iso27001-mcp
A stateful MCP server that gives Claude a complete ISO 27001:2022 ISMS — gap analysis, risk register, 12 policy + 12 procedure templates, audit management, evidence tracking, and browseable MCP Resources. All backed by an AES-256 encrypted SQLite database on your own machine.
✅ 50 MCP tools
🔐 AES-256 encrypted DB
📋 93 ISO 27001:2022 controls
📋 114 ISO 27001:2013 controls
🖥 Node.js 20+
npm install -g iso27001-mcp
What Claude can do with this server
Gap Analysis
Run gap assessments against all 93 ISO 27001:2022 controls, track status per control, and generate prioritised remediation roadmaps.
Risk Register
Register risks with likelihood × impact scoring, create treatment plans (mitigate / accept / avoid / transfer), and export the full register.
Policy Generator
Generate 12 ISO 27001-aligned policy documents from Mustache templates, customised with your org name, scope, owner, and effective date.
Statement of Applicability
Auto-generate a full SoA from a gap assessment, then update inclusion status, justification, and responsible party for each control.
Audit Management
Create internal audits, record non-conformances and observations, raise corrective action requests, and generate audit reports.
Evidence Tracking
Register evidence artefacts per control, track expiry, find evidence gaps, and link to Jira tickets or GitHub issues.
Installation & Setup
Five steps to get Claude running your ISMS
1
Install the server
Requires Node.js 20.11 or later. Install globally to make the iso27001-mcp command available system-wide. macOS/Linux users may need build tools: run xcode-select --install (macOS) or sudo apt-get install build-essential python3 (Ubuntu/Debian).
npm install -g iso27001-mcp
2
Generate your secrets
Two secrets are required: one encrypts the SQLite database (AES-256), the other signs API keys. Generate them with openssl, using a different value for each, and save both — you'll need them in Steps 3 and 4. Treat them like passwords: without DB_ENCRYPTION_KEY the database cannot be read, and any API key signed under one HMAC_SECRET stops verifying if that secret changes.
openssl rand -hex 32 # → save as DB_ENCRYPTION_KEY
openssl rand -hex 32 # → save as HMAC_SECRET
3
Generate an API key
The server authenticates every tool call with an API key. Set your secrets as environment variables first, then run the keygen command. The raw key is printed once only — copy it before closing the terminal.
# Set secrets in your shell
export HMAC_SECRET=<your_hmac_secret>
export DB_ENCRYPTION_KEY=<your_db_encryption_key>
export DB_PATH=~/.iso27001/isms.db
# Generate an admin key (all 50 tools)
iso27001-mcp keygen --label "Me" --role admin
# Prints: iso27001_xxxxxxxxxxxxxxxxxxxxxxxx ← copy this
4
Add to Claude Desktop
Open your Claude Desktop config file — ~/Library/Application Support/Claude/claude_desktop_config.json on macOS or %APPDATA%\Claude\claude_desktop_config.json on Windows — and add the block below, substituting your values from Steps 2 and 3. Use the same DB_PATH you exported in Step 3, written as an absolute path (the config is not expanded by a shell, so ~ is not resolved). The file then holds both secrets and the API key in plaintext, so keep it readable only by your own user account and out of any dotfile repository you share.
{
  "mcpServers": {
    "iso27001": {
      "command": "iso27001-mcp",
      "env": {
        "HMAC_SECRET": "your_hmac_secret",
        "DB_ENCRYPTION_KEY": "your_db_encryption_key",
        "MCP_API_KEY": "iso27001_your_api_key_here",
        "DB_PATH": "/Users/you/.iso27001/isms.db"
      }
    }
  }
}
5
Restart Claude Desktop and verify
Fully quit and reopen Claude Desktop. You should see 50 tools in the MCP tools panel (🔨 hammer icon). Ask Claude to verify the server is running:
"Use get_server_info to confirm the server is running."
Claude will call get_server_info and return the version, uptime, and database stats — confirming all 93 ISO 27001:2022 and 114 ISO 27001:2013 controls are seeded and ready.
6
Start your first conversation
Try these prompts to get started:
You
Run a gap assessment for Acme Ltd against ISO 27001:2022. Our scope is all cloud infrastructure and the development team.
