CISO Assistant: Open-source cybersecurity management and GRC

CISO Assistant is an open-source governance, risk, and compliance (GRC) platform designed to help security teams document risks, controls, and framework alignment in a structured system. The community edition is maintained as a self-hosted tool for organizations that want direct access to the code and data.

What the community edition of CISO Assistant includes

The community edition focuses on foundational GRC functions. It allows teams to define assets, document risks, create controls, and map those controls to security and compliance frameworks. All of these elements are connected through a shared data model that emphasizes traceability.

Framework coverage is built into the open-source release. The tool includes structured representations of commonly used standards such as ISO 27001, the NIST Cybersecurity Framework, and SOC 2. Teams can associate their controls with specific framework requirements and track coverage within the system.

Users can also create custom controls and risks. Each item includes fields for ownership, status, and supporting details. This structure supports recurring reviews and updates as environments change.

Deployment and setup

CISO Assistant Community Edition is designed for self-managed deployment, with Docker-based setup as the primary path.

The application provides a web interface with role-based access controls. Users log in to view and update the records assigned to them. Permissions help separate administrative tasks from day-to-day updates by contributors across security, IT, and compliance teams.

All data remains in the environment where the tool is deployed. Storage, backups, and maintenance are handled by the organization running the system.

Managing risks and controls

Risk management sits at the center of the community edition. Teams can define assets and describe risks associated with them using consistent fields. These risks can then be linked to controls that address specific scenarios.

Controls serve as the connection point between risks and frameworks. Each control can include descriptive text, implementation notes, and references to supporting evidence. Status tracking allows teams to record progress and review control health over time.

The platform also supports assessment activities. Users can record evaluation results for controls and keep a history of those assessments. This provides continuity for internal reviews and external audit preparation.
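The sections above describe a data model in which controls are reusable objects that sit between risks and framework requirements, and reports are derived from those links (coverage, risk status, evidence). The following is an added illustration of that model, not CISO Assistant's own schema or code: the dataclass names, the framework identifiers ("FW-A", "FW-B"), the requirement references and the sample controls, risks and evidence file names are all constructed for the example. It shows the two reports a practitioner wants from such a model, framework coverage with its gaps and risks whose treatment is incomplete, and why a single control mapped to requirements in two frameworks satisfies both at once.

```python
from dataclasses import dataclass, field

# Constructed illustration of a GRC traceability model. Names and identifiers
# are assumptions for this example, not the project's actual data model.


@dataclass(frozen=True)
class Requirement:
    framework: str   # which standard this requirement belongs to
    ref: str         # requirement identifier within that standard
    title: str


@dataclass
class Control:
    cid: str
    name: str
    owner: str
    status: str                       # "planned" | "in_progress" | "active"
    requirements: set = field(default_factory=set)   # {(framework, ref), ...}
    evidence: list = field(default_factory=list)     # supporting artefacts


@dataclass
class Risk:
    rid: str
    asset: str
    scenario: str
    severity: str                     # "low" | "medium" | "high"
    controls: list = field(default_factory=list)     # ids of treating controls


# --- constructed sample dataset -------------------------------------------
REQUIREMENTS = [
    Requirement("FW-A", "A.1", "Access control policy"),
    Requirement("FW-A", "A.2", "Logging and monitoring"),
    Requirement("FW-A", "A.3", "Backup"),
    Requirement("FW-B", "B.1", "Logical access"),
    Requirement("FW-B", "B.2", "Change management"),
]

CONTROLS = {
    # One reusable control mapped to requirements in two frameworks.
    "C-1": Control("C-1", "Central IdP with MFA", "IAM team", "active",
                   {("FW-A", "A.1"), ("FW-B", "B.1")}, ["idp-mfa-policy.pdf"]),
    "C-2": Control("C-2", "SIEM log retention 12 months", "SecOps",
                   "in_progress", {("FW-A", "A.2")}),
    "C-3": Control("C-3", "Nightly encrypted backups", "Infra", "active",
                   {("FW-A", "A.3")}),               # active but no evidence yet
}

RISKS = [
    Risk("R-1", "Customer DB", "Credential stuffing against admin portal",
         "high", ["C-1"]),
    Risk("R-2", "Customer DB", "Ransomware destroys primary data",
         "high", ["C-3"]),
    Risk("R-3", "Build pipeline", "Unauthorized change to deploy scripts",
         "medium"),                                 # no treatment linked
]


def framework_coverage(framework, requirements, controls, active_only=True):
    """Which requirements of one framework are satisfied by (active) controls."""
    covered = set()
    for c in controls.values():
        if active_only and c.status != "active":
            continue   # planned or in-progress work does not count as coverage
        covered |= {ref for fw, ref in c.requirements if fw == framework}
    scoped = [r for r in requirements if r.framework == framework]
    gaps = [r.ref for r in scoped if r.ref not in covered]
    return {"framework": framework, "covered": len(scoped) - len(gaps),
            "total": len(scoped), "gaps": gaps}


def controls_for_requirement(framework, ref, controls):
    """Reverse traceability: every control claiming a given requirement."""
    return sorted(c.cid for c in controls.values()
                  if (framework, ref) in c.requirements)


def risk_findings(risks, controls):
    """Risks whose treatment is incomplete: no control, inactive control,
    or a control with no recorded evidence (what an auditor will ask for)."""
    findings = {}
    for r in risks:
        reasons = []
        if not r.controls:
            reasons.append("no control linked")
        for cid in r.controls:
            c = controls[cid]
            if c.status != "active":
                reasons.append(f"{cid} not active ({c.status})")
            if not c.evidence:
                reasons.append(f"{cid} has no evidence")
        if reasons:
            findings[r.rid] = reasons
    return findings


if __name__ == "__main__":
    for fw in ("FW-A", "FW-B"):
        print(framework_coverage(fw, REQUIREMENTS, CONTROLS))
    print(controls_for_requirement("FW-A", "A.1", CONTROLS))
    print(risk_findings(RISKS, CONTROLS))
```

The `active_only` switch is the caveat worth keeping in any coverage report: counting planned or in-progress controls overstates compliance, and the gap list is what drives the recurring review cycle described above.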

“CISO Assistant is built to bring several security team activities into one system, including governance, risk, compliance, and SecOps,” Abderrahmane Smimite, Managing Director, intuitem, told Help Net Security. “A core design choice is the way controls are treated as reusable objects, which helps teams structure their work in a consistent way. The open-source project is shaped by an active community of practitioners, and that input keeps the features aligned with day-to-day operational needs. The community has also contributed a broad library of standards and frameworks across industries and regions, along with the ability to define custom ones. Integration is another focus, with options such as APIs, n8n, MCP, and Kafka to connect the tool with other systems.”

Reporting and ongoing use

Reporting features in the community edition focus on operational views of GRC data. Users can review control coverage, risk status, and framework alignment directly in the interface. These views support planning, review meetings, and documentation workflows.

The tool is designed for continuous use across the year. Records can be updated as systems, vendors, or processes change. This keeps the GRC dataset aligned with current conditions.

Future plans and download

“We continue to collect feedback and suggestions from practitioners,” Smimite said. “Planned work includes a RAG mode for document ingestion to extend the AI capabilities alongside the existing MCP support. Another area of development is CA Hub, which is designed to support more advanced multi-tenancy for large organizations, consultants, and managed security service providers.”

CISO Assistant is available for free on GitHub.