Open Source · AGPL-3.0 · Self-hosted

Your ISMS — your server, your data.

A self-hosted Information Security Management System for ISO 27001, NIS2, GDPR/DSGVO and BSI IT-Grundschutz. Built by a CISO, for CISOs.

Demo login credentials
  • Admin: admin@example.com / adminpass
  • CISO: ciso@example.com / cisopass
  • Reader: bob@hr.example / bobpass
ISO 27001:2022 · NIS2 · GDPR / DSGVO · BSI IT-Grundschutz · EU AI Act · ISO 9001 · CRA · EUCS
Why ISMS Builder?
Compliance shouldn't cost a fortune.

SMEs and mid-sized companies face an impossible choice when it comes to ISMS tooling.

💸

Enterprise tools are too expensive

Commercial ISMS platforms typically cost €5,000–30,000 per year — unaffordable for most organisations.

📊

Spreadsheets aren't auditable

Excel-based ISMS documentation can't enforce workflows, track policy acknowledgements or produce audit evidence automatically.

☁️

SaaS means giving up control

Storing sensitive security documentation in a third-party cloud contradicts the very principles of a sound ISMS.

Everything your ISMS needs.

313 controls across 8 frameworks. One platform. Fully self-hosted.

📋

Policy Management

Full document lifecycle — draft, review, approve, archive. Version history, role-based workflows, policy acknowledgements for staff without accounts.

⚠️

Risk Register

ISO 27001-aligned risk assessment with treatment tracking, CVSS scoring, scanner import from Greenbone/OpenVAS and multi-framework mapping.

🛡️

Statement of Applicability

313 controls across ISO 27001, NIS2, BSI IT-Grundschutz, EUCS, EU AI Act, ISO 9001 and CRA — with inline editing and CSV/PDF export.

🔒

GDPR / DSGVO Modules

Processing activity records (VVT), DPIA, 72h incident timer, deletion log (Art. 17), DSAR management and processor agreements.

🏢

Asset & Supplier Management

ISO 27001 A.5.9–5.12 asset classification, criticality levels, supplier audit tracking and BCM/BCP with business impact analysis.

🤖

Local AI Search

Semantic search via Ollama — runs entirely on your server, no cloud API, no data leaving your infrastructure. 100% GDPR-compliant.

Deployment
Self-host or let us run it.

Choose the option that fits your team and infrastructure.

Self-hosted

Run it on your own server — full control, no dependencies.

Free
AGPL-3.0 Open Source
  • Docker Compose in minutes
  • SQLite or MariaDB backend
  • SSL/TLS out of the box
  • 229 automated tests
  • Full source code on GitHub
Open Source
Built in the open, for the community.

AGPL-3.0 — Free to use, fork and improve.

ISMS Builder is fully open source. The AGPL-3.0 license ensures that any modified version running as a network service must also remain open source — keeping the ecosystem transparent and auditable.

Built by a practising CISO and DPO with 35+ years of IT experience. Every feature exists because it was needed in the real world.

313 Controls · 8 Frameworks · 229 Tests
Contact
Get in touch.

Questions, consulting or managed hosting?

Whether you need help getting started, want to discuss a managed instance or have a consulting enquiry — reach out directly.

✉ claude.hecker@pm.me
🔑 PGP Public Key — encrypted mail welcome