Building Open-Source Compliance: Solving GRC as an Engineering Problem

These articles are AI-generated summaries. Please check the original sources for full details.

Compliance as an engineering problem: building an open-source Information Security, Privacy and AI Governance Platform

Gregory Griffin developed ISMS-Core, an open-source platform that treats compliance as a structured engineering problem rather than a consulting exercise. The codebase comprises over 377,000 lines of code and uses a four-layer validation pipeline to keep generated policies consistent with one another and with the normative sources they are derived from.

Why This Matters

Most GRC tools function as spreadsheets dressed in good intentions or expensive contracts that drift from technical reality within a single quarter. By deriving policies, implementation guides, and scorecards from a single structured source, organizations can prevent the drift between compliance documentation and actual engineering implementation. This approach addresses the high cost of manual consulting by automating the generation of artifacts across 93 Annex A controls and 23 frameworks.

Key Insights

  • The platform utilizes 317 Python generators to produce 590 implementation documents, ensuring consistency across ISO 27001:2022 and AI governance frameworks.
  • A four-layer validation pipeline uses semantic similarity against a 45-standard normative reference corpus (5,000 indexed chunks) to verify policy integrity.
  • Automated evidence connectors pull data from 44 sources, including Microsoft Entra ID, Sentinel, and AWS Security Hub, to validate control implementation.
  • Cross-framework mapping involves over 3,400 relationships between 23 frameworks, including NIST CSF 2.0 and the EU AI Act, using structured domain tagging.
  • The stack relies on OpenSearch for full-text search across implementation documents and Celery/Redis for managing the evidence connector queue.

Practical Applications

  • Use case: Multi-jurisdictional policy generation using runtime rendering with country-specific regulatory tokens for seven jurisdictions including CH, FR, DE, and IT. Pitfall: Relying on machine translation for legal tone, which often fails to meet specific jurisdictional regulatory expectations.
  • Use case: Automated AI Governance via ISO 42001:2023 extension with integrated EU AI Act and NIST AI RMF crosswalks. Pitfall: Using one-shot LLM prompts for control verification, which results in hallucinations regarding policy coverage that cannot be substantiated.
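The single-source idea behind the "Why This Matters" section and the runtime-rendering use case above can be made concrete with a small renderer. The following is an added example written for this summary, not code from ISMS-Core or its author: one structured control record is the only source for a policy paragraph, an implementation-guide line and a scorecard row; jurisdiction-specific values are substituted at render time from a registry keyed by country code; and a validation pass rejects tokens that a jurisdiction does not define, tokens a jurisdiction defines but nothing uses, unknown jurisdictions, and token syntax that survives rendering (the situations in which documentation silently drifts from the source). The control id, the token names and the registry values are constructed sample data, not a statement of any country's law.

```python
import re
from typing import Dict, List, Set

# A token looks like {{ name }}; names are lowercase identifiers.
TOKEN_RE = re.compile(r"\{\{\s*([a-z_]+)\s*\}\}")

# Constructed single-source control record (hypothetical id, not an ISMS-Core record).
# Every artifact below is derived from these three templates and nothing else.
CONTROL = {
    "id": "EX-PRIV-01",
    "title": "Protection of personal data",
    "policy": (
        "Personal data processed under control {{control_id}} is handled in line with "
        "{{privacy_law}}; the competent supervisory authority is {{regulator}}."
    ),
    "guide": (
        "Engineering teams implement {{control_id}} by documenting the legal basis "
        "required under {{privacy_law}} before onboarding a new data flow."
    ),
    "scorecard": "{{control_id}} | {{jurisdiction}} | {{privacy_law}}",
}

# Constructed jurisdiction registry: sample regulator and statute labels per
# country code, for illustration only.
JURISDICTIONS: Dict[str, Dict[str, str]] = {
    "CH": {"regulator": "FDPIC", "privacy_law": "FADP"},
    "FR": {"regulator": "CNIL", "privacy_law": "GDPR and Loi Informatique et Libertés"},
    "DE": {"regulator": "BfDI", "privacy_law": "GDPR and BDSG"},
    "IT": {"regulator": "Garante", "privacy_law": "GDPR and Codice Privacy"},
}

# Tokens the renderer supplies itself rather than reading from the registry.
BUILTIN_TOKENS = {"control_id", "jurisdiction"}


class RenderError(ValueError):
    """Raised when an artifact cannot be rendered consistently from the source."""


def extract_tokens(template: str) -> Set[str]:
    """Return the set of token names referenced by a template."""
    return set(TOKEN_RE.findall(template))


def validate_registry(control: dict, registry: Dict[str, Dict[str, str]]) -> List[str]:
    """Structural check: every token any artifact uses must be defined for every
    jurisdiction, and every defined token must actually be used somewhere."""
    required: Set[str] = set()
    for key in ("policy", "guide", "scorecard"):
        required |= extract_tokens(control[key])
    required -= BUILTIN_TOKENS
    issues: List[str] = []
    for code, tokens in registry.items():
        for tok in sorted(required - set(tokens)):
            issues.append(f"{code}: missing token '{tok}'")
        for tok in sorted(set(tokens) - required):
            issues.append(f"{code}: unused token '{tok}'")
    return issues


def render(template: str, control: dict, code: str, registry: Dict[str, Dict[str, str]]) -> str:
    """Substitute jurisdiction values into one template; fail closed on any gap."""
    if code not in registry:
        raise RenderError(f"unknown jurisdiction {code!r}")
    values = {**registry[code], "control_id": control["id"], "jurisdiction": code}

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in values:
            raise RenderError(f"{code}: undefined token '{name}'")
        return values[name]

    out = TOKEN_RE.sub(substitute, template)
    # Post-render check: malformed token syntax that the regex did not match
    # (e.g. "{{ Bad Token }}") must not leak into a published document.
    if "{{" in out or "}}" in out:
        raise RenderError(f"{code}: unresolved token syntax in output")
    return out


def generate_artifacts(control: dict, code: str, registry: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Derive policy, guide and scorecard for one jurisdiction from the single source."""
    issues = validate_registry(control, registry)
    if issues:
        raise RenderError("; ".join(issues))
    return {key: render(control[key], control, code, registry) for key in ("policy", "guide", "scorecard")}


def artifacts_consistent(artifacts: Dict[str, str], control: dict) -> bool:
    """Cross-artifact check: every derived document names the same control id."""
    return all(control["id"] in text for text in artifacts.values())


if __name__ == "__main__":
    for code in JURISDICTIONS:
        arts = generate_artifacts(CONTROL, code, JURISDICTIONS)
        assert artifacts_consistent(arts, CONTROL)
        print(f"--- {code} ---")
        for key, text in arts.items():
            print(f"{key}: {text}")
```

Because validation runs before any rendering, adding a fifth jurisdiction that forgets a token fails the whole generation run rather than producing one document with a hole in it; that is the property a pipeline of this kind needs so that generated documentation cannot quietly diverge from its source.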
