
Iso27001 Mcp

sushegaad/mcp-server-for-iso27001
Auth: required · Transport: STDIO · Registry: active
Summary

Connects Claude to a local encrypted SQLite database containing all 93 ISO 27001:2022 controls, a risk register, policy and procedure generators, and audit workflows. Exposes 63 tools across gap assessments, Statement of Applicability generation, evidence tracking, and management reviews. Useful when you're preparing for certification, running internal audits, or managing an ISMS without juggling spreadsheets and Word docs. Ships with 30 Mustache templates for policies and procedures that render with your organization's details. Everything stays local with required API key auth and role-based access. Run init to set up encryption keys and database, then ask Claude to generate a gap assessment or build a remediation roadmap from your current control state.


iso27001-mcp

Turn Claude into an ISO 27001 compliance assistant — controls, risk register, policies, evidence tracking, SoA generation, and full audit workflows in one local encrypted MCP server.


▶ Live Interactive Demo
▶ Getting Started with iso27001-mcp (watch on YouTube)

Why this exists

ISO 27001 compliance work is typically scattered across spreadsheets, Word docs, ticketing systems, and shared drives. Security teams and consultants spend more time chasing evidence and reformatting documents than actually improving security posture.

iso27001-mcp solves this by giving Claude a live, stateful ISMS — all 93 ISO 27001:2022 controls seeded and ready, a real risk register, policy and procedure generators, evidence tracking, audit workflows, and a Statement of Applicability, backed by an encrypted local database that never leaves your machine.

The difference from generating static documents: Claude can query, reason, and update across your entire ISMS in a single conversation. Ask it to run a gap assessment, identify which open risks are linked to unimplemented controls, generate the policies that close those gaps, and produce a remediation roadmap — all without switching tools.

Who it's for: Security teams · Compliance consultants · GRC engineers · Startups preparing for ISO 27001 · Internal audit functions


What Claude can do with it

Capability                 | Example prompt
---------------------------+---------------------------------------------------------------------------------------
Gap assessment             | "Run an ISO 27001:2022 gap assessment for a 50-person SaaS company."
Risk register              | "Create a risk register for a startup using AWS, GitHub, Slack, and Google Workspace."
Statement of Applicability | "Generate a Statement of Applicability for all 93 ISO 27001:2022 controls."
Policy generation          | "Create an Access Control Policy mapped to ISO 27001 controls."
Procedure generation       | "Generate an Incident Handling Procedure with GDPR breach notification triggers."
Internal audit             | "Plan an internal audit for clause 9.1 — Performance Evaluation."
Corrective actions         | "List open audit findings and suggest corrective actions."
Evidence tracking          | "Show me all implemented controls with no current evidence."
Remediation roadmap        | "Generate a 26-week remediation roadmap grouped by risk level."
Management review          | "Prepare agenda items for our Clause 9.3 management review."

Quick Start

Prerequisites

  • Node.js 20.11.0+ — nodejs.org or nvm / Volta

Build tools are usually not needed. The package ships pre-built binaries for macOS (arm64 + x64), Windows (x64), and Linux (x64/glibc). Try npm install -g iso27001-mcp first — if it succeeds, you're done.

↳ If the install fails with a node-gyp error, install the build tools for your OS:
  • macOS: xcode-select --install
  • Ubuntu / Debian: sudo apt-get install build-essential python3
  • Windows: Visual Studio Build Tools → "Desktop development with C++"
↳ If you get an EACCES permission error on macOS or Linux

Your Node.js was installed system-wide and npm install -g needs write access to a root-owned directory. Do not use sudo npm install -g — it causes other issues. Instead, install Node via nvm or Volta, which place Node in your home directory where no elevated permissions are required.

↳ If you get command not found on Windows after a successful install

The npm global bin directory (%APPDATA%\npm) may not be on your PATH yet. Open a new terminal window — the installer updates PATH for new sessions but not the one already open. If it still fails, add %APPDATA%\npm to your PATH manually in System Settings → Environment Variables.

Three commands to get running

npm install -g iso27001-mcp     # 1. install globally
iso27001-mcp init --yes         # 2. one-shot setup — all defaults, no prompts
                                #    (omit --yes to choose custom paths interactively)
iso27001-mcp doctor             # 3. verify everything is working

After running iso27001-mcp doctor you should see:

iso27001-mcp — health check
────────────────────────────────────────────────────────
✅  DB_ENCRYPTION_KEY      set (64 hex chars)
✅  HMAC_SECRET            set (64 hex chars)
✅  MCP_API_KEY            set (starts with iso27001_)
✅  Database file          /Users/you/.iso27001/isms.db
✅  Database accessible    opened and queried successfully
✅  Migrations             9/9 applied
✅  Controls seeded        93 ISO 27001:2022 controls
✅  Active API key         1 active key found
✅  Claude Desktop config  /Users/you/.../claude_desktop_config.json
✅  iso27001-mcp entry     present in mcpServers
────────────────────────────────────────────────────────
  All 10 checks passed. Restart Claude Desktop if you just ran init.

