MCP-Server-for-ISO27001
iso27001-mcp
Turn Claude into an ISO 27001 compliance assistant — controls, risk register, policies, evidence tracking, SoA generation, and full audit workflows in one local encrypted MCP server.
▶ Live Interactive Demo · Guided First-Run Checklist → · Roadmap →
Why this exists
ISO 27001 compliance work is typically scattered across spreadsheets, Word docs, ticketing systems, and shared drives. Security teams and consultants spend more time chasing evidence and reformatting documents than actually improving security posture.
iso27001-mcp solves this by giving Claude a live, stateful ISMS — all 93 ISO 27001:2022 controls seeded and ready, a real risk register, policy and procedure generators, evidence tracking, audit workflows, and a Statement of Applicability, backed by an encrypted local database that never leaves your machine.
The difference from generating static documents: Claude can query, reason, and update across your entire ISMS in a single conversation. Ask it to run a gap assessment, identify which open risks are linked to unimplemented controls, generate the policies that close those gaps, and produce a remediation roadmap — all without switching tools.
Who it's for: Security teams · Compliance consultants · GRC engineers · Startups preparing for ISO 27001 · Internal audit functions
Related MCP server: compliance-mcp
What Claude can do with it
Capability | Example prompt |
Gap assessment | "Run an ISO 27001:2022 gap assessment for a 50-person SaaS company." |
Risk register | "Create a risk register for a startup using AWS, GitHub, Slack, and Google Workspace." |
Statement of Applicability | "Generate a Statement of Applicability for all 93 ISO 27001:2022 controls." |
Policy generation | "Create an Access Control Policy mapped to ISO 27001 controls." |
Procedure generation | "Generate an Incident Handling Procedure with GDPR breach notification triggers." |
Internal audit | "Plan an internal audit for clause 9.1 — Performance Evaluation." |
Corrective actions | "List open audit findings and suggest corrective actions." |
Evidence tracking | "Show me all implemented controls with no current evidence." |
Remediation roadmap | "Generate a 26-week remediation roadmap grouped by risk level." |
Management review | "Prepare agenda items for our Clause 9.3 management review." |
Quick Start
Prerequisites
Node.js 20.11.0+ — nodejs.org or nvm / Volta
Build tools are usually not needed. The package ships pre-built binaries for macOS (arm64 + x64), Windows (x64), and Linux (x64/glibc). Try
npm install -g iso27001-mcpfirst — if it succeeds, you're done.
macOS:
xcode-select --installUbuntu / Debian:
sudo apt-get install build-essential python3Windows: Visual Studio Build Tools → "Desktop development with C++"
Your Node.js was installed system-wide and
npm install -gneeds write access to a root-owned directory. Do not usesudo npm install -g— it causes other issues. Instead, install Node via nvm or Volta, which place Node in your home directory where no elevated permissions are required.The npm global bin directory (
%APPDATA%\npm) may not be on your PATH yet. Open a new terminal window — the installer updates PATH for new sessions but not the one already open. If it still fails, add%APPDATA%\npmto your PATH manually in System Settings → Environment Variables.
Three commands to get running
npm install -g iso27001-mcp # 1. install globally
iso27001-mcp init --yes # 2. one-shot setup — all defaults, no prompts
# (omit --yes to choose custom paths interactively)
iso27001-mcp doctor # 3. verify everything is workingAfter running iso27001-mcp doctor you should see:
iso27001-mcp — health check
────────────────────────────────────────────────────────
✅ DB_ENCRYPTION_KEY set (64 hex chars)
✅ HMAC_SECRET set (64 hex chars)
✅ MCP_API_KEY set (starts with iso27001_)
✅ Database file /Users/you/.iso27001/isms.db
✅ Database accessible opened and queried successfully
✅ Migrations 9/9 applied
✅ Controls seeded 93 ISO 27001:2022 controls
✅ Active API key 1 active key found
✅ Claude Desktop config /Users/you/.../claude_desktop_config.json
✅ iso27001-mcp entry present in mcpServers
────────────────────────────────────────────────────────
All 10 checks passed. Restart Claude Desktop if you just ran init.Then restart Claude Desktop fully and you should see 50 tools in the tools panel.
macOS: press Cmd+Q to quit (clicking the red dot only closes the window — the server won't reload).
