Risk and Compliance Frameworks

OneTrust GRC supports a variety of leading industry risk and compliance frameworks. Streamline data set up and ongoing maintenance by leveraging pre-seeded control records from leading risk and compliance frameworks. Organizations can build a risk management program in line with their GRC strategy and business objectives.



Managing digital risk continues to expand and be a top-line initiative for organizations, and the amount of data and digital assets expand with operations.

Leverage OneTrust GRC to support security, risk, and compliance frameworks across a flexible control structure that is integrated across departments and risk domains including IT & Security Risk Management as well as Vendor Risk Management. Classify your critical assets, track data exchanges, as well as map your threats and vulnerabilities to identify risk across IT systems and vendor relationships. Link control records to your security policy and integrate them into internal audits to measure the effectiveness and propose recommendations including corrective action plans.

Operationalize Your Security Program OneTrust GRC Solutions for Infomation Security.

ISO 27001 & ISO 27002

Published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC) ISO 27001, one of the most widely known and globally adopted standards within the ISO catalog of frameworks, 27001 provides specific guidance and security controls for processing financial information, intellectual property, employee details or information entrusted to you by third parties.

ISO 27002 a variation of 27001 for institutions to implement select controls to establish an Information Security Management System (ISMS) based on ISO/IEC 27001; ISO 27002 provides in-depth detail around control objectives to help organizations best implement the framework within their unique operations.

Learn more about OneTrust GRC for ISO Compliance.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) published, in January 2020 by the United States Department of Defense, establishes a new method to evaluate vendor cybersecurity programs by measuring both technical controls in place as well as ongoing processes to review and improve practices in place.  

Learn more about OneTrust and The CMMC

NIST 800-53 & NIST CFS

NIST 800-53 is published by the National Institute of Standards and Technology (NIST). NIST 800-53 documents a robust catalog of security and privacy controls and objectives designated for U.S. federal information systems,  to support best in class cybersecurity standards.

NIST Cybersecurity Framework (CSF) consists of standards, guidelines, and practices NIST CSF builds on existing frameworks (including NIST 800-53, ISO 27000) but offers a focused scope of controls alongside a thorough explanation written in common language suited for non-technical executives or line of business individuals.




Developed and published by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five core principles security, availability, processing integrity, confidentiality, and privacy.

Organizations can define their set of Service and Organization Controls (SOC), embed controls into their corporate policies, audit effectiveness as well as design to evaluate how well the control model meets the five principals according to business operations.


Cloud Computing

Enterprise operations have a significant digital footprint, and it is more important now than ever to ensure your SaaS hosting providers and vendors support best in class cloud practices.

Leverage OneTrust to document and track data flows across your cloud and SaaS providers to identify your regulatory obligations and leverage automated assessment technology to engage and confirm controls are executed through your third party relationships.


Federal Risk and Authorization Management Program work towards keeping cloud services and the data that those agencies use secure for any vendor doing business with the United States Government.

Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)

Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. The Assessment aims to standardize documented security controls in IaaS, PaaS, and SaaS solutions.

Organizations can leverage OneTrusts automated assessment technology to survey cloud providers and dynamically validate control records or flag risk based on real-time responses.

ISO 27018

ISO 27018 builds on the foundational controls of ISO 27002 specific to personal data in the cloud and provides guidance on best practices to secure information. 


Privacy regulations and compliance frameworks have created new processes and considerations for business on a global scale to ensure that personal data protected.

OneTrust Privacy Management encompasses a suite of products to help privacy programs comply with global privacy regulations. Realize the extent of your privacy risk through thorough OneTrust DataDiscovery,  classification, and tracking data flows inside and outside of the organization. Uphold individual privacy rights and manage consent across all channels with up to date privacy policies, dynamic cookie banners, centralized preference centers, and detailed consent profiles.



The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities (i.e., health care providers, health plans, and health care clearinghouses). HIPPA mandates specific controls for privacy and security practices to safeguard individuals’ protected health information (PHI) the regulation also details requirements for notification in the event that PHI is compromised by a data breach.

ISO 27701

ISO 27701 is an extension of security frameworks ISO/IEC 27001 and ISO/IEC 27002 . The extension provides general guidance that can be applied to any type or size of business. The standard outlines requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS)

NIST Privacy Framework V1.0

The NIST Privacy Framework is a voluntary tool developed as a companion control framework to NIST cybersecurity intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR), the most comprehensive privacy law to date institutes data protections for all EU residents to limit the use and ensure transparent processes businesses processing  

California Consumer Protection Act

California Consumer Protection Act, the first large scale privacy legislation in the United States aimed at regulating how businesses use personal data to target and sell to California consumer residents.   

Regional Privacy Laws

OneTrust support Privacy legislation on a global scale including:

  • General Data Protection Regulation (EU GDPR)
  • Thailand’s Personal Data Protection Act (PDPA)
  • Brazil’s General Data Protection Law (LGPD)
  • California Consumer Protection Act (CCPA)
  • Nevada’s Privacy Law

To learn more about how the OneTrust platform support localized Privacy regulations visit OneTrust.com to learn more about our Privacy solutions.


In recent years a number of regulations have been published to protect employees and public interest, establish channels of accountability, and promote positive cultural impacts. These frameworks and best practices are supported by OneTrust GRC through control frameworks, whistleblower hotlines, policy management, awareness training, and more.

UK Anti-Bribery Act

The UK’s Anti-Bribery Act 2010 has a broad application across companies incorporated in the United Kingdom as well as individuals who are British citizens or primarily reside in the United Kingdom. The regulation designates increased liability for companies, and leadership – outlining four primary offenses, organizations can leverage OneTrust’s Policy Management and dynamic control records to ensure sure that they have strong, up-to-date, and effective anti-bribery policies and practices.

EU Whistleblower Directive

The EU whistleblower directive outlines a consolidated guideline for companies to provide the proper channels to both internal resources and external (public) authorities as well as support or protections to individual reporters and stakeholders who support reporting activities. The scope of the directive expands previous regulation protection in both who and what categories of reporting qualify for protection.

Financial Services

Financial services are among the most heavily regulated industries from both government authorities and industry associations instituting best practices.

OneTrust supports the implementation of the following control frameworks through control management, embedding into your corporate policies and testing through audit projects.

Download the OneTrust GRC for Finance Datasheet.

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard designates requirements to process, store, or transmit credit card data. The PCI Security Standards Council maintains and updates the standard in line with feedback from key industry members. The council was founded and is managed by leading credit card brands including American Express, Discover, JCB International, MasterCard, and Visa Inc.  

PCI DSS outlines the technical and operational requirements for businesses accepting or processing payment transactions, as well as for technology companies such as software developers and manufacturers of processing hardware used in those transactions.

Sarbanes-Oxley Act (SOX)

Sarbanes-Oxley Act (SOX) one of the initial regulatory frameworks that defined and helped institute GRC as a discipline, is designed to provide transparency and reduce the chance or opportunity for fraud in the public sector for companies operating in the United States.

Senior Managers Certificate and Regime

Senior Managers & Certification Regime expanded to apply to a broader scope of financial service firms. The regulation requires documentation and approval for senior management roles and designates personal accountability for wrongdoing and malicious behavior.

Cross-Framework Support

Leverage controls from providers who continuously maintain and update records based on the latest versions and information across leading industry and compliance frameworks. OneTrust supports any licensed content pack that your organization subscribes to.

Unified Control Framework (UCF)

UCF’s Common Controls Hub maintains an out-of-box collection of control records mapped across various regulatory demands and compliance frameworks for businesses to apply a unique mix of controls based on the regulatory demands specific to their operations.


Control Objectives for Information Technologies (COBIT)

Control Objectives for Information Technologies (COBIT 5), a framework developed by ISACA (Information Systems Audit and Control Association) used to support proper governance across IT Risk and Assurance. COBIT aims to go beyond just control management by providing the control framework, process descriptions common terminology translations for non-technical stakeholderscontrol objectivesmaturity models to identify gaps, and management guidelines to support the distribution of best practices across your organization.