💡 This simulates the create_gap_assessment, update_control_status, and generate_remediation_roadmap tools. Click any control to cycle its status. Gap summaries are available as the iso27001://assessments/{id}/gap-summary resource.
Status counters: Implemented · Partial · Not Implemented · Not Started
Compliance Score (weighted by implementation status): overall percentage compliant, with the share of Implemented, Partial and Not Implemented controls
Controls: click a control to cycle its status
💡 Simulates create_risk, list_risks, and create_treatment_plan. Risk score = likelihood × impact (1–5 scale). The risk heatmap and summary are available via the iso27001://risks/summary resource.
Risk Heatmap: 5×5 likelihood × impact matrix (likelihood on one axis, impact from low to high on the other). Score bands:
Low ≤4
Medium 5–9
High 10–14
Critical ≥15
Risk Summary: number of risks per band (Critical, High, Medium, Low) and the top risk by score
Risk Register: click a risk to view its treatment plan
💡 Simulates the create_policy tool. Policies are rendered from ISO 27001-aligned Mustache templates with your organisation's details.
Policy Details: fill in the form and click Generate Policy.
Policy Output: rendered from an ISO 27001-aligned Mustache template, producing a complete ISO 27001-aligned policy document.
💡 All 50 tools exposed by the MCP server. Each tool requires a valid API key. Role requirements: viewer (read-only, 18 tools), analyst (36 tools), admin (all 50 tools).
💡 Simulates create_procedure, list_procedures, and update_procedure. Select a procedure type, fill in your org details, and click Generate to render a full ISO 27001-aligned operating procedure document.
Procedure Details: select a Procedure Type, one of the 12 ISO 27001 operating procedures:
Incident Handling
Access Provisioning
Backup & Restore
Change Management
Vulnerability Management
Supplier Onboarding
Asset Management
Cryptography & Key Mgmt
Business Continuity
Secure Development
Physical Security
Data Classification & Handling
💡 Simulates create_audit, record_finding, create_corrective_action, update_corrective_action, and close_audit. ISO 27001:2022 Clause 9.2 requires all NC (nonconformity) findings to have verified corrective actions before the audit can be closed.
Plan Internal Audit (calls create_audit)
Record a Finding (calls record_finding)
Findings: click a finding to pre-select it for a CAR (corrective action request); none recorded yet
Raise Corrective Action (calls create_corrective_action)
Corrective Actions: all NC CARs must be verified to close the audit; none raised yet
Close Audit: raise and verify CARs for all NC findings first
💡 Simulates create_management_review, record_review_input, record_review_output, and complete_management_review. ISO 27001:2022 Clause 9.3 requires all 7 inputs to be addressed and at least 1 output decision recorded before the review can be completed.
§9.3.2 Required Inputs (all 7 must be addressed before completion)
Previous action status: status of actions from previous management reviews
External & internal issues: changes in external and internal issues relevant to the ISMS
Interested party needs: changes in needs and expectations of interested parties
ISMS performance: feedback on performance incl. nonconformities, audit results, monitoring, KPIs
Interested party feedback: feedback from interested parties (customers, regulators, partners)
Risk assessment results: results of risk assessment and status of risk treatment plan
Improvement opportunities: opportunities for continual improvement of the ISMS
§9.3.3 Required Outputs (select at least one output decision)
improvement_decision: decisions and actions related to continual improvement opportunities
Example: "Implement automated vulnerability scanning by Q3 2026 · Owner: Head of Engineering"
isms_change_decision: decisions on changes needed to the ISMS including resources and objectives
Example: "Expand ISMS scope to include GCP production environment by 2026-09-01"
Completing the review requires 7/7 inputs + 1 output
💡 Simulates create_improvement_opportunity, update_improvement_opportunity, and list_improvement_opportunities. ISO 27001:2022 Clause 10.1 requires a forward-only status workflow — opportunities cannot be moved backwards.
Backlog Health Rating: based on the open opportunity count (Open · In Progress · Closed)
Status columns, in forward-only order: Open → In Progress → Implemented → Closed
💡 Simulates generate_evidence_document and list_evidence_documents. Generated documents are dual-written to both the evidence and generated_evidence tables, enabling both tracking and version history. Individual documents are readable via the iso27001://evidence/documents/{id} resource.
