{"id":50769901,"url":"https://github.com/unidoc/isms","last_synced_at":"2026-06-11T17:03:37.039Z","repository":{"id":359409524,"uuid":"1240061827","full_name":"unidoc/isms","owner":"unidoc","description":"The Information Security Management System is an open-source management system platform. Documents live in git, collaboration lives in PostgreSQL, AI operates through suggestions and review and everything ships as a single binary.","archived":false,"fork":false,"pushed_at":"2026-06-03T17:06:57.000Z","size":3477,"stargazers_count":5,"open_issues_count":5,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-06-03T17:12:49.885Z","etag":null,"topics":["compliance","isms","iso27001","nis2","risk-management","self-hosted","soc2"],"latest_commit_sha":null,"homepage":"https://isms.sh","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/unidoc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-15T18:18:23.000Z","updated_at":"2026-06-03T16:14:58.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/unidoc/isms","commit_stats":null,"previous_names":["unidoc/isms"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/unidoc/isms","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unidoc%2Fisms","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unidoc%2Fisms/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unidoc%2Fisms/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unidoc%2Fisms/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/unidoc","download_url":"https://codeload.github.com/unidoc/isms/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unidoc%2Fisms/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34208762,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-11T02:00:06.485Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compliance","isms","iso27001","nis2","risk-management","self-hosted","soc2"],"created_at":"2026-06-11T17:03:36.112Z","updated_at":"2026-06-11T17:03:37.029Z","avatar_url":"https://github.com/unidoc.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# isms.sh — The Intelligent Management System\n\n## Why yet another management system?\n\nBecause the ones we have are complex, opaque, and treated as a compliance exercise — relevant for the audit, irrelevant the day after. Meanwhile the stakes keep rising: in a world of accelerating AI adoption and expanding threat surfaces, a management system that doesn't stay alive is worse than useless.\n\nWe believe it doesn't have to work that way. Security done right starts at the root — genuinely understanding and managing your risks, not papering over them. Built from the ground up with an AI-first workflow and real discipline in design and use, a management system should be a living part of how you operate, not a burden on top of it.\n\nThat's why it's open source: built to work for organizations of all sizes — and finally a credible option for smaller ones, who've never had a management system that's simple, stays current, and doesn't fight them. We built this to change that.\n\n## What it is\n\nAn open-source management system platform. Documents live in git, collaboration lives in PostgreSQL, AI operates through suggestions and review — and everything ships as a single binary.\n\nThe core is a **generic versioned document engine** — it knows nothing about specific standards. All standard-specific content is provided through **templates**: collections of markdown files that get scaffolded into your organization's git repository. Templates exist for ISO 27001, ISO 9001, ISO 14001, ISO 42001, SOC 2, NIS2, PCI DSS, HIPAA, NIST CSF, NIST 800-53, and DORA — and creating your own is as simple as writing markdown files in a folder.\n\n**[isms.sh](https://isms.sh)** — Built by [UniDoc](https://unidoc.io).\n\n![Overview](docs/screenshots/overview.png)\n\n## Try the live demo\n\nA hosted demo runs at **[demo.isms.sh](https://demo.isms.sh)** with a sample\norganization — **ACME Logistics** — pre-populated so you can explore every role.\nEvery demo account uses the password `demo`:\n\n| Role | Email | Password |\n|------|-------|----------|\n| Admin | `sarah.chen@acme-logistics.demo` | `demo` |\n| Manager | `maria.rodriguez@acme-logistics.demo` | `demo` |\n| Contributor | `david.walsh@acme-logistics.demo` | `demo` |\n\n\u003e The demo is a sandbox: data resets periodically and holds nothing real.