Windows: right-click the taskbar icon → Quit.
Tools not appearing after restart?
Check the MCP server log — Claude Desktop writes server stderr here:
macOS: ~/Library/Logs/Claude/mcp-server-iso27001-mcp.log
Windows: %APPDATA%\Claude\Logs\mcp-server-iso27001-mcp.logCommon causes: wrong Node.js version loaded by Claude Desktop, missing DB_ENCRYPTION_KEY in the config, or a database path that doesn't exist yet. Run iso27001-mcp doctor in a fresh terminal for a guided diagnosis.
Switched Node versions with nvm or Volta? The absolute Node.js path baked into your Claude Desktop config at init time now points to a deleted binary. Re-run
iso27001-mcp init— it will detect your current setup and update the path. Your existing database and API keys are preserved (the wizard aborts if your secrets file already exists and you run with--yes).
Five prompts to try first
"Read the iso27001://server/info resource to check the server is running."
"Run an ISO 27001 gap assessment for a 50-person SaaS company."
"Create a risk register for a startup using AWS, GitHub, Slack, and Google Workspace."
"Generate a Statement of Applicability for ISO 27001:2022."
"Create an Access Control Policy mapped to ISO 27001 controls."Tool Categories
50 tools across 14 groups. All require an API key; minimum role is shown. Read-only lookups (single-record fetches, summaries) have been moved to MCP Resources (iso27001:// URIs) — they appear in Claude's resource panel, not the tools list.
Group | Tools | Min. role | What it does |
Control Registry | 5 | viewer | Search, filter, and compare ISO 27001:2022 and 2013 controls; browse clause requirements |
Gap Analysis | 6 | viewer / analyst | Create and track gap assessments; export gap reports; generate remediation roadmaps |
Risk Management | 6 | viewer / analyst | Risk register with likelihood × impact scoring, treatment plans, and heat-map summaries |
Policy Management | 3 | analyst / admin | Generate, version, and export policies from 12 Mustache templates |
Statement of Applicability | 3 | analyst | Build and export SoA from a gap assessment; all 93 controls with applicability decisions |
Audit Management | 5 | admin | Plan audits, record findings (NCs, OFIs), raise CARs, and close with effectiveness check |
Evidence Tracking | 4 | analyst | Register evidence artefacts, spot gaps, link to Jira / GitHub issues |
Server Info | — | — | Retired to MCP Resource — access via |
Admin & Key Management | 3 | admin | Generate / revoke API keys, query the HMAC audit log |
Organisation Profile | 1 | admin | Set org name, scope, and defaults used by all templates |
Procedure Management | 4 | analyst / admin | Generate, version, and export procedures from 12 Mustache templates |
Management Review | 5 | admin | Full Clause 9.3 lifecycle — inputs, outputs, completion (enforces all 7 required input categories) |
Improvement Plan | 3 | analyst | Clause 10.1 improvement opportunities — track, link, and report |
Evidence Templates | 2 | analyst | Generate Mustache-rendered evidence documents; dual-write to evidence and generated_evidence tables |
Templates
The server ships 30 Mustache templates that Claude renders on demand with your organisation's name, scope, and control references automatically injected.
ISO 27001 Policy Templates
Generate any of these with a single Claude prompt:
information_security · access_control · risk_management · asset_management · incident_response · business_continuity · supplier_security · cryptography · physical_security · acceptable_use · data_classification · secure_development
ISO 27001 Procedure Templates
incident_handling · access_provisioning · asset_onboarding_offboarding · audit_log_review · backup_restore · bcp_testing · change_management · cryptographic_key_management · data_classification_handling · secure_development_workflow · supplier_onboarding · vulnerability_management
Evidence Document Templates
Pre-structured evidence documents for auditor submissions: access_review_attestation · bcp_test_report · incident_post_mortem · risk_treatment_sign_off · supplier_security_questionnaire · training_acknowledgement
Sample Outputs
The samples/ directory contains auditor-ready example outputs for a fictitious organisation ("Acme Financial Services Ltd") — a full gap assessment, remediation roadmap, risk register CSV, SoA CSV, access control policy, incident handling procedure, internal audit report, corrective action records, and evidence package. See Sample Outputs for the full index.