Evidence Document Type
6 pre-built ISO 27001 evidence templates
access_review_log
Quarterly access rights review log documenting who reviewed, what systems, and findings
Controls: 5.15, 5.16, 5.18, 8.2 · Clause 9.1
risk_treatment_evidence
Evidence package for a completed risk treatment action with before/after risk scores
Controls: 6.1.3, 8.3 · Clause 8.3
training_completion_record
Security awareness training completion records with assessment scores and attestation
Controls: 6.3, 6.6 · Clause 7.2, 7.3
vulnerability_scan_report
Structured vulnerability scan results with CVE references, severity, and remediation status
Controls: 8.8, 8.19, 5.7 · Clause 8.1
supplier_assessment
Third-party supplier security assessment questionnaire results and risk rating
Controls: 5.19–5.23 · Clause 8.1
internal_audit_evidence
Internal audit evidence package with objective evidence references and conformance status
Clause 9.2 · All Annex A controls in scope
🔒 ISO 27001:2022 · Model Context Protocol
iso27001-mcp
A stateful MCP server that gives Claude a complete Information Security Management System. Run gap assessments, manage risks, generate ISO-aligned policies and procedures, track evidence, and schedule management reviews — all backed by an AES-256 encrypted SQLite database on your own machine.
50 MCP Tools · 14 Tool Groups · 93 ISO 27001:2022 Controls · 30 Templates · Latest release v0.9.73
Encrypted Local Database
All ISMS data is stored in an AES-256 encrypted SQLite database (isms.db) on your machine. Your compliance data never leaves your infrastructure.
HMAC-Signed API Keys
Three-tier RBAC (viewer · analyst · admin) enforced on every tool call. Keys are never stored in plaintext — only their HMAC-SHA256 hash is persisted.
Mustache Templates
12 policy templates, 12 procedure templates, and 6 evidence document templates rendered with your organisation's details. Shared partials ensure consistent formatting.
MCP Resources
12 read-only iso27001:// URIs expose every ISMS artefact as a browsable MCP Resource. Claude can reference them without a tool call.
Tamper-Evident Audit Log
Every tool call writes an HMAC-SHA256 chained row. Insertion, deletion, or reordering of audit rows is cryptographically detectable.
SSE Team Mode
Run as a shared Express server for teams. Bearer token auth at connect time, opaque session tokens throughout — raw keys are never retained in server memory.
Installation & Quick Start
Get connected to Claude Desktop in three commands · No openssl required · Requires Node.js ≥ 20.11.0
1. Install globally
The iso27001-mcp command becomes available globally. The native SQLite module downloads a prebuilt binary on macOS and Linux x64 automatically.
npm install -g iso27001-mcp
2. Run the setup wizard
One guided command does everything: generates AES-256 / HMAC-SHA256 secrets, creates and seeds the encrypted database with all 93 ISO 27001:2022 controls, generates your admin API key, and adds the entry to your Claude Desktop config automatically.
iso27001-mcp init
3. Verify and connect
Run the health check, then restart Claude Desktop (quit fully and reopen). You should see 50 tools in the tools panel.
iso27001-mcp doctor
# All 10 checks should show ✅
# Then restart Claude Desktop
Try it with Claude
Ask Claude any of these to get started:
"Read the iso27001://server/info resource to check the server is running."
"Run an ISO 27001 gap assessment for a 50-person SaaS company."
"Register a new risk: our customer DB is exposed to SQL injection — likelihood 4, impact 5."
npm Package
Latest release on the npm registry. Install globally with one command. Provenance-attested build.
npmjs.com/package/iso27001-mcp
GitHub Repository
Source code, issue tracker, and contribution guide. Stars and PRs welcome.
github.com/Sushegaad/MCP-Server-for-ISO27001
Full Documentation
Complete tools reference with all 50 tools, parameter tables, architecture diagram, and security model.
github.com/…/README.md
Report an Issue
Found a bug or have a feature request? Open an issue on GitHub — all feedback is welcome.
github.com/…/issues