IT Governance

Ready-to-use industry IT standards, frameworks, and best practices.

Get your content suite now

Contact us now for a no-obligation review of how content suites can accelerate your ACL experience.

Designed for IT audit, risk and compliance professionals.

With thousands of industry standards, internal policies, and regulatory requirements to track, keeping on top of compliance can be daunting. Add the growing risk of penalties, brand damage, and personal liability, and it is clear how important it is to maintain up-to-date, accurate compliance records. ACL's curated content subscription integrates common frameworks and delivers automated updates for IT risk and compliance management, making it easier to minimize risk exposure and collaborate with your front line.

Included in the Content For IT Governance

Browse by toolkit

A toolkit is a curated set of tools aimed at addressing one area of risk or compliance.

For example, a toolkit might include a set of data analytics, a risk control framework, and a best practices program.

General IT Compliance Toolkit

Cybersecurity, privacy, ITGC, vendor oversight... sigh. Get a handle on your framework, controls, and policies through our ready-built tools for IT standards and frameworks.

  • Last updated November 2, 2017

    The Cloud Security Alliance® (CSA) Cloud Controls Matrix (CCM) provides organizations with fundamental security principles and a controls framework to guide cloud vendors and prospective customers in assessing the overall security risk of a cloud provider. © Copyright 2015-2016 Cloud Security Alliance - All rights reserved.
  • Last updated January 11, 2018

    The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. The GDPR sets requirements for protecting personal data, meaning any information relating to an identified or identifiable natural person, such as names, account details, or online identifiers. It was created to reshape the way organizations approach data privacy.

    Official Journal of the European Union. EU publications are all freely available for download at http://eur-lex.europa.eu/. Except where otherwise stated, reuse of EUR-Lex data for commercial or non-commercial purposes is authorised.

  • Last updated October 31, 2017

    Payment Card Industry Data Security Standard (PCI DSS) is a framework that provides a baseline of technical and operational requirements designed to protect cardholder data. It was developed to encourage and enhance cardholder data security and to increase the adoption of consistent data security measures on a global scale.

    Portions of this product are provided courtesy of PCI Security Standards Council, LLC ("PCI SSC"). ©[2006-2016] PCI Security Standards Council, LLC. All rights reserved. PCI SSC does not endorse this product, its provider or the methods, procedures, statements, views, opinions or advice contained herein. All references to documents, materials or portions thereof made available by PCI SSC ("PCI Materials") should be read as qualified by the actual PCI Materials. For questions regarding PCI Materials, please contact PCI SSC through its web site at https://www.pcisecuritystandards.org.

NIST Toolkit

Cybersecurity is a concern for every organization today. The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has developed a framework of standards, guidelines, and practices to promote the protection of critical infrastructure. Take advantage of our tools, curated to help you manage your cybersecurity-related risks.

  • Last updated October 31, 2017

    The NIST Framework for Improving Critical Infrastructure Cybersecurity enables organizations to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework uses common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. Because it references globally recognized standards for cybersecurity, the Framework can be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure.

    U.S. Department of Commerce: National Institute of Standards and Technology (NIST). NIST publications are all freely available for download at http://csrc.nist.gov/. As a work of the U.S. government, this product is not subject to copyright protection.
  • Last updated October 31, 2017

    NIST SP 800-53 Privacy Controls provide a structured set of controls for protecting privacy and serve as a roadmap for organizations to use in identifying and implementing privacy controls across the entire life cycle of PII (personally identifiable information), whether in paper or electronic form. The controls focus on information privacy as a value distinct from, but highly interrelated with, information security.

    U.S. Department of Commerce: National Institute of Standards and Technology (NIST). NIST publications are all freely available for download at http://csrc.nist.gov/. As a work of the U.S. government, this product is not subject to copyright protection.
  • Last updated October 31, 2017

    NIST SP 800-53 Program Management Controls focus on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.

    U.S. Department of Commerce: National Institute of Standards and Technology (NIST). NIST publications are all freely available for download at http://csrc.nist.gov/. As a work of the U.S. government, this product is not subject to copyright protection.
  • Last updated October 31, 2017

    NIST SP 800-53 Security Controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information.

    U.S. Department of Commerce: National Institute of Standards and Technology (NIST). NIST publications are all freely available for download at http://csrc.nist.gov/. As a work of the U.S. government, this product is not subject to copyright protection.

    The Federal Risk and Authorization Management Program, or FedRAMP (also included in scope), is a U.S. government program that standardizes how the Federal Information Security Management Act (FISMA) applies to cloud computing services. It provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud-based services.

    U.S. General Services Administration (GSA): Federal Risk and Authorization Management Program (FedRAMP). As a work of the U.S. government, this product is not subject to copyright protection.


ISO 2700X Toolkit

The ISO/IEC 27000 series comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Incorporate information security management best practices within the context of an overall information security management system (ISMS) to cover the risks related to privacy, confidentiality, and technical cybersecurity issues.

  • Last updated October 31, 2017

    International Standard ISO/IEC 27001:2013 Information Security Management Systems - Requirements provides requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time. ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. © ISO. All rights reserved.
  • Last updated October 31, 2017

    International Standard ISO/IEC 27002:2013 Code of Practice for Information Security Controls is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001 or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s). ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. © ISO. All rights reserved.

HIPAA Compliance Toolkit

The Health Insurance Portability and Accountability Act (HIPAA) sets the standards for protecting sensitive patient data. Organizations in the healthcare industry must implement and follow safeguards that protect the privacy and security of any protected health information (PHI) they handle. Manage the risks and requirements for HIPAA compliance directly with ACL.

  • The Healthcare - Provider Enterprise Risks are used by companies in the healthcare vertical to identify the top risks that may affect their organization. These enterprise risks were taken from the 10-K reports of top healthcare companies in the S&P 500. As a required SEC filing, 10-K reports are publicly available online.
  • Last updated October 31, 2017

    The Health Insurance Portability and Accountability Act was created to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

    U.S. Department of Health & Human Services (HHS): Title 45, Subtitle A, Subchapter C, Parts 160, 162 and 164. As a work of the U.S. government, this product is not subject to copyright protection.

  • Last updated November 17, 2017

    The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). Although the Federal Information Security Management Act (FISMA) applies to all federal agencies and all information types, only a subset of agencies are subject to the HIPAA Security Rule based on their functions and use of EPHI. All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.

    U.S. Department of Commerce: National Institute of Standards and Technology (NIST). NIST publications are all freely available for download at http://csrc.nist.gov/. As a work of the U.S. government, this product is not subject to copyright protection.

Not what you were looking for? Explore more content suites

Banking & Lending

  • AML/ATF Compliance Toolkit
  • EFT Risk Toolkit
  • Banking Op Risk Toolkit
  • And more

Governments & Higher Education

  • Grants Management Toolkit
  • OMB A-123 Toolkit
  • Government IT Compliance Toolkit
  • And more

Financial Control Monitoring

  • Accounts Payable Toolkit
  • Vendor Management Toolkit
  • Human Resources Management Toolkit
  • And more

Subscription Value

  • GRC Subscription Value Toolkit
  • Analytics Subscription Value Toolkit
  • And more