Compliance Operations, Risk & Evidence β ISO 27001 Β· ISO 27701 Β· ISO 27017 Β· ISO 27018 Β· ISO 42001
25 compliance assessment modules β click to expand
-Assessment_Tool-D32F2F?style=flat-square){kind=icon}
-Assessment_Tool-B71C1C?style=flat-square){kind=icon}
-Assessment_Tool-1A237E?style=flat-square){kind=icon}
-Assessment_Tool-B71C1C?style=flat-square){kind=icon}
-Assessment_Tool-4A148C?style=flat-square){kind=icon}
-Assessment_Tool-006630?style=flat-square){kind=icon}
-Assessment_Tool-003366?style=flat-square){kind=icon}
-Assessment_Tool-002395?style=flat-square){kind=icon}
Grows fast. Bends, doesn't break. Built to last. π
ISMS CORE is a production-grade control engineering platform for building and operating an information security management system. It treats compliance implementation as an engineering problem β not a consulting exercise.
New here? Read PARADIGM.md first β it explains how ISMS CORE differs from traditional ISMS approaches, how to choose between products, and what to expect.
ποΈ Framework
Full SSE engineering product for mature security teams and consultants. Governance policies, implementation guides, assessment scripts, generated workbooks β one complete pack per control. 53 control packs Β· 93 Annex A controls 
|
β‘ Operational
Foundation ISMS for SMEs (10β500 people). Operational policies with single-sheet compliance checklists. No engineering overhead β read the policy, run the checklist, done. 53 control groups Β· 53 OP-POL docs 
|
π Privacy
Privacy information management β controller, processor, and shared control groups for ISO 27701:2025. Pairs with Framework or Operational. 21 control groups Β· 23 PRIV-POL docs 
|
βοΈ Cloud
PII protection in public cloud β compliance checklists for cloud service providers processing PII on behalf of controllers. ISO 27018:2025 Annex A. 12 control groups Β· 12 CLD-POL docs 
|
π€ AI
AI management system β governance policies covering AI development, deployment, impact assessment, responsible use, and third-party AI relationships. 12 AI control groups Β· 12 AI-POL policies 
|
π₯οΈ Platform
Live compliance management system β turns all content products into dashboards, gap tracking, evidence ingestion, risk registers, and audit reports. Docker Compose, 10 services, self-hosted. 44 connectors Β· 25 assessment modules Β· 3,433 crosswalk objects / 44 axes 
|
This is not a framework reference or a checklist template library. Every control pack ships production-ready artifacts you open, adapt, and issue.
| Artifact | Format | What it is | Who uses it | Products |
|---|---|---|---|---|
| POL | Markdown | Governance policy document β what the control requires, who owns it, which standards apply. Set your org name, CISO, and effective date. Issue it. | ISMS Manager β Board / Staff | All five products |
| IMP-UG | Markdown | Implementation User Guide β how the ISMS Manager implements and operates the control. Roles, process steps, KPIs, review cycles. | ISMS Manager | Framework Β· Privacy Β· Cloud Β· AI |
| IMP-TG | Markdown | Implementation Technical Guide β step-by-step for the engineer. Commands, config snippets, vendor-specific notes, hardening checklists. | Security Engineer | Framework Β· Privacy Β· Cloud Β· AI |
| SCR | Python 3.11+ | Assessment generator β run python3 generate_*.py to produce a structured, formatted compliance evidence workbook. Single dependency: openpyxl. |
ISMS Manager β Auditor | All five products |
| WKBK | Excel (.xlsx) | Generated compliance workbook β per-control assessment items, evidence status, scoring, and auditor notes. Output of the SCR generator. Hand directly to your auditor. | Auditor / Control Owner | All five products |
| REF | Markdown | Reference extracts from the ISO standard text mapped to this control. Cross-references to adjacent and related Annex A controls. | ISMS Manager / Auditor | Framework |
| CTX | Markdown | Context document linking this control pack to adjacent and dependent control packs β for control stacking and dependency mapping. | ISMS Manager | Framework |
