Risk and Compliance Frameworks

OneTrust GRC supports a variety of leading industry risk and compliance frameworks. Streamline data setup and ongoing maintenance by leveraging pre-seeded control records from leading risk and compliance frameworks. Organizations can build a risk management program in line with their GRC strategy and business objectives.



Managing digital risk continues to expand as a top-line initiative for organizations, as the amount of data and digital assets expands with operations.

Leverage OneTrust GRC to support security, risk, and compliance frameworks across a flexible control structure that is integrated across departments and risk domains including IT & Security Risk Management as well as Vendor Risk Management. Classify your critical assets, track data exchanges, as well as map your threats and vulnerabilities to identify risk across IT systems and vendor relationships. Link control records to your security policy and integrate them into internal audits to measure the effectiveness and propose recommendations including corrective action plans.

Operationalize Your Security Program: OneTrust GRC Solutions for Information Security.

ISO 27001 & ISO 27002

ISO 27001 is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). One of the most widely known and globally adopted standards within the ISO catalog of frameworks, ISO 27001 provides specific guidance and security controls for processing financial information, intellectual property, employee details, or information entrusted to you by third parties.

ISO 27002 is a variation of 27001 for institutions to implement select controls to establish an Information Security Management System (ISMS) based on ISO/IEC 27001. ISO 27002 provides in-depth detail around control objectives to help organizations best implement the framework within their unique operations.

Learn more about OneTrust GRC for ISO Compliance.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC), published in January 2020 by the United States Department of Defense, establishes a new method to evaluate vendor cybersecurity programs by measuring both the technical controls in place and the ongoing processes to review and improve those practices.

Learn more about OneTrust and The CMMC

NIST 800-53 & NIST CSF

NIST 800-53 is published by the National Institute of Standards and Technology (NIST). NIST 800-53 documents a robust catalog of security and privacy controls and objectives designated for U.S. federal information systems, to support best-in-class cybersecurity standards.

Learn more about Securing Information Systems with NIST 800-53.

The NIST Cybersecurity Framework (CSF) consists of standards, guidelines, and practices. NIST CSF builds on existing frameworks (including NIST 800-53 and ISO 27000) but offers a focused scope of controls alongside a thorough explanation written in common language suited for non-technical executives or line-of-business individuals.

Learn more about Improving Cybersecurity Posture with the NIST Cybersecurity Framework.


Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS)

EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité – Expression of Needs and Identification of Security Objectives) is a French information security framework that is published and maintained by Agence nationale de la sécurité des systèmes d’information – The National Cybersecurity Agency of France (ANSSI) under the French Prime Minister. The EBIOS framework was primarily developed for organizations working directly with the Defense Ministry to reduce risk and secure the handling of confidential or sensitive information. Today, the risk and compliance framework can be applied to any public or private organization as a core framework or in conjunction with existing information security programs.


Developed and published by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five core principles: security, availability, processing integrity, confidentiality, and privacy.

Organizations can define their set of Service and Organization Controls (SOC), embed controls into their corporate policies, and audit both effectiveness and design to evaluate how well the control model meets the five principles according to business operations.


Cloud Computing

Enterprise operations have a significant digital footprint, and it is more important now than ever to ensure your SaaS hosting providers and vendors support best-in-class cloud practices.

Leverage OneTrust to document and track data flows across your cloud and SaaS providers to identify your regulatory obligations, and leverage automated assessment technology to engage and confirm controls are executed through your third-party relationships.


The Federal Risk and Authorization Management Program (FedRAMP) works towards keeping cloud services, and the data that government agencies use, secure for any vendor doing business with the United States Government.

Learn more about Securing Cloud Products and Services with FedRAMP.

Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)

The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. The assessment aims to standardize documented security controls in IaaS, PaaS, and SaaS solutions.

Organizations can leverage OneTrust's automated assessment technology to survey cloud providers and dynamically validate control records or flag risk based on real-time responses.

ISO 27018

ISO 27018 builds on the foundational controls of ISO 27002 specific to personal data in the cloud and provides guidance on best practices to secure information. 


Privacy regulations and compliance frameworks have created new processes and considerations for business on a global scale to ensure that personal data is protected.

OneTrust Privacy Management encompasses a suite of products to help privacy programs comply with global privacy regulations. Realize the extent of your privacy risk through thorough OneTrust DataDiscovery, classification, and tracking of data flows inside and outside of the organization. Uphold individual privacy rights and manage consent across all channels with up-to-date privacy policies, dynamic cookie banners, centralized preference centers, and detailed consent profiles.



The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities (i.e., health care providers, health plans, and health care clearinghouses) to implement specific controls for privacy and security practices to safeguard individuals’ protected health information (PHI). The regulation also details requirements for notification in the event that PHI is compromised by a data breach.

ISO 27701

ISO 27701 is an extension of the security frameworks ISO/IEC 27001 and ISO/IEC 27002. The extension provides general guidance that can be applied to any type or size of business. The standard outlines requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

NIST Privacy Framework V1.0

The NIST Privacy Framework is a voluntary tool developed as a companion control framework to NIST cybersecurity. It is intended to help organizations identify and manage privacy risk so they can build innovative products and services while protecting individuals’ privacy.

