Cloud security compliance without the pain
A practical, open reference framework for SaaS organisations navigating C5:2026, ISO 27001:2022, and the EU Cyber Resilience Act — mapped to a coherent, minimal document library.
A compliance framework built to be used
Most ISMS documentation frameworks are either too abstract to implement or too bloated to maintain. This framework tries to be neither.
Every C5:2026 requirement is mapped to the document type that satisfies it — policy, process, register, or artefact — with a rationale explaining why. ISO 27001:2022 and CRA obligations are mapped to the same document set, so one coherent library satisfies all three frameworks.
Built on the principle that a small, honest document library is worth more than a large, ceremonial one.
DRY documentation
Every obligation is mapped to one place. No duplication across frameworks.
Policy vs. process separation
Policies govern. Processes produce evidence. The distinction matters for audits.
Audit-honest
No document exists just to exist. Every artefact has a verifiable purpose.
Operationally realistic
Built for a small SaaS team, not a 10,000-person enterprise compliance department.
Four views, one coherent library
Each view is independently filterable and cross-linked. Click any document tag to jump to its full definition in the document register.
C5:2026 Requirements
All 622 requirements across 17 areas, each mapped to the document type that satisfies it. Filterable by area, criterion type (Basic / Sharpening / Complemented), and document.
ISO 27001:2022 Coverage
All 116 clauses and Annex A controls mapped to the framework. Each entry explains why that document type satisfies the clause — without referencing C5.
CRA 2024/2847 Mapping
Key obligations from the EU Cyber Resilience Act mapped to the framework. Articles 13–14 and Annex I Parts I and II.
Document Register
Every document in the framework defined: type, owner, purpose, and which C5, ISO 27001, and CRA obligations it satisfies. 62 document types.
Built for multi-product SaaS on AWS
This framework was designed for a SaaS organisation hosting production infrastructure on AWS, with a small Operating Team owning production and an IT Administration team owning endpoints and office IT. Physical security obligations for data centres are delegated to AWS and verified via supplier management. Adapt as needed for your specific context.
All regulation mappings are principle-level inferences and should be verified against official source texts before relying on them for certification or legal compliance.