\n\u003e Please don't store anything sensitive there.\n\n## Round-Based Document Review\n\n![Review workflow](docs/screenshots/review.png)\n\nMost compliance tools treat review as a checkbox. isms.sh treats it as a proper workflow with tracked rounds — because a lawyer reviewing a data processing agreement needs to know exactly what changed since their last feedback, not scroll through a generic diff.\n\n- **Round-based review** — Send for review, get feedback, resubmit. Each round is explicit.\n- **What changed since last round** — Default view shows only changes in the current round. Toggle to see everything since the review began.\n- **Clear reviewer status per round** — See who approved, who's pending, and who requested changes — for this specific round.\n- **Three reviewer actions** — Approve. Request changes with comments. Or propose a revision — edit the document directly and send your version back.\n- **Inline suggestions** — Reviewers suggest replacement text on individual paragraphs. Author accepts or rejects each one.\n- **Auto-merge** — Approval policies with `require_human` and `auto_merge` flags. When all requirements are met, the document publishes automatically.\n- **Immutable audit trail** — Every approval, every round transition, every proposed revision gets a decision record with a SHA-256 content hash.\n\n## AI-First\n\nAI is a first-class participant, not a bolt-on.\n\n- **MCP server** — `isms server mcp` exposes 22 tools over stdio. Any MCP-compatible AI (Claude Code, etc.) can read entities, suggest changes, review documents, and propose operational actions.\n- **Entity suggestions** — Generic suggestion primitive across all modules. AI (or any user) proposes changes → manager reviews and applies atomically.\n- **Agent identity** — Agent users are explicit (`is_agent` flag). Every AI action is attributed. UI shows AI badge. Audit trail distinguishes human from agent.\n- **AI document review** — Agent users participate in review as assigned reviewers: inline comments, paragraph suggestions, approve/reject decisions.\n- **AI review loop** — Two agents iterate (writer + reviewer) with automatic notification suppression. Escalates to human after max rounds.\n- **Annual review confirmation** — AI reviews document against registers, human owner confirms. Creates audit evidence without full review cycle.\n- **AI kill switch** — `ai_enabled` org setting. Set to `false` and all agent API tokens are blocked. Core works identically without AI.\n- **Three approval modes** — Human required (default), AI confidence + human confirm, full autopilot.\n\n## Features\n\n- **Template scaffolding** — Pick a standard, scaffold the documents, start writing. Templates provide structure; you own the content.\n- **Multi-standard** — Run ISO 27001 + ISO 14001 + HIPAA simultaneously in one organization.\n- **Git-based documents** — Markdown with YAML frontmatter. Full version history with diffs and blame.\n\n  ![Documents](docs/screenshots/documents.png)\n- **Review workflow** — Round-based review, inline suggestions, approval policies, auto-merge. See above.\n- **Risk management** — Risk register with 5×5 matrix, inherent/residual scoring, CIA impact, treatment plans, auto-calculated review dates.\n\n  ![Risk Register](docs/screenshots/risks.png)\n- **Asset register** — Information assets with CIA ratings, ownership, classification, linked to risks and systems.\n- **Legal \u0026 statutory requirements** — Regulatory obligations with jurisdiction, compliance status, review cycles.\n- **Internal audit** — Audit programmes, scope-based assessments, findings, corrective actions with full lifecycle.\n- **Supplier management** — Supplier register with criticality, certifications, data access tracking, review cycles.\n- **Business impact analysis** — Systems with RPO/RTO, criticality levels, access reviews, supplier/asset linkage.\n- **Incident management** — Incident register with severity, timeline, root cause, lessons learned.\n- **Change management** — Change requests with priority, risk level, rollback plan, approval workflow.\n- **Corrective actions** — Full lifecycle from assessment through implementation to verification.