU) 2024/1183
- US HIPAAHealth information privacy & security
- US SOXSarbanes-Oxley Act
- PCI DSS 4.0.1Payment card data security
- Basel IIIBanking regulation framework
Security frameworks & threat models
- OWASP Top 10 (2025)Web application risks
- OWASP ASVS 5.0App security verification
- OWASP SAMM 2.0Software assurance maturity
- CSA CCM v4.1Cloud Controls Matrix
- COBIT 2019IT governance & management
- MITRE ATT&CKAdversary tactics & techniques
- STRIDEThreat-modeling taxonomy
- LINDDUN v3.0Privacy threat modeling
- IEC 62443Industrial / OT security series
Use it, adapt it, cite it.
Everything here is released under Creative Commons Attribution-ShareAlike 4.0 (CC BY-SA 4.0). Enterprises, Crown and public-sector bodies, regulated institutions, and smaller teams alike can adopt any part of it, adapt it to their own context, and put it to work internally and commercially. When you redistribute the material or an adaptation of it, you attribute the GRC Library as the source.
What ShareAlike means for you
The ShareAlike term applies when you publicly redistribute an adapted version of the corpus itself: that redistributed adaptation carries the same CC BY-SA 4.0 licence, so the shared commons stays open for everyone. It does not reach the internal, proprietary policies, systems, or content your organization derives from the corpus for its own use and does not publish. Those remain entirely yours.
The intent
ShareAlike exists here for one reason: so that broadly-useful improvements to this neutral, organization-agnostic corpus can flow back and benefit everyone who adopts it. If you develop general enhancements to the library itself, contributing them back is warmly encouraged. The organization-specific work you build on top, for your own operations, is yours to keep.
A plain-language summary, not a substitute for the licence, which governs.
Start from a template
Pick the quick-start, implementation-roadmap, or maturity self-assessment template and tailor it to your context.
Map your obligations
Follow the compliance matrices and framework alignments to trace a control to the standards and regulations it satisfies.
Adopt the whole programme
Use the adopter guide and decision tree to stand up a coherent GRC programme across every governance domain.