Comment by Terretta
7 hours ago
> I'm working on an open source project for security policies/processes/standards that map back to underlying frameworks (e.g. SOC 2, GDPR, ISO 27001, etc.) Docs are Markdown with YAML frontmatter metadata, interlinks generated automatically, site is published via GitHub actions.
> Would love to know if others find it useful or have built similar systems.
Yes, to both for over a decade now, and by now there are many so one doesn't need to rewalk the whole path, some are developed in open on GitHub.
Commercial firms have built on that for live monitoring of the mappings, although don't scratch at that too hard, it's generally mostly (a) self-selected subsets of controls, and (b) manually self-reported at the end of the day.
Product examples: https://delve.co or https://safebase.io/products/trust-center
Applied example: https://trust.openai.com
Have you Googled this or talked to large firms (e.g. banks) that care about avoiding footfalls with regularly scheduled regulator exams? Writing your own shows you grok the concept, many need (well paid!) help applying something off the shelf or from OSS.
In my research I haven’t come across the prior art you suggest exists. The trust centers you linked aren’t fungible with what I’m building with GraphGRC. The idea is to make all your security docs just a GitHub repo with structured markdown that permits useful automation (e.g. generating linked internal site, validating all docs have been “reviewed” annually by checking metadata, change control via PR, etc.)
There are plenty of GRC products out there and are popular for good reasons, but I don’t think any of them are Git/Markdown/developer-first.