\n- **Objectives \u0026 programs** — Measurable objectives with check-ins, evidence upload, review cycles.\n- **Tasks** — Operational work items with auto-generation from overdue review cycles.\n- **Entity references** — Link anything to anything: risks to documents, incidents to assets, legal requirements to controls.\n- **Dashboard** — Annual plan calendar, overdue items, module overview.\n- **Notifications** — In-app notifications, Slack webhooks, Matrix integration (configured per-org in Admin).\n- **Web UI** — Vue 3 dark-themed SPA for readers and management.\n- **CLI** — Full-featured command-line interface for ISMS managers.\n- **TUI** — Terminal UI for quick operational access.\n- **One binary** — Single Go binary: serve, CLI, TUI, MCP, migrate, manage.\n\n## Security\n\n- **5 auth methods** — OIDC/SSO, password+TOTP, passkeys (WebAuthn), API tokens, Cloudflare Zero Trust\n- **Secrets encrypted at rest** — AES-256-GCM on OTP secrets, OIDC client secrets, sensitive settings\n- **Two-layer tenant isolation** — Application-layer `organization_id` filtering on all queries, with Postgres RLS policies as defense-in-depth on transactional operations via `WithOrgTx`\n- **Multi-tenant isolation** — composite FKs, org membership validation, UUID-only org resolution, org-scoped API tokens\n- **Role-based access control** — admin, manager, contributor, reader (per-org). Review assignment grants approve rights.\n- **Agent identity** — `is_agent` flag on users, enforced in policy evaluation and audit trail\n- **AI kill switch** — `ai_enabled` org setting blocks all agent API tokens at middleware level\n- **SVG sanitization** — Regex-based stripping of scripts, event handlers, dangerous URIs on branding uploads\n- **Repo protection** — Path allowlist, size limits, symlink/exec rejection on git push\n- **Audit trail** — Activity log + entity changelog with field-level diffs on all operations\n\nSee [Architecture](docs/architecture.md) for details on the core vs templates split and multi-tenancy design.\n\n## Quick Start\n\n### Prerequisites\n\n- Go 1.25+\n- PostgreSQL 14+\n- Node.js 20+ (for web UI development)\n\n### Build\n\n```bash\ngo build -o isms ./cmd/isms/\n```\n\n### Setup\n\n```bash\n# Set required environment\nexport DATABASE_URL=\"postgres://user:pass@localhost/isms?sslmode=disable\"\nexport ISMS_SECRET=\"$(openssl rand -hex 32)\"  # min 32 characters\nexport ISMS_STORAGE_BACKEND=\"file\"\nexport ISMS_TEMPLATE_PATH=\"/path/to/isms-templates\"\n\n# Start the server (runs migrations automatically)\nisms server serve --addr :9090\n\n# Create the first user and organization\nisms server user create --email admin@company.com --name \"Admin\" --password changeme\nisms server org create --name \"My Company\" --slug myco\nisms server org add-member --org myco --email admin@company.com --role admin\n```\n\n### Configure CLI\n\nCreate an env file (e.g. `company.env`):\n\n```env\nISMS_BASE_URL=http://localhost:9090\nISMS_API_TOKEN=isms_your_token_here\nISMS_ORGANIZATION=\u003corg-uuid\u003e\n```\n\n```bash\nexport ISMS_ENV=company.env\nisms whoami\nisms document list\nisms risk list\n```\n\n### Set up AI Agent\n\n```bash\n# Create agent user\nisms server user create --email ai@company.com --name \"Claude Agent\" --agent\nisms server org add-member --org myco --email ai@company.com --role contributor\nisms server api-key create --email ai@company.com --name \"mcp\"\n```\n\nThen configure Claude Code in `.claude/settings.json`:\n\n```json\n{\n  \"mcpServers\": {\n    \"isms\": {\n      \"command\": \"isms\",\n      \"args\": [\"server\", \"mcp\"],\n      \"env\": {\n        \"ISMS_API_URL\": \"http://localhost:9090\",\n        \"ISMS_API_TOKEN\": \"tok_...\"\n      }\n    }\n  }\n}\n```\n\n## Scope — what ISMS is, and isn't\n\nISMS is a generic, versioned engine for management systems. The core is\ndeliberately small: it does a few things well and pushes everything else to its\nedges. That smallness is the point — it keeps the engine clean, and the value of\na managed deployment lives at the edges.