| FORM | Markdown | Ready-to-use templates: evidence collection forms, meeting agendas, approval records, risk acceptance forms. | ISMS Manager / Control Owner | Framework |
Example workflow β A.8.24 Use of Cryptography:
- Open
POL/β your organisation's cryptography policy, ready to sign and issue- Open
IMP/IMP-UG/β how to run a key management programme (KPIs, review cycle, ownership)- Open
IMP/IMP-TG/β TLS config, certificate lifecycle, HSM setup, vendor notes- Run
SCR/generate_a824_*.pyβ produces.xlsxassessment workbook- Hand the workbook to your auditor as structured compliance evidence
Prerequisites for generators: Python 3.11+, pip install openpyxl
This is for:
- Security teams building an ISMS wanting repeatable, auditable evidence
- Engineers who prefer automation + tests over "security theater"
- SMEs needing practical, audit-ready policies without over-engineering
- Organisations processing PII needing ISO 27701 controller/processor controls
- Cloud service providers needing ISO 27018 PII compliance
- Organisations developing AI systems needing ISO 42001 AIMS governance
- Consultants and auditors needing structured, traceable control packs
This is not for:
- "One-click compliance" expectations
- Legal interpretations of GDPR/DORA/NIS2 (use counsel)
- Running scripts you haven't reviewed (treat this like code)
Prerequisites: Python 3.11+, pip install openpyxl
# Browse the 53 control packs
cat isms-core-framework/CONTROLS.md
# Navigate to a control, read POL β IMP-UG β IMP-TG, then generate the workbook
cd isms-core-framework/A.8-technological-controls/isms-a.8.24-use-of-cryptography/SCR
python3 generate_a824_1_data_transmission_assessment.pycd isms-core-operational/A.5-organisational-controls/isms-a.5.1-2-information-security-policies/SCR
python3 generate_op_checklist_a512.pycd isms-core-privacy/privacy-controller/priv-a.1.2.2-5-lawful-basis-and-consent/SCR
python3 generate_priv_checklist_a1225.pycd isms-core-cloud/iso27018-pii-cloud/cld-a.11-information-security/SCR
python3 generate_cld_checklist_a11.py# Start with the AI governance foundation policy (available in EN, FR, DE, IT)
cat "isms-core-ai/00-ai-foundation-policies/ai-pol-01-aims-governance-and-decision-making/POL/AI-POL-01 - AIMS Governance and Decision-Making Framework.md"cd isms-core-platform
cp .env.example .env # Fill in HOST_IP, passwords, ADMIN_PASSWORD
docker compose up -d # COMPOSE_PROFILES=opensearch-single is set in .env.example
bash bootstrap.sh # One-shot: seeds all control groups, imports all content
# β Open https://{HOST_IP}Read PLATFORM.md for the full deployment guide, TLS options, connector setup, and Go-Live Checklist.
Login |
Home Dashboard |
Compliance Overview |
Connectors β Automated Evidence |
ISMS Compass (AI Gap Analysis) |
System Status |
Assessments & Collections |
Gap Register |
NIST CSF 2.0 Assessment |
NIS2 Assessment |
DORA Assessment |
BSI IT-Grundschutz Assessment |
Risk Register & Heatmap |
KPI Metrics & Audit Readiness |
EBIOS RM |
TPRM β Third-Party Risk |
MITRE ATT&CK |
CVE / CPE Explorer |
Show all 25+ framework integrations and crosswalk mappings
| Framework / Standard | What ISMS CORE provides | Status |
|---|---|---|
| ISO/IEC 27001:2022 | Full Annex A control packs (Framework + Operational) |  |
| ISO/IEC 27002:2022 | Implementation guidance integrated into IMP-TG documents |  |
| ISO/IEC 27701:2025 | Full Privacy Extension Pack β controller, processor, and shared controls |  |
| ISO/IEC 27018:2025 | Full Cloud Extension Pack β 12 Annex A control groups for PII in cloud |  |
| ISO/IEC 42001:2023 | Full AI Extension Pack β 12 AI control groups covering AIMS governance, impact assessment, responsible use, and third-party AI |  |
| NIST CSF 2.0 | Full assessment tool β 106 subcategories, tier 1β4 ratings, XLSX import/export, radar chart. ISO 27001 crosswalk. |  |
| NIST AI RMF 1.0 | Full assessment tool β 72 subcategories, 0β4 maturity; ISO 42001 crosswalk: 32 mappings, EU AI Act: 31 mappings | |
| NIS2 Directive (EU 2022/2555) | 10 Article 21 measures + 5 Article 23 obligations, maturity 0β4 |  |
| DORA (EU 2022/2554) | 25 articles across 4 chapters (ICT Risk, Incidents, Testing, TPRM), maturity 0β4 |  |