Claude
I'll create a gap assessment now. Using create_gap_assessment with scope "all cloud infrastructure and development team" against ISO 27001:2022 (93 controls)…
✅ Assessment created — ID: ga_7f3a...
All 93 controls are pre-populated as not_started. Which control domains would you like to review first?
MORE EXAMPLE PROMPTS
"Show me the gap summary and generate a remediation roadmap with a 26-week timeline."
"Register a risk: our customer database could be breached via SQL injection — likelihood 4, impact 5. Create a mitigate treatment plan linked to controls 8.26 and 8.28."
"Generate an Access Control Policy for Acme Ltd. Owner: CISO. Effective from 1 July 2026."
"Create an internal audit for Q3 covering clause 9.1. Auditor: Jane Smith. Record a major non-conformity and raise a corrective action."
"Generate a Statement of Applicability from our gap assessment and export it as CSV for the auditors."
[Interactive demo: gap assessment. Simulates create_gap_assessment, update_control_status, get_gap_summary, and generate_remediation_roadmap. Each control cycles through not started → partial → implemented → not implemented; the summary counts controls by status and reports a weighted compliance score (implemented = 100%, partial = 50%).]
[Interactive demo: risk register. Simulates create_risk, list_risks, get_risk_summary, and create_treatment_plan. Risk score = likelihood × impact on a 1–5 scale, plotted on a 5×5 heatmap and summarised as Critical / High / Medium / Low counts plus the highest risk.]
[Interactive demo: policy generator. Simulates the create_policy tool. The real server renders 12 Mustache templates server-side and stores the generated policy in the encrypted ISMS database with full version history.]
💡 All 50 tools are fully implemented. Each tool requires a valid API key (set via the MCP_API_KEY environment variable) and goes through input validation, role-based access control, and tamper-evident audit logging.
Author
Hemant Naik
Built March 2026 · ISO 27001:2022 ISMS automation via the Model Context Protocol
Release Notes
Latest: v0.7.9
v0.7.9
Latest
May 2026
Fixed vitest worker hang in CI (pool: "forks" in vitest.config.ts). Updated all GitHub Pages and repository URLs to use correct casing. Improved README Quick Start with cleaner keygen flow and role guidance.
v0.7.7
May 2026
Added pool: "forks" to vitest config to prevent hanging CI workers caused by open fetch handles in evidence-tracking tests. Version bump only; no functional changes.
v0.7.6
May 2026
Pinned CI and release workflows to Node 20.11.0 to prevent ABI mismatch between build and runtime environments. Fixed npm publish with SLSA provenance via GitHub Actions Granular Access Token.
v0.7.5
May 2026
Fixed double-nested policy templates in dist/seed/ caused by dual build invocation. Fixed broken keygen command (removed positional KEY= form). Replaced deprecated windows-build-tools with Visual Studio Build Tools link. Added Node ABI compatibility warning.
v0.7.4
May 2026
Added "browser": false to package.json to fix bundlephobia analysis. Added fast-uri ≥3.1.2 override to resolve HIGH CVE from MCP SDK transitive dependency. Launched GitHub Pages interactive demo site.
v0.7.3
May 2026
Added Socket security badge and npm version badge to README. Fixed postbuild script to use rm -rf dist/seed before copy, ensuring a clean slate on every build in CI.
v0.7.2
April 2026
Fixed double-shebang SyntaxError on install caused by tsup banner prepending a second #!/usr/bin/env node line. Removed db.pragma("key=''") from test fixtures causing SQLiteError on macOS.
v0.7.0
Initial release
March 2026
First public release. 43 MCP tools across 9 groups covering gap analysis, risk register, policy generation, Statement of Applicability, audit management, and evidence tracking. AES-256 encrypted SQLite, HMAC-signed API keys, 3-tier RBAC, tamper-evident audit log, Jira and GitHub integrations. 93 ISO 27001:2022 and 114 ISO 27001:2013 controls seeded with SHA-256 checksum verification. Now updated to 50 tools across 11 groups with organisation profile management, 12 procedure templates, and 12 browseable MCP Resources via the iso27001:// URI scheme.