\n\n**Core** (in the binary) — generic primitives every deployment needs: git-backed\ndocuments (markdown + frontmatter), the review/approval workflow, and structured\nregisters (risks, assets, suppliers, systems, incidents, legal requirements,\ncorrective actions, audits, objectives). Multi-tenant, white-label,\nauthentication. The core knows nothing about any specific standard.\n\n**Templates** — standard-specific content is documents, not core. ISO 27001\nclauses, controls, a Statement of Applicability, management-review minutes,\ncompetence records are markdown documents scaffolded from\n[isms-templates](https://github.com/unidoc/isms-templates) and owned per\norganization. Templates get you started fast and make the core/content\nseparation concrete. Once scaffolded, documents and operational entities (risks,\nincidents, …) cross-link freely.\n\n**Integrations** — external tools are sources; ISMS is the system of record.\nEvidence and objectives flow in through the integration layer, with objective\ncheck-ins capturing evidence against the objectives they support. The direction\nis first-party connectors for major systems alongside private, customer-specific\nintegrations.\n\n**Hosting** — AI/agent wiring, deployment, and operations are hosting concerns,\nnot the engine. A managed, hosted ISMS is operated by UniDoc at\n[isms.sh](https://isms.sh); self-hosting is fully supported.\n\nThe test for any new capability: *does every deployment need it, generically?* →\ncore. Standard-specific → template. External system → integration. Deployment or\nAI wiring → hosting.\n\n**Meeting a standard's requirements** is done through these generic primitives,\nnot through per-clause features. For example, corrective-action *effectiveness*\nis expressed as an objective with a measurable target — incidents of a type\ntrending down, as part of risk treatment — not a bespoke \"verified\" field.\nBuilt-in layers that *are* core, like the incident data-breach fields (breach\nflag, GDPR role, authority/subject notifications), are deliberate first-class\ncapabilities, not standard-specific leakage.\n\n## Architecture\n\n```\n                    ┌─────────────────────────┐\n                    │      ISMS Server         │\n CLI ──┐            │                          │\n       │  Bearer    │  ┌─────┐    ┌────────┐   │\n TUI ──┼──token───▶ │  │ API │───▶│  Git   │   │\n       │            │  │     │    │  Store  │   │\n Web ──┤            │  │Echo │    └────────┘   │\n       │  CF Zero   │  │     │    ┌────────┐   │\n MCP ──┘  Trust     │  │     │───▶│Postgres│   │\n                    │  └─────┘    └────────┘   │\n                    └─────────────────────────┘\n```\n\n**Git repository** stores all documents:\n- `documents/` — All documents organized by template-defined folders\n- `branding/` — Logo, favicon (optional)\n\n**PostgreSQL** stores collaboration and operational data:\n- Reviews, comments, approvals, decision log\n- Risks, incidents, suppliers, systems, assets, legal requirements\n- Audit programmes, findings, corrective actions\n- Objectives, programs, check-ins, evidence\n- Tasks, change requests, suggestions\n- Notifications, activity log, entity changelog\n- Users, API tokens, approval policies\n\n## Authentication\n\nFive authentication methods:\n\n1. **OIDC / SSO** — Microsoft 365, Google, Okta, any OIDC provider — per-org configuration\n2. **Password + TOTP** — Local users, auditors, external parties\n3. **Passkeys (WebAuthn)** — Modern passwordless authentication\n4. **API tokens** — `Authorization: Bearer isms_xxx` — for CLI and AI agents. Tokens are org-scoped by default.\n5. **Cloudflare Zero Trust** — Optional reverse proxy authentication (`ISMS_CF_AUDIENCE` required)\n\n### Roles\n\n- **Admin** — full control: organization settings, members, SSO, the AI kill\n  switch, plus everything a manager can do.\n- **Manager** — operates the management system: creates and edits all entities\n  and documents, runs governance (send for review, approve/reject, merge), and\n  applies or rejects suggestions.\n- **Contributor** — proposes and reports. Creates suggestions for a manager to\n  act on, and comments. Does not directly create, edit, or apply — a\n  contributor's input flows through the suggestion/review pipeline, the same way\n  an AI agent's does.\n- **Reader** — read-only.