| CIS Critical Security Controls v8 | 153 safeguards across 18 controls, maturity 0β4 |  |
| BSI IT-Grundschutz Kompendium | 68 Bausteine across 10 layers, maturity 0β4. Crosswalk: ISO 27001βBSI (115), ISO 27701βBSI (103), ISO 27018βBSI (51) |  |
| CSRM (Swiss NCSC, 2025) | Object-centric module β IT Protection Objects, 20 NIST CSF 2.0 baseline requirements, binary status, 6 Control Objectives |  |
| TISAX / VDA ISA 6.0 | 53 requirements across 12 domains, maturity 0β4 |  |
| Swiss nDSG 2023 | 25 provisions across 6 chapters, maturity 0β4 |  |
| Swiss ISG (SR 128, 2024) | 27 requirements across 8 sections, 24h cyberattack reporting; ISO 27001 crosswalk: 40 mappings |  |
| EU Cyber Resilience Act (2024/2847) | 26 essential requirements across 6 groups, maturity 0β4 |  |
| EU AI Act (2024/1689) | 25 articles across 6 groups (Risk Mgmt, Data Governance, Transparency, Human Oversight, Robustness, Accountability), maturity 0β4 |  |
| EU Cloud Sovereignty Framework (v1.2.1) | 8 Sovereignty Objectives (SOV-1 to SOV-8), SEAL-0 to SEAL-4 scoring, weighted Sovereignty Score |  |
| COBIT 2019 | 40 governance/management objectives, capability scoring 0β4 |  |
| CyberFundamentals (BE) | 41 NIST CSF 2.0 aligned practices, maturity 0β4; ISO 27001 crosswalk: 107 mappings | |
| BaFin BAIT (DE) | 23 requirements across 12 modules, maturity 0β4; ISO 27001 crosswalk: 69 mappings | |
| CSSF 20-750 (LU) | 19 requirements across 7 domains, maturity 0β4; ISO 27001 crosswalk: 47 mappings |  |
| ACN Guidelines (IT) | 19 guidelines across 4 groups, maturity 0β4; ISO 27001 crosswalk: 43 mappings |  |
| UK NIS Regulations | 13 requirements across 3 objectives, maturity 0β4; ISO 27001 crosswalk: 51 mappings | |
| UK Operational Resilience | 12 requirements across 4 objectives, maturity 0β4; ISO 27001 crosswalk: 34 mappings |  |
| NCSC CAF v4.0 (UK) | 41 Contributing Outcomes across 14 Principles and 4 Objectives β outcome-based; ISO 27001 crosswalk: 65 mappings |  |
| ReCyF v2.5 β France NIS2 (ANSSI) | 20 Security Objectives across 4 pillars (Gouvernance / Protection / DΓ©fense / RΓ©silience) β French NIS2 transposition (Loi 2024-449); ISO 27001 crosswalk: 50 mappings |  |
| FINMA | Assessment module | |
| NIST SP 800-53 Rev. 5 | Security control cross-mapping |  |
| MITRE ATT&CK v19 | Threat technique mapping (Enterprise / ICS / Mobile) β 697 techniques across 15 tactics, EPSS + CISA KEV correlation. |  |
| MITRE ATLAS | AI/ML adversarial threat techniques |  |
| ENISA EUVD | European Vulnerability Database β exploited + critical CVEs; daily feed; EUVD Explorer + cross-enrichment of NVD CVE index with in_euvd flag |
 |
| Exploit-DB | Daily exploit database (~52K entries) β cross-referenced to NVD CVE by CVE ID; adds edb_id, edb_verified (Metasploit module flag), edb_description to matching CVEs. EDB/EDBβ chips in CVE Explorer; EDB-only filter. |
 |
| CIRCL MISP OSINT Feed | Public MISP feed (Luxembourg) β 6-hourly manifest delta; 100K+ IOCs (IPs, domains, URLs, hashes) cross-enriched with ATT&CK TIDs, Malpedia family slugs, actor slugs at ingest |  |
| Botvrij MISP OSINT Feed | Public MISP feed (Botvrij.eu) β 6-hourly manifest delta; deduplicated against CIRCL by IOC value + source | |
| AbuseIPDB | Daily blacklist (top 10K confidence=100 IPs); on-demand single-IP enrichment with 24h cache; OpenSearch ti-abuseipdb-blacklist index |
|
| Malpedia | Weekly malware knowledge base β families (aliases, ATT&CK TIDs), threat actors (country, motivation); links IOCs to malware + actor attribution | |
| URLhaus | Daily malware download URL feed (abuse.ch) β URLs, associated payload hashes; ti-urlhaus OpenSearch index |
|
| ThreatFox | Daily malware IOC feed (abuse.ch) β IPs, domains, URLs, hashes with confidence scores and malware family labels; requires THREATFOX_API_KEY |
|
| SSL Blacklist (SSLBL) | Daily SSL certificate blacklist (abuse.ch) β SHA1 fingerprints of certificates used by malware C2 infrastructure; ti-sslbl index |
|
| MalwareBazaar | Daily malware sample hash feed (abuse.ch) β MD5/SHA1/SHA256 hashes with family classification; requires MALWAREBAZAAR_API_KEY |
|
