Available ISMS/GRC products
If we are set out to build our custom product, let's say based on Redmine, then it might make sense to first compare Redmine's potential to some of the existing tools on the market, often marketed under Governance, Risk and Compliance (GRC) not ISMS.
Of course, all of them are almost "ready" to be used as they contain basic content from standards like ISO 27001 but all of them require some customization which is still very limited.
Verinice
A long‑standing open‑source ISMS tool widely used in German public sector.
Strengths:
- Built‑in ISO 27001 & IT‑Grundschutz.
- Strong modeling of assets, risks, controls.
- Mature reporting and audit support.
Weaknesses:
- UI is dated and less intuitive than modern tools.
- Heavyweight; setup and customization require expertise.
- Smaller community compared to newer open‑source tools.
(No recent 2025–2026 sources surfaced in search; this summary is based on general industry knowledge.)
Eramba
Eramba is one of the most mature open‑source GRC platforms (Governance, Risk, Control).
Strengths:
- Comprehensive compliance templates for ISO 27001 & GDPR.
- Frequent updates and community‑driven development.
- Well‑designed interface for policy and risk management.
Weaknesses:
- Requires customization for non‑standard frameworks.
- Limited scalability for very large enterprises.
OpenProject
OpenProject is a project‑management tool (like Redmine) with some compliance‑oriented extensions.
Strengths:
- Modern UI, strong task/project workflows.
- Good for managing ISMS projects (audits, remediation tasks).
- Better reporting and structure than Redmine.
Weaknesses:
- Still not a full ISMS: lacks native frameworