Open Source · AGPL-3.0 · Self-hosted

Your ISMS — your server, your data.

A self-hosted Information Security Management System for ISO 27001, NIS2, GDPR/DSGVO and BSI IT-Grundschutz. Built by a CISO, for CISOs.

Demo login credentials
Admin: admin@example.com / adminpass
CISO: ciso@example.com / cisopass
Reader: bob@hr.example / bobpass
Frameworks: ISO 27001:2022, NIS2, GDPR / DSGVO, BSI IT-Grundschutz, EU AI Act, ISO 9001, CRA, EUCS
Why ISMS Builder?
Compliance shouldn't cost a fortune.

SMEs and mid-sized companies face an impossible choice when it comes to ISMS tooling.

💸 Enterprise tools are too expensive

Commercial ISMS platforms typically cost €5,000–30,000 per year — unaffordable for most organisations.

📊 Spreadsheets aren't auditable

Excel-based ISMS documentation can't enforce workflows, track policy acknowledgements or produce audit evidence automatically.

☁️ SaaS means giving up control

Storing sensitive security documentation in a third-party cloud contradicts the very principles of a sound ISMS.

Everything your ISMS needs.

313 controls across 8 frameworks. One platform. Fully self-hosted.

📋 Policy Management

Full document lifecycle — draft, review, approve, archive. Version history, role-based workflows, policy acknowledgements for staff without accounts.

⚠️ Risk Register

ISO 27001-aligned risk assessment with treatment tracking, CVSS scoring, scanner import from Greenbone/OpenVAS and multi-framework mapping.

🛡️ Statement of Applicability

313 controls across ISO 27001, NIS2, BSI IT-Grundschutz, EUCS, EU AI Act, ISO 9001 and CRA — with inline editing and CSV/PDF export.

🔒 GDPR / DSGVO Modules

Processing activity records (VVT), DPIA, 72h incident timer, deletion log (Art. 17), DSAR management and processor agreements.

🏢 Asset & Supplier Management

ISO 27001 A.5.9–5.12 asset classification, criticality levels, supplier audit tracking and BCM/BCP with business impact analysis.

🤖 Local AI Search

Semantic search via Ollama — runs entirely on your server, no cloud API, no data leaving your infrastructure. 100% GDPR-compliant.

Deployment
Your server. Your data. Your rules.

ISMS Builder runs entirely on your own infrastructure — no cloud dependency, no vendor lock-in.

Self-hosted

Run it on your own server — full control, no dependencies.

Free
AGPL-3.0 Open Source
  • Docker Compose in minutes
  • SQLite or MariaDB backend
  • SSL/TLS out of the box
  • 229 automated tests
  • Full source code on GitHub

Community

Built in the open — contributions, bug reports and feedback are always welcome.

Open Development
Issues · PRs · Discussions
  • Report bugs or request features on GitHub
  • Contribute code, policies or translations
  • Browse the architecture and API docs
  • Read the full changelog
  • Reach out directly with questions
Positioning
A tool, not a subscription.
ISMS Builder is not a monitoring service. It is a structured, methodical instrument that guides you step by step through the PDCA cycle — auditable, self-hosted, without vendor lock-in.

ISMS Builder (this tool)

  • Pragmatic & modular — no overhead, no permanent subscription
  • Guides you through the PDCA cycle step by step
  • Template-based documentation — structured and auditable
  • Self-hosted — your data stays on your infrastructure
  • Built for SMEs, public authorities and European compliance (GDPR, NIS2, BSI)
  • No vendor lock-in — open source, AGPL-3.0

Typical SaaS ISMS tools (others)

  • Designed for permanent operation and continuous monitoring
  • Heavy automation and integrations — complex to set up
  • Recurring licence costs, often per user
  • Data stored on third-party infrastructure
  • Often US-centric — GDPR and BSI compliance requires workarounds
  • Vendor dependency for updates, support and availability
"The pragmatic and modular approach of ISMS Builder makes it particularly suitable for German and European SMEs and public authorities. Compared to heavily automated SaaS tools, it offers a structured, methodical and process-oriented approach to building a comprehensive and auditable ISMS."
See it in action
From risk to report — in one platform.
A full walkthrough of ISMS Builder: dashboard, risk register, SoA, GDPR, supplier assessments and reports.
Open Source
Built in the open, for the community.

AGPL-3.0 — Free to use, fork and improve.

ISMS Builder is fully open source. The AGPL-3.0 license ensures that any modified version running as a network service must also remain open source — keeping the ecosystem transparent and auditable.

Built by a practising CISO and DPO with 35+ years of IT experience. Every feature exists because it was needed in the real world.

313 controls · 8 frameworks · 229 tests
Contact
Get in touch.

Questions or consulting?

Need help getting started, want to discuss your ISMS setup or have a consulting enquiry — reach out directly.

✉ claude.hecker@pm.me
🔑 PGP Public Key — encrypted mail welcome