ISO 27001 keywords: ISO 27001 Statement of Applicability generator · ISO 27001 risk register template · ISO 27001 gap assessment tool · ISO 27001 audit evidence tracker · ISO 27001 MCP server · Claude ISO 27001 compliance assistant · AI GRC tool open source
Content Accuracy
Control identifiers, Annex A control names, clause numbers (4–10), and the 93-control 2022 / 114-control 2013 structure are mapped directly from the published ISO/IEC 27001:2022 and ISO/IEC 27001:2013 texts. Policy and procedure templates follow the clause structure and RACI patterns common in practitioner guidance.
Note: Template content and clause mappings have not yet been independently reviewed by a certified ISO 27001 Lead Auditor. They are intended as a starting point, not a substitute for professional audit or legal advice. A formal practitioner review is planned — see Roadmap.
Security Model
Role-Based Access Control (RBAC)
Three roles with strict hierarchy. A key can only call tools at or below its assigned role level.
Capability | Viewer | Analyst | Admin |
Read controls, clauses, version mappings | ✅ | ✅ | ✅ |
Read gap assessments, risks, policies, audits, evidence | ✅ | ✅ | ✅ |
Create / update gap assessments and control statuses | — | ✅ | ✅ |
Create and manage risks and treatment plans | — | ✅ | ✅ |
Generate policies and procedures | — | ✅ | ✅ |
Create and export Statements of Applicability | — | ✅ | ✅ |
Track and link evidence artefacts | — | ✅ | ✅ |
Record and track improvement opportunities | — | ✅ | ✅ |
Plan and close internal audits; raise CARs | — | — | ✅ |
Set organisation profile | — | — | ✅ |
Run management reviews (Clause 9.3) | — | — | ✅ |
View and query the audit log | — | — | ✅ |
Generate and revoke API keys | — | — | ✅ |
Tool counts: Viewer — 18 tools · Analyst — 36 tools · Admin — 50 tools
What never leaves your machine
In local mode (stdio, the default), no data leaves the machine. The encrypted SQLite database, the .env secrets file, and the append-only audit log are all stored locally. There is no telemetry, no cloud sync, and no outbound network calls — unless you explicitly configure the optional Jira or GitHub integrations.
For the full security profile — threat model, hardening guide, supply chain attestation, and audit log integrity verification — see the Trust Center.
Encryption and audit trail summary
Database — AES-256 encrypted SQLite via
better-sqlite3-multiple-ciphersAPI keys — HMAC-SHA256 hashed; raw key printed once and never stored
Audit log — HMAC-SHA256 hash chain; every row linked to its predecessor — insertion, deletion, or reordering is detectable;
actor_type(ai|human|system) andmodel_idare included in the hash so provenance claims are tamper-evidentPrompt injection — free-text fields sanitised before passing to any handler
HITL confirmation gates — 7 critical write tools (
update_control_status,update_risk,update_treatment_status,update_soa_entry,update_policy,update_procedure,complete_management_review) requireconfirmed: trueto commit; omitting it returns a preview diff and recordsoutcome: "proposed"in the audit log
Table of Contents
Full Reference — installation, tools API, architecture, modes, development, security
Use Cases
1 — Run a Gap Assessment
Ask Claude to assess your organisation against ISO 27001:2022, track the status of each control, and generate a prioritised remediation roadmap.
"Create a gap assessment for Acme Ltd covering all 2022 controls. Our scope is cloud infrastructure and development. Exclude physical security controls."
Claude will create the assessment, pre-populate all 93 controls as not_started, and let you work through them one by one or in bulk. When you're done:
"Generate a remediation roadmap grouped by risk level. Give us 26 weeks to get to certification."
The roadmap groups work by theme (Technological first), links controls to open risks, and assigns recommended due dates.
2 — Manage the Risk Register
Track information security risks end-to-end from identification through treatment.
"Register a new risk: our customer database is at risk from SQL injection due to unparameterised queries. Likelihood 4, impact 5."
"Create a treatment plan to mitigate this risk. Link it to controls 8.26 and 8.28. Owner: head of engineering. Due: end of Q3."
"Show me all critical and high risks that still have open treatment plans."
Risk scores are computed automatically (likelihood × impact) and reflected in summaries and heatmaps without any manual input.
3 — Generate ISMS Policies and Procedures
Generate a full suite of ISO 27001-aligned policy and procedure documents in seconds.
"Set our organisation profile: Acme Ltd. ISMS scope: all cloud-hosted systems and remote employees."
"Generate an information security policy. Owner: CISO. Effective from 1 June 2026."
"Create an Incident Handling Procedure linked to our Information Security Policy."
Policies and procedures are rendered from Mustache templates with automatic ISO clause and control mappings. Once the organisation profile is set, organisation_name and scope are injected automatically — no need to repeat them on every call.
12 policy types:
information_security · access_control · risk_management · asset_management · incident_response · business_continuity · supplier_security · cryptography · physical_security · acceptable_use · data_classification · secure_development
12 procedure types:
incident_handling · access_provisioning · asset_onboarding_offboarding · audit_log_review · backup_restore · bcp_testing · change_management · cryptographic_key_management · data_classification_handling · secure_development_workflow · supplier_onboarding · vulnerability_management
4 — Produce a Statement of Applicability
Generate an SoA directly from your gap assessment, pre-populated with inclusion/exclusion decisions and justifications.
"Generate a Statement of Applicability from assessment A-001. Export it as a CSV for the auditors."
5 — Run Internal Audits
Plan audits, record findings (NCs, observations, OFIs), raise corrective action requests, and track effectiveness.
"Create an audit of our access control and cryptography controls. Auditor: Jane Smith. Planned for 15 June 2026."
"Record a major non-conformity against clause 9.1: no evidence of ongoing monitoring of security objectives."
"Raise a CAR for this finding. Owner: compliance manager. Due in 30 days."
The server enforces ISO 27001:2022 Clause 10.1 — a corrective action cannot be closed unless effectiveness_verified is true.
6 — Track Evidence
Register evidence artefacts for each control, spot gaps, and link them directly to Jira tickets or GitHub issues.
"Show me all controls marked as implemented or partial that have no current evidence."
"Register a screenshot of our firewall config as evidence for control 8.20. Collector: ops team. Expires in 12 months."
"Link this evidence to a new Jira ticket in the SEC project: 'Firewall config screenshot — annual review'."
7 — Query the Audit Log
Every tool call is logged in a tamper-evident audit trail. Admins can query it at any time. Each entry records who triggered the action (actor_type: ai | human | system) and which model was running (model_id), both included in the HMAC hash chain so provenance claims are tamper-evident.
"Show me all tool calls made in the last 7 days that resulted in an error."
"Query the audit log filtered to actor_type=human to see which calls were made by human operators."
"List all API keys and when they were last used."
Full Reference
The detailed documentation has been moved to keep this page scannable. Everything below is in docs/REFERENCE.md:
Installation — prerequisites,
iso27001-mcp init,doctor, Claude Desktop configConnecting to Claude — Claude Desktop JSON, Claude Code, API key management
Advanced / Manual Setup — CI/CD, custom paths, full env var table
Tools Reference — all 50 tools across 14 groups with full parameter tables
MCP Resources — 12
iso27001://URIs, formats, example promptsArchitecture — 7-step security pipeline, database schema, seed data
Modes — local / CI / team / hosted with SSE endpoint reference
Sample Outputs — 9 auditor-ready example files for Acme Financial Services Ltd
Integrations — Jira and GitHub issue linking
Development — build, test, typecheck, project structure
Security — API key storage, encryption, audit trail, production checklist
Community
Discussed on r/mcp · 15K views · 28 upvotes
"Ace dude! I've used your GRC skills, and I'm a fan of the work. Keep it up!!" — asachs01, r/mcp
"Compliance tools are different from most MCP servers because every write needs to be traceable … the 'human in the loop' isn't just a nice-to-have, it's often a regulatory requirement." — NovaAgent2026, r/mcp (audit trail HMAC chain and HITL confirmation gates shipped in v0.9.4–v0.9.6)
Author
Hemant Naik · LinkedIn · hemant.naik@gmail.com · Built April 2026
License
MIT © 2026
This server cannot be installed
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sushegaad/MCP-Server-for-ISO27001'
If you have feedback or need assistance with the MCP directory API, please join our Discord server