| Feodo Tracker | Daily C2 IP blacklist (abuse.ch) β Emotet, QakBot, TrickBot, Dridex botnet command-and-control IPs; confidence 85; ti-feodotracker index |
|
| AlienVault OTX | Daily Open Threat Exchange pulses β IOCs with TLP labels (WHITE/GREEN/AMBER/RED), ATT&CK TIDs, and confidence scores derived from pulse subscriber count; requires OTX_API_KEY |
|
| Red Flag Domains | Daily suspicious newly-registered domain feed β ti-red-flag-domains index |
|
| Stopforumspam | Daily spammer IP/email/username database β ti-stopforumspam index |
|
| VirusTotal enrichment | Daily IOC confidence enrichment β queries existing IOCs against VT v3 API, updates confidence scores based on AV engine detection ratios; free tier (~500 req/day); requires VT_API_KEY |
|
| EU GDPR / Swiss DSG | Security and privacy control mapping, operational checklists |  |
"The first principle is that you must not fool yourself β and you are the easiest person to fool." β Richard Feynman
| Cargo Cult | ISMS CORE | |
|---|---|---|
| β | Impressive policies nobody reads | β Controls that actually work |
| β | Made-up compliance numbers | β Evidence that proves effectiveness |
| β | Security theater for audits | β Metrics that measure real security |
| β | PowerPoints instead of controls | β Automation that enforces compliance |
See PHILOSOPHY.md for the full methodology.
Every control pack undergoes a structured multi-stage validation before promotion to this repository:
ββββββββββββββββββββ βββββββββββββββββββββββββ ββββββββββββββββββββββββ
β Claude Code ββββββΆβ ISMS QA Engine ββββββΆβ The ISMS Core β
β (Build + QA) β β Existence + Keyword + β β Project (Final) β
β β β Semantic 3-layer check β β β
ββββββββββββββββββββ βββββββββββββββββββββββββ ββββββββββββββββββββββββ
All 188 Framework generators, 53 Operational policies, 21 Privacy control groups, 12 Cloud control groups, and 12 AI control groups carry QA_VERIFIED markers confirming a full QA pass.
See CONTRIBUTING.md for detailed QA standards.
| Product | Control groups | Key artifacts | Languages | Version |
|---|---|---|---|---|
| ποΈ Framework | 53 / 53 | 376 IMPs Β· 188 generators Β· 188 workbooks | EN FR DE IT | |
| β‘ Operational | 53 / 53 | 53 OP-POL Β· 53 checklist generators | EN FR DE IT | |
| π Privacy | 21 / 21 | 23 PRIV-POL Β· 42 IMPs Β· 21 generators | EN FR DE IT | |
| βοΈ Cloud | 12 / 12 | 12 CLD-POL Β· 24 IMPs Β· 12 generators | EN FR DE IT | |
| π€ AI | 12 / 12 | 12 AI-POL Β· 20 IMPs Β· 10 generators | EN FR DE IT | |
| π₯οΈ Platform | 99 total | 44 connectors Β· 25 assessments Β· 3,433 mappings / 44 axes | 7 jurisdictions |  |
See STRUCTURE.md for the complete repository map with per-folder and per-artifact-type explanations.
| Document | Description |
|---|---|
| PARADIGM.md | π§ Product overview and paradigm shift guide β start here |
| PLATFORM.md | π₯οΈ Platform architecture, features, and full deployment guide (includes Docker Compose quick-start) |
| STRUCTURE.md | π Repository map β all folders and artifact types explained |
| COMPLIANCE.md | π All 25 compliance assessment modules β coverage notes, gaps, audience |
| isms-core-framework/CONTROLS.md | π Framework control pack index (53 packs) |
| isms-core-framework/COVERAGE.md | πΊοΈ 93 Annex A controls β 53 pack mapping |
| isms-core-framework/STACKING.md | π Control grouping methodology |
| PHILOSOPHY.md | |
| CONTRIBUTING.md | π§ QA process and standards |
| SECURITY.md | π Vulnerability reporting policy |
- Vulnerability reporting: Report security issues to info@isms-core.com (subject: "ISMS CORE Security")
- Safe usage: Review scripts before execution. Run in a virtual environment. Treat generated artifacts as sensitive until proven otherwise.
- No secrets: Do not commit credentials, tokens, private keys, or customer data to this repository or to generated workbooks.
Dual-licensed:
- AGPL-3.0 for open-source use β see LICENSE
- Commercial license for organisations that cannot comply with AGPL obligations
Commercial licensing: info@isms-core.com
The ISMS Core Project
Copyright Β© 2025β2026 The ISMS Core Project. All rights reserved.
Where bamboo antennas actually work. π