\n\nWhen assigned to a review, any role (including reader and contributor) may\ncomment and approve on that review — an explicit per-assignment grant, separate\nfrom the base role.\n\n## Environment Variables\n\n**Required:**\n\n| Variable | Description |\n|----------|-------------|\n| `DATABASE_URL` | PostgreSQL connection string |\n| `ISMS_SECRET` | Secret key for JWT signing and encryption (minimum 32 characters) |\n| `ISMS_STORAGE_BACKEND` | Blob storage backend: `file` (local disk) or `s3` (S3-compatible/R2) |\n| `ISMS_TEMPLATE_PATH` | Path to template directory on disk. Required for template scaffolding. |\n\n**Server:**\n\n| Variable | Description |\n|----------|-------------|\n| `ISMS_BASE_URL` | Public URL (e.g. `https://isms.company.com`) — used for CORS, passkeys, notification links |\n| `ISMS_DATA_DIR` | Data directory for git repos and local file storage |\n| `ISMS_WEB_DIR` | Path to Vue web frontend `dist/` directory |\n| `ISMS_ROOT` | Git repository root (where the org git repo lives) |\n\n**S3 storage** (required if `ISMS_STORAGE_BACKEND=s3`):\n\n| Variable | Description |\n|----------|-------------|\n| `ISMS_S3_BUCKET` | S3 bucket name |\n| `ISMS_S3_REGION` | S3 region (e.g. `auto` for R2) |\n| `ISMS_S3_ENDPOINT` | S3 endpoint URL |\n| `ISMS_S3_ACCESS_KEY` | S3 access key |\n| `ISMS_S3_SECRET_KEY` | S3 secret key |\n\n**CLI:**\n\n| Variable | Description |\n|----------|-------------|\n| `ISMS_API_URL` | API URL for CLI (default: `ISMS_BASE_URL/api`) |\n| `ISMS_API_TOKEN` | API token for CLI authentication |\n| `ISMS_ORGANIZATION` | Organization UUID for CLI |\n| `ISMS_USER` | User email for CLI identity |\n\n**Authentication:**\n\n| Variable | Description |\n|----------|-------------|\n| `CLOUDFLARE_TEAM_DOMAIN` | Cloudflare Access team domain |\n| `ISMS_CF_AUDIENCE` | Cloudflare Access application audience tag (required for CF Zero Trust) |\n| `ISMS_USER_SIGNUP` | Set to `1` to enable self-signup (dev mode) |\n| `ISMS_SKIP_EMAIL_VERIFY` | Set to `1` to skip email verification (dev mode) |\n| `ISMS_RATE_LIMIT` | Rate limit override (`0` to disable, dev mode) |\n\n**SMTP** (optional):\n\n| Variable | Description |\n|----------|-------------|\n| `SMTP_HOST` | SMTP server for email notifications |\n| `SMTP_PORT` | SMTP port (default: 587) |\n| `SMTP_USER` | SMTP username |\n| `SMTP_PASSWORD` | SMTP password |\n| `SMTP_FROM` | From address for emails |\n\n**Git commit signing** (optional):\n\n| Variable | Description |\n|----------|-------------|\n| `ISMS_SIGNING_KEY` | Path to SSH key for git commit signing |\n| `ISMS_SIGNING_NAME` | Signer name for git commits |\n| `ISMS_SIGNING_EMAIL` | Signer email for git commits |\n\n**Platform branding** (optional):\n\n| Variable | Description |\n|----------|-------------|\n| `ISMS_TERMS_FILE` | Path to terms of service markdown file |\n| `ISMS_PRIVACY_FILE` | Path to privacy policy markdown file |\n| `ISMS_HIDE_POWERED_BY` | Set to `1` to hide \"Powered by\" footer |\n\nSlack and Matrix notifications are configured per-organization in **Admin → Settings**, not via environment variables.\n\n## Documentation\n\n- [Evaluate in 10 Minutes](docs/evaluate.md) — Quick start guide\n- [Architecture](docs/architecture.md) — Core vs templates, multi-tenancy, entity references\n- [AI-First Strategy](docs/ai-first.md) — AI architecture, MCP tools, agent identity\n- [Suggestions](docs/suggestions.md) — Entity suggestion system specification\n- [AI Review Loop](docs/ai-review-loop.md) — Multi-agent document review design\n- [Releasing](docs/releasing.md) — Cadence, versioning discipline, and house style\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. Please open an issue first to discuss what you'd like to change.\n\nHow we ship — a weekly release train, honest semver, and a deliberate release\ndiscipline — is documented in [docs/releasing.md](docs/releasing.md). The short\nversion: rigor lives in the process (CI, signed gates), so the people can stay\nwelcoming.\n\n## License\n\nApache License 2.0 — see [LICENSE](LICENSE) for details.\n\nCopyright 2026 [UniDoc ehf.](https://unidoc.io) — [isms.sh](https://isms.sh)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funidoc%2Fisms","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funidoc%2Fisms","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funidoc%2Fisms/lists"}