Then restart Claude Desktop fully and you should see 50 tools in the tools panel.

macOS: press Cmd+Q to quit (clicking the red dot only closes the window — the server won't reload).
Windows: right-click the taskbar icon → Quit.

Tools not appearing after restart?

Check the MCP server log — Claude Desktop writes server stderr here:

macOS:   ~/Library/Logs/Claude/mcp-server-iso27001-mcp.log
Windows: %APPDATA%\Claude\Logs\mcp-server-iso27001-mcp.log

Common causes: wrong Node.js version loaded by Claude Desktop, missing DB_ENCRYPTION_KEY in the config, or a database path that doesn't exist yet. Run iso27001-mcp doctor in a fresh terminal for a guided diagnosis.

Switched Node versions with nvm or Volta? The absolute Node.js path baked into your Claude Desktop config at init time now points to a deleted binary. Re-run iso27001-mcp init — it will detect your current setup and update the path. Your existing database and API keys are preserved (the wizard aborts if your secrets file already exists and you run with --yes).

Five prompts to try first

"Read the iso27001://server/info resource to check the server is running."
"Run an ISO 27001 gap assessment for a 50-person SaaS company."
"Create a risk register for a startup using AWS, GitHub, Slack, and Google Workspace."
"Generate a Statement of Applicability for ISO 27001:2022."
"Create an Access Control Policy mapped to ISO 27001 controls."

Tool Categories

50 tools across 14 groups. All require an API key; minimum role is shown. Read-only lookups (single-record fetches, summaries) have been moved to MCP Resources (iso27001:// URIs) — they appear in Claude's resource panel, not the tools list.

Group                      | Tools | Min. role        | What it does
---------------------------+-------+------------------+------------------------------------------------------------------------------------------------
Control Registry           | 5     | viewer           | Search, filter, and compare ISO 27001:2022 and 2013 controls; browse clause requirements
Gap Analysis               | 6     | viewer / analyst | Create and track gap assessments; export gap reports; generate remediation roadmaps
Risk Management            | 6     | viewer / analyst | Risk register with likelihood × impact scoring, treatment plans, and heat-map summaries
Policy Management          | 3     | analyst / admin  | Generate, version, and export policies from 12 Mustache templates
Statement of Applicability | 3     | analyst          | Build and export SoA from a gap assessment; all 93 controls with applicability decisions
Audit Management           | 5     | admin            | Plan audits, record findings (NCs, OFIs), raise CARs, and close with effectiveness check
Evidence Tracking          | 4     | analyst          | Register evidence artefacts, spot gaps, link to Jira / GitHub issues
Server Info                | —     | —                | Retired to MCP Resource — access via iso27001://server/info
Admin & Key Management     | 3     | admin            | Generate / revoke API keys, query the HMAC audit log
Organisation Profile       | 1     | admin            | Set org name, scope, and defaults used by all templates
Procedure Management       | 4     | analyst / admin  | Generate, version, and export procedures from 12 Mustache templates
Management Review          | 5     | admin            | Full Clause 9.3 lifecycle — inputs, outputs, completion (enforces all 7 required input categories)
Improvement Plan           | 3     | analyst          | Clause 10.1 improvement opportunities — track, link, and report
Evidence Templates         | 2     | analyst          | Generate Mustache-rendered evidence documents; dual-write to evidence and generated_evidence tables

Templates

The server ships 30 Mustache templates that Claude renders on demand with your organisation's name, scope, and control references automatically injected.

ISO 27001 Policy Templates

Generate any of these with a single Claude prompt:

information_security · access_control · risk_management · asset_management · incident_response · business_continuity · supplier_security · cryptography · physical_security · acceptable_use · data_classification · secure_development

ISO 27001 Procedure Templates

incident_handling · access_provisioning · asset_onboarding_offboarding · audit_log_review · backup_restore · bcp_testing · change_management · cryptographic_key_management · data_classification_handling · secure_development_workflow · supplier_onboarding · vulnerability_management

Evidence Document Templates

Pre-structured evidence documents for auditor submissions: access_review_attestation · bcp_test_report · incident_post_mortem · risk_treatment_sign_off · supplier_security_questionnaire · training_acknowledgement

Sample Outputs

The samples/ directory contains auditor-ready example outputs for a fictitious organisation ("Acme Financial Services Ltd") — a full gap assessment, remediation roadmap, risk register CSV, SoA CSV, access control policy, incident handling procedure, internal audit report, corrective action records, and evidence package. See Sample Outputs for the full index.

ISO 27001 keywords: ISO 27001 Statement of Applicability generator · ISO 27001 risk register template · ISO 27001 gap assessment tool · ISO 27001 audit evidence tracker · ISO 27001 MCP server · Claude ISO 27001 compliance assistant · AI GRC tool open source


Security Model

Role-Based Access Control (RBAC)

Three roles with strict hierarchy. A key can only call tools at or below its assigned role level.

Capability                                              | Viewer | Analyst | Admin
--------------------------------------------------------+--------+---------+------
Read controls, clauses, version mappings                | ✅     | ✅      | ✅
Read gap assessments, risks, policies, audits, evidence | ✅     | ✅      | ✅
Create / update gap assessments and control statuses    | —      | ✅      | ✅
Create and manage risks and treatment plans             | —      | ✅      | ✅
Generate policies and procedures                        | —      | ✅      | ✅
Create and export Statements of Applicability           | —      | ✅      | ✅
Track and link evidence artefacts                       | —      | ✅      | ✅
Record and track improvement opportunities              | —      | ✅      | ✅
Plan and close internal audits; raise CARs              | —      | —       | ✅
Set organisation profile                                | —      | —       | ✅
Run management reviews (Clause 9.3)                     | —      | —       | ✅
View and query the audit log                            | —      | —       | ✅
Generate and revoke API keys                            | —      | —       | ✅

Tool counts: Viewer — 18 tools · Analyst — 36 tools · Admin — 50 tools

What never leaves your machine

In local mode (stdio, the default), no data leaves the machine. The encrypted SQLite database, the .env secrets file, and the append-only audit log are all stored locally. There is no telemetry, no cloud sync, and no outbound network calls — unless you explicitly configure the optional Jira or GitHub integrations.

For the full security profile — threat model, hardening guide, supply chain attestation, and audit log integrity verification — see the Trust Center.

Encryption and audit trail summary

  • Database — AES-256 encrypted SQLite via better-sqlite3-multiple-ciphers
  • API keys — HMAC-SHA256 hashed; raw key printed once and never stored
  • Audit log — HMAC-SHA256 hash chain; every row is linked to its predecessor, so insertion, deletion, or reordering is detectable; actor_type (ai | human | system) and model_id are included in the hash so provenance claims are tamper-evident
  • Prompt injection — free-text fields sanitised before passing to any handler
  • HITL confirmation gates — 7 critical write tools (update_control_status, update_risk, update_treatment_status, update_soa_entry, update_policy, update_procedure, complete_management_review) require confirmed: true to commit; omitting it returns a preview diff and records outcome: "proposed" in the audit log

Table of Contents

  • Why this exists
  • What Claude can do with it
  • Quick Start
  • Tool Categories
  • Templates
  • Security Model
  • Use Cases
  • Full Reference — installation, tools API, architecture, modes, development, security

Use Cases

1 — Run a Gap Assessment

Ask Claude to assess your organisation against ISO 27001:2022, track the status of each control, and generate a prioritised remediation roadmap.

"Create a gap assessment for Acme Ltd covering all 2022 controls. Our scope is cloud infrastructure and development. Exclude physical security controls."

Claude will create the assessment, pre-populate all 93 controls as not_started, and let you work through them one by one or in bulk. When you're done:

"Generate a remediation roadmap grouped by risk level. Give us 26 weeks to get to certification."

The roadmap groups work by theme (Technological first), links controls to open risks, and assigns recommended due dates.


2 — Manage the Risk Register

Track information security risks end-to-end from identification through treatment.

"Register a new risk: our customer database is at risk from SQL injection due to unparameterised queries. Likelihood 4, impact 5."

"Create a treatment plan to mitigate this risk. Link it to controls 8.26 and 8.28. Owner: head of engineering. Due: end of Q3."

"Show me all critical and high risks that still have open treatment plans."

Risk scores are computed automatically (likelihood × impact) and reflected in summaries and heatmaps without any manual input.


3 — Generate ISMS Policies and Procedures

Generate a full suite of ISO 27001-aligned policy and procedure documents in seconds.

"Set our organisation profile: Acme Ltd. ISMS scope: all cloud-hosted systems and remote employees."

"Generate an information security policy. Owner: CISO. Effective from 1 June 2026."

"Create an Incident Handling Procedure linked to our Information Security Policy."

Policies and procedures are rendered from Mustache templates with automatic ISO clause and control mappings. Once the organisation profile is set, organisation_name and scope are injected automatically — no need to repeat them on every call.

12 policy types: information_security · access_control · risk_management · asset_management · incident_response · business_continuity · supplier_security · cryptography · physical_security · acceptable_use · data_classification · secure_development

12 procedure types: incident_handling · access_provisioning · asset_onboarding_offboarding · audit_log_review · backup_restore · bcp_testing · change_management · cryptographic_key_management · data_classification_handling · secure_development_workflow · supplier_onboarding · vulnerability_management


4 — Produce a Statement of Applicability

Generate an SoA directly from your gap assessment, pre-populated with inclusion/exclusion decisions and justifications.

"Generate a Statement of Applicability from assessment A-001. Export it as a CSV for the auditors."


5 — Run Internal Audits

Plan audits, record findings (NCs, observations, OFIs), raise corrective action requests, and track effectiveness.

"Create an audit of our access control and cryptography controls. Auditor: Jane Smith. Planned for 15 June 2026."

"Record a major non-conformity against clause 9.1: no evidence of ongoing monitoring of security objectives."

"Raise a CAR for this finding. Owner: compliance manager. Due in 30 days."

The server enforces ISO 27001:2022 Clause 10.1 — a corrective action cannot be closed unless effectiveness_verified is true.


6 — Track Evidence

Register evidence artefacts for each control, spot gaps, and link them directly to Jira tickets or GitHub issues.

"Show me all controls marked as implemented or partial that have no current evidence."

"Register a screenshot of our firewall config as evidence for control 8.20. Collector: ops team. Expires in 12 months."

"Link this evidence to a new Jira ticket in the SEC project: 'Firewall config screenshot — annual review'."


7 — Query the Audit Log

Every tool call is logged in a tamper-evident audit trail. Admins can query it at any time. Each entry records who triggered the action (actor_type: ai | human | system) and which model was running (model_id), both included in the HMAC hash chain so provenance claims are tamper-evident.

"Show me all tool calls made in the last 7 days that resulted in an error."

"Query the audit log filtered to actor_type=human to see which calls were made by human operators."

"List all API keys and when they were last used."


Full Reference

The detailed documentation has been moved to keep this page scannable. Everything below is in docs/REFERENCE.md:

  • Installation — prerequisites, iso27001-mcp init, doctor, Claude Desktop config
  • Connecting to Claude — Claude Desktop JSON, Claude Code, API key management
  • Advanced / Manual Setup — CI/CD, custom paths, full env var table
  • Tools Reference — all 50 tools across 14 groups with full parameter tables
  • MCP Resources — 12 iso27001:// URIs, formats, example prompts
  • Architecture — 7-step security pipeline, database schema, seed data
  • Modes — local / CI / team / hosted with SSE endpoint reference
  • Sample Outputs — 9 auditor-ready example files for Acme Financial Services Ltd
  • Integrations — Jira and GitHub issue linking
  • Development — build, test, typecheck, project structure
  • Security — API key storage, encryption, audit trail, production checklist

Community

Discussed on r/mcp · 15K views · 28 upvotes

"Ace dude! I've used your GRC skills, and I'm a fan of the work. Keep it up!!" — asachs01, r/mcp

"Compliance tools are different from most MCP servers because every write needs to be traceable … the 'human in the loop' isn't just a nice-to-have, it's often a regulatory requirement." — NovaAgent2026, r/mcp (audit trail HMAC chain and HITL confirmation gates shipped in v0.9.4–v0.9.6)


Author

Hemant Naik · LinkedIn · hemant.naik@gmail.com · Built April 2026


License

MIT © 2026


Configuration

  • DB_ENCRYPTION_KEY (required, secret): 32-byte hex key for AES-256 SQLite encryption (generated by iso27001-mcp init)
  • HMAC_SECRET (required, secret): 32-byte hex secret for HMAC-signing API keys (generated by iso27001-mcp init)
  • MCP_API_KEY (required, secret): API key for authenticating tool calls (generated by iso27001-mcp keygen)
  • DB_PATH: Path to the encrypted SQLite database file

Registry: active
Package: iso27001-mcp
Transport: STDIO
Auth: Required
Updated: May 24, 2026
View on GitHub