Gap Assessment

Acme Financial Services · ISO 27001:2022 · 93 controls in scope

⚡ Simulated Demo — no server required
💡 This simulates the create_gap_assessment, update_control_status, and generate_remediation_roadmap tools. Click any control to cycle its status. Gap summaries are available as the iso27001://assessments/{id}/gap-summary resource.
Status counters: Implemented · Partial · Not Implemented · Not Started
Compliance Score: weighted by implementation status, shown as a percentage compliant with an Implemented / Partial / Not Implemented breakdown
Controls: click a control to cycle its status
💡 Simulates create_risk, list_risks, and create_treatment_plan. Risk score = likelihood × impact (1–5 scale). The risk heatmap and summary are available via the iso27001://risks/summary resource.
Risk Heatmap: 5×5 likelihood × impact matrix (likelihood on one axis, impact on the other)
Score bands: Low ≤4 · Medium 5–9 · High 10–14 · Critical ≥15
Risk Summary: counts of Critical / High / Medium / Low risks and the top risk by score
Risk Register: click a risk to view its treatment plan
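The scoring and banding rules the demo describes, as an added example (this is not iso27001-mcp's own code). Score = likelihood × impact on a 1–5 scale and the four band thresholds come from the page; the 1–5 range check, the record shapes and the sample register are my own constructions for illustration.

```javascript
// Added example, not the project's code. Score = likelihood x impact (1-5 scale),
// banded with the thresholds shown in the demo: Low <=4, Medium 5-9, High 10-14, Critical >=15.
const BANDS = [
  ['Critical', 15], // score >= 15
  ['High', 10],     // 10-14
  ['Medium', 5],    // 5-9
  ['Low', 0],       // <= 4
];

function scoreRisk(likelihood, impact) {
  // Range check is my addition: out-of-scale values would silently produce wrong bands.
  for (const v of [likelihood, impact]) {
    if (!Number.isInteger(v) || v < 1 || v > 5) {
      throw new RangeError(`likelihood and impact must be integers 1-5, got ${v}`);
    }
  }
  const score = likelihood * impact;
  const [band] = BANDS.find(([, floor]) => score >= floor);
  return { score, band };
}

// 5x5 heatmap: heatmap[l-1][i-1] is the band for likelihood l and impact i.
function buildHeatmap() {
  return Array.from({ length: 5 }, (_, li) =>
    Array.from({ length: 5 }, (_, ii) => scoreRisk(li + 1, ii + 1).band));
}

// Summary in the spirit of the iso27001://risks/summary resource: counts per band plus the top risk.
function summarizeRegister(register) {
  const counts = { Critical: 0, High: 0, Medium: 0, Low: 0 };
  let top = null;
  for (const r of register) {
    const { score, band } = scoreRisk(r.likelihood, r.impact);
    counts[band] += 1;
    if (!top || score > top.score) top = { id: r.id, title: r.title, score, band };
  }
  return { counts, top };
}

// Constructed sample register (not real Acme data).
const SAMPLE_REGISTER = [
  { id: 'R-1', title: 'Customer DB exposed to SQL injection', likelihood: 4, impact: 5 },
  { id: 'R-2', title: 'Stale contractor accounts', likelihood: 3, impact: 3 },
  { id: 'R-3', title: 'Unencrypted laptop backups', likelihood: 2, impact: 4 },
  { id: 'R-4', title: 'Office printer firmware out of date', likelihood: 2, impact: 1 },
];

console.log(buildHeatmap().map(row => row.join(' ')).join('\n'));
console.log(summarizeRegister(SAMPLE_REGISTER));
```

The heatmap is derived from the same function as the register summary, so the two views can never disagree about a cell's band; changing a threshold in one place changes both.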
💡 Simulates the create_policy tool. Policies are rendered from ISO 27001-aligned Mustache templates with your organisation's details.
Policy Details form · Policy Output (rendered from an ISO 27001-aligned Mustache template)
Fill in the form and click Generate Policy to render a complete ISO 27001-aligned policy document.
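To show how a policy template, a shared partial and the organisation's details fit together, here is an added example of a minimal Mustache-style renderer. It is not iso27001-mcp's renderer and the template text, partial and organisation record are constructed for illustration; it implements only `{{var}}`, `{{{var}}}`, `{{#section}}…{{/section}}` and `{{> partial}}`. The point worth seeing is that substitution happens in a single pass, so a value typed into the form (say an organisation name containing `{{…}}`) is never re-interpreted as template syntax, and `{{var}}` is HTML-escaped by default.

```javascript
// Added example, not the project's own template code. Mustache subset:
// {{var}} (escaped), {{{var}}} (raw), {{#key}}...{{/key}} (section), {{> name}} (partial).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function render(template, view, partials = {}, depth = 0) {
  if (depth > 16) throw new Error('partial recursion too deep'); // guards {{> self}} loops
  // One combined pattern: replacement text is never rescanned, so rendered values
  // cannot smuggle in new tags.
  const TAG = /\{\{\{(\w+)\}\}\}|\{\{#(\w+)\}\}([\s\S]*?)\{\{\/\2\}\}|\{\{>\s*(\w+)\s*\}\}|\{\{(\w+)\}\}/g;
  return template.replace(TAG, (_, raw, section, body, partial, escaped) => {
    if (raw !== undefined) return String(view[raw] ?? '');
    if (section !== undefined) {
      const v = view[section];
      if (Array.isArray(v)) { // repeat the body once per item; items must be objects
        return v.map(item => render(body, { ...view, ...item }, partials, depth)).join('');
      }
      return v ? render(body, view, partials, depth) : '';
    }
    if (partial !== undefined) {
      if (!(partial in partials)) throw new Error(`unknown partial: ${partial}`);
      return render(partials[partial], view, partials, depth + 1);
    }
    return escapeHtml(view[escaped] ?? '');
  });
}

// Constructed template and shared partial (the real templates are not shown on the page).
const PARTIALS = {
  header: '# {{title}}\n\nOrganisation: {{org_name}} · Owner: {{owner}} · Version {{version}}\n',
};
const POLICY_TEMPLATE =
  '{{> header}}\n' +
  '## Scope\n' +
  'This policy applies to {{org_name}} and covers:\n' +
  '{{#systems}}- {{name}}\n{{/systems}}' +
  '{{#ciso_note}}\n> {{ciso_note}}\n{{/ciso_note}}';

// Constructed organisation details, as the demo form would collect them.
const ORG = {
  title: 'Access Control Policy',
  org_name: 'Acme Financial Services',
  owner: 'CISO',
  version: '1.0',
  systems: [{ name: 'Core banking' }, { name: 'Customer portal <beta>' }],
  ciso_note: '',
};

function renderPolicy(view = ORG) {
  return render(POLICY_TEMPLATE, view, PARTIALS);
}

console.log(renderPolicy());
```

Because the partial is rendered with the same view, every document that includes `{{> header}}` carries the same title block, which is what "shared partials ensure consistent formatting" means in practice.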
💡 All 50 tools exposed by the MCP server. Each tool requires a valid API key. Role requirements: viewer (read-only, 18 tools), analyst (36 tools), admin (all 50 tools).
💡 Simulates create_procedure, list_procedures, and update_procedure. Select a procedure type, fill in your org details, and click Generate to render a full ISO 27001-aligned operating procedure document.
Procedure Type: select one of 12 ISO 27001 operating procedures
🚨 Incident Handling · Controls: 5.24, 5.25, 5.26, 5.27, 5.28, 6.8
🔑 Access Provisioning · Controls: 5.15, 5.16, 5.17, 5.18, 8.2, 8.5
💾 Backup & Restore · Controls: 8.13, 8.6
🔄 Change Management · Controls: 8.32, 8.20, 8.9
🛡️ Vulnerability Management · Controls: 8.8, 8.19, 5.7
🤝 Supplier Onboarding · Controls: 5.19, 5.20, 5.21, 5.22, 5.23
📦 Asset Management · Controls: 5.9, 5.10, 5.11, 5.12, 5.14
🔐 Cryptography & Key Mgmt · Controls: 8.24, 8.25
♻️ Business Continuity · Controls: 5.29, 5.30, 8.14
💻 Secure Development · Controls: 8.25, 8.26, 8.27, 8.28, 8.29, 8.31
🏢 Physical Security · Controls: 7.1–7.14
🏷️ Data Classification & Handling · Controls: 5.12, 5.13, 5.14, 8.10, 8.11, 8.12
💡 Simulates create_audit, record_finding, create_corrective_action, update_corrective_action, and close_audit. Internal audits follow ISO 27001:2022 Clause 9.2; the server will not close an audit until every nonconformity (NC) finding has a corrective action that has been verified (nonconformity and corrective action are covered by Clause 10.2).
Workflow: 1. Plan Audit (calls create_audit) · 2. Record Findings (calls record_finding) · 3. CARs & Close
Findings are classified as NC (nonconformity), OBS (observation) or OFI (opportunity for improvement); click a finding to pre-select it for a CAR.
Raise Corrective Action calls create_corrective_action. The CAR panel tracks Open CARs, Verified CARs and NCs without a CAR; all NC CARs must be verified before the audit can be closed.
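The close gate described above, as an added example written as a pure check over an audit's findings and corrective actions. This is not iso27001-mcp's code; the record shapes, the two CAR statuses (open, verified) and the sample findings are constructed for illustration, and the counters mirror the demo panels.

```javascript
// Added example, not the project's code. Returns whether close_audit may proceed and,
// if not, which NC findings block it.
const FINDING_TYPES = new Set(['NC', 'OBS', 'OFI']);
const CAR_STATUSES = new Set(['open', 'verified']); // constructed: real status set not shown

function canCloseAudit(findings, cars) {
  const carsByFinding = new Map();
  for (const car of cars) {
    if (!CAR_STATUSES.has(car.status)) throw new Error(`bad CAR status ${car.status}`);
    if (!carsByFinding.has(car.findingId)) carsByFinding.set(car.findingId, []);
    carsByFinding.get(car.findingId).push(car);
  }
  const blockers = [];
  for (const f of findings) {
    if (!FINDING_TYPES.has(f.type)) throw new Error(`bad finding type ${f.type}`);
    if (f.type !== 'NC') continue; // observations and OFIs never block closure
    const linked = carsByFinding.get(f.id) || [];
    if (linked.length === 0) {
      blockers.push({ findingId: f.id, reason: 'no CAR raised' });
    } else if (!linked.some(c => c.status === 'verified')) {
      blockers.push({ findingId: f.id, reason: 'CAR not verified' });
    }
  }
  return { ok: blockers.length === 0, blockers };
}

// Counters as shown in the Findings and Corrective Actions panels.
function auditCounters(findings, cars) {
  const byType = { NC: 0, OBS: 0, OFI: 0 };
  for (const f of findings) byType[f.type] += 1;
  const verified = cars.filter(c => c.status === 'verified').length;
  const withCar = new Set(cars.map(c => c.findingId));
  const ncWithoutCar = findings.filter(f => f.type === 'NC' && !withCar.has(f.id)).length;
  return { ...byType, cars: cars.length, open: cars.length - verified, verified, ncWithoutCar };
}

// Constructed sample audit.
const SAMPLE_FINDINGS = [
  { id: 'F-1', type: 'NC',  control: '5.15', text: 'Quarterly access review not performed for Q2' },
  { id: 'F-2', type: 'NC',  control: '8.8',  text: 'Critical CVEs older than 30 days on prod hosts' },
  { id: 'F-3', type: 'OBS', control: '8.13', text: 'Restore test evidence not retained' },
  { id: 'F-4', type: 'OFI', control: '5.9',  text: 'Asset inventory could be exported automatically' },
];
const SAMPLE_CARS = [
  { id: 'CAR-1', findingId: 'F-1', status: 'verified' },
  { id: 'CAR-2', findingId: 'F-2', status: 'open' },
];

console.log(auditCounters(SAMPLE_FINDINGS, SAMPLE_CARS));
console.log(canCloseAudit(SAMPLE_FINDINGS, SAMPLE_CARS)); // blocked by F-2
```

Keeping the rule in one function means the same check can back both the UI's "Raise and verify CARs first" message and the server-side refusal in close_audit; a client that skips the UI still cannot close an audit with an unverified NC.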
💡 Simulates create_management_review, record_review_input, record_review_output, and complete_management_review. ISO 27001:2022 Clause 9.3.2 lists seven required review inputs and Clause 9.3.3 the required outputs; the server will not complete a review until all 7 inputs are addressed and at least 1 output decision is recorded.
Stages: 1. Created · 2. Recording Inputs & Outputs · 3. Completed
§9.3.2 Required Inputs (all 7 must be addressed before completion):
Previous action status · Status of actions from previous management reviews
External & internal issues · Changes in external and internal issues relevant to the ISMS
Interested party needs · Changes in needs and expectations of interested parties
ISMS performance · Feedback on performance incl. nonconformities, audit results, monitoring, KPIs
Interested party feedback · Feedback from interested parties (customers, regulators, partners)
Risk assessment results · Results of risk assessment and status of risk treatment plan
Improvement opportunities · Opportunities for continual improvement of the ISMS
§9.3.3 Required Outputs (select at least one output decision):
improvement_decision · Decisions and actions related to continual improvement opportunities · Example: "Implement automated vulnerability scanning by Q3 2026 · Owner: Head of Engineering"
isms_change_decision · Decisions on changes needed to the ISMS including resources and objectives · Example: "Expand ISMS scope to include GCP production environment by 2026-09-01"
Completion requires 7/7 inputs + 1 output; until then the review stays in status in_progress.
💡 Simulates create_improvement_opportunity, update_improvement_opportunity, and list_improvement_opportunities. Continual improvement (ISO 27001:2022 Clause 10.1) is tracked with a forward-only status workflow: opportunities cannot be moved backwards.
Backlog Health Rating: based on the open opportunity count
Status counts (forward-only): Open → In Progress → Implemented → Closed
💡 Simulates generate_evidence_document and list_evidence_documents. Generated documents are dual-written to both the evidence and generated_evidence tables, enabling both tracking and version history. Individual documents are readable via the iso27001://evidence/documents/{id} resource.
Evidence Document Type: 6 pre-built ISO 27001 evidence templates
access_review_log · Quarterly access rights review log documenting who reviewed, what systems, and findings · Controls: 5.15, 5.16, 5.18, 8.2 · Clause 9.1
risk_treatment_evidence · Evidence package for a completed risk treatment action with before/after risk scores · Controls: 6.1.3, 8.3 · Clause 8.3
training_completion_record · Security awareness training completion records with assessment scores and attestation · Controls: 6.3, 6.6 · Clauses 7.2, 7.3
vulnerability_scan_report · Structured vulnerability scan results with CVE references, severity, and remediation status · Controls: 8.8, 8.19, 5.7 · Clause 8.1
supplier_assessment · Third-party supplier security assessment questionnaire results and risk rating · Controls: 5.19–5.23 · Clause 8.1
internal_audit_evidence · Internal audit evidence package with objective evidence references and conformance status · Clause 9.2 · All Annex A controls in scope
🔒 ISO 27001:2022 · Model Context Protocol

iso27001-mcp

A stateful MCP server that gives Claude a complete Information Security Management System. Run gap assessments, manage risks, generate ISO-aligned policies and procedures, track evidence, and schedule management reviews — all backed by an AES-256 encrypted SQLite database on your own machine.

50 MCP Tools · 14 Tool Groups · 93 ISO 27001:2022 Controls · 30 Templates · v0.9.73 Latest
🗄️ Encrypted Local Database: All ISMS data is stored in an AES-256 encrypted SQLite database (isms.db) on your machine. Your compliance data never leaves your infrastructure. Protect the AES key generated by init as carefully as the database itself: anyone who holds it can decrypt isms.db.
🔑 HMAC-Signed API Keys: Three-tier RBAC (viewer · analyst · admin) enforced on every tool call. Keys are never stored in plaintext; only their HMAC-SHA256 hash is persisted.
📋 Mustache Templates: 12 policy templates, 12 procedure templates, and 6 evidence document templates rendered with your organisation's details. Shared partials ensure consistent formatting.
🔗 MCP Resources: 12 read-only iso27001:// URIs expose every ISMS artefact as a browsable MCP Resource. Claude can reference them without a tool call.
🛡️ Tamper-Evident Audit Log: Every tool call writes an HMAC-SHA256 chained row. Insertion, deletion, or reordering of audit rows is cryptographically detectable, provided the HMAC secret is kept away from whoever can write to the database.
🌐 SSE Team Mode: Run as a shared Express server for teams. Bearer token auth at connect time, opaque session tokens throughout; raw keys are never retained in server memory.
Installation & Quick Start
Get connected to Claude Desktop in three commands · No openssl required · Requires Node.js ≥ 20.11.0
1. Install globally. The iso27001-mcp command becomes available globally. The native SQLite module downloads a prebuilt binary on macOS and Linux x64 automatically.
npm install -g iso27001-mcp
2. Run the setup wizard. One guided command does everything: generates AES-256 / HMAC-SHA256 secrets, creates and seeds the encrypted database with all 93 ISO 27001:2022 controls, generates your admin API key, and adds the entry to your Claude Desktop config automatically.
iso27001-mcp init
3. Verify and connect. Run the health check, then restart Claude Desktop (quit fully and reopen). You should see 50 tools in the tools panel.
iso27001-mcp doctor
# All 10 checks should show ✅
# Then restart Claude Desktop
Try it with Claude
Ask Claude any of these to get started:
"Read the iso27001://server/info resource to check the server is running."
"Run an ISO 27001 gap assessment for a 50-person SaaS company."
"Register a new risk: our customer DB is exposed to SQL injection — likelihood 4, impact 5."

🤝 Contributors

Nicolò Mastroianni · Contributor · iso27001-mcp
Hemant Naik · Creator & Maintainer of iso27001-mcp · Security & Compliance Automation