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR), the most comprehensive privacy law to date institutes data protections for all EU residents to limit the use and ensure transparent processes businesses processing  

California Consumer Protection Act

California Consumer Protection Act, the first large-scale privacy legislation in the United States, is aimed at regulating how businesses use personal data to target and sell to California consumer residents.

Regional Privacy Laws

OneTrust supports privacy legislation on a global scale, including:

  • General Data Protection Regulation (EU GDPR)
  • Thailand’s Personal Data Protection Act (PDPA)
  • Brazil’s General Data Protection Law (LGPD)
  • California Consumer Protection Act (CCPA)
  • Nevada’s Privacy Law

To learn more about how the OneTrust platform supports localized privacy regulations and about our Privacy solutions, visit OneTrust.com.

SCHREMS II Solutions

On July 16, 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield as a lawful mechanism to transfer personal data and determined that Standard Contractual Clauses (SCC) will require stricter considerations of the destination jurisdictions moving forward. The additional SCC-related obligations will also apply to binding corporate rules (BCRs) according to the European Data Protection Board.

OneTrust SCHREMS II Solutions

Ethics & Corporate Compliance

In recent years a number of regulations have been published to protect employees and public interest, establish channels of accountability, and promote positive cultural impacts. These frameworks and best practices are supported by OneTrust GRC through control frameworks, whistleblower hotlines, policy management, awareness training, and more.

UK Anti-Bribery Act

The UK’s Anti-Bribery Act 2010 has a broad application across companies incorporated in the United Kingdom as well as individuals who are British citizens or primarily reside in the United Kingdom. The regulation designates increased liability for companies and leadership, outlining four primary offenses. Organizations can leverage OneTrust’s Policy Management and dynamic control records to ensure that they have strong, up-to-date, and effective anti-bribery policies and practices.

EU Whistleblower Directive

The EU Whistleblower Directive outlines a consolidated guideline for companies to provide the proper reporting channels to both internal resources and external (public) authorities, as well as support or protections for individual reporters and stakeholders who support reporting activities. The scope of the directive expands previous regulatory protection in terms of both who and what categories of reporting qualify for protection.

U.S. Department of Justice: Evaluation of Corporate Compliance Programs

The U.S. Department of Justice (DOJ) Criminal Division updated its Evaluation of Corporate Compliance Programs guidelines in June 2020. While these guidelines are intended for use by DOJ prosecutors, many corporations can and should leverage the insights to evaluate and assess their compliance programs’ adequacy and effectiveness. OneTrust helps operationalize these best practices across policy management, Third-Party Risk, IT & Security Risk Management, Awareness Training, and Audit Management.

Learn more about OneTrust GRC and DOJ’s Corporate Compliance Guidelines.

Financial Services

Financial services are among the most heavily regulated industries, with both government authorities and industry associations instituting best practices.

OneTrust supports the implementation of the following control frameworks through control management, embedding into your corporate policies and testing through audit projects.

Download the OneTrust GRC for Finance Datasheet.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard designates requirements to process, store, or transmit credit card data. The PCI Security Standards Council maintains and updates the standard in line with feedback from key industry members. The council was founded and is managed by leading credit card brands including American Express, Discover, JCB International, MasterCard, and Visa Inc.

PCI DSS outlines the technical and operational requirements for businesses accepting or processing payment transactions, as well as for technology companies such as software developers and manufacturers of processing hardware used in those transactions.

Learn more about Securing Cardholder Data Environments with PCI DSS.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX), one of the initial regulatory frameworks that defined and helped institute GRC as a discipline, is designed to provide transparency and reduce the chance or opportunity for fraud in the public sector for companies operating in the United States.

Senior Managers Certificate and Regime

The Senior Managers & Certification Regime expanded to apply to a broader scope of financial service firms. The regulation requires documentation and approval for senior management roles and designates personal accountability for wrongdoing and malicious behavior.

Cross-Framework Support

Leverage controls from providers who continuously maintain and update records based on the latest versions and information across leading industry and compliance frameworks. OneTrust supports any licensed content pack that your organization subscribes to.

Control Objectives for Information Technologies (COBIT)

Control Objectives for Information Technologies (COBIT 5) is a framework developed by ISACA (Information Systems Audit and Control Association) and used to support proper governance across IT Risk and Assurance. COBIT aims to go beyond just control management by providing the control framework, process descriptions, common terminology translations for non-technical stakeholders, control objectives, maturity models to identify gaps, and management guidelines to support the distribution of best practices across your organization.

Athena AI-Driven Control Management

Powered by Athena AI, OneTrust GRC’s flexible control structure enables businesses to track control practices across risk domains and frameworks for holistic compliance reporting.

  • Leverage out-of-the-box control frameworks from ISO, NIST, & more
  • Map controls across leading frameworks and policy requirements
  • Track control maturity and distribution across your organization
  • Audit control implementations against master control record

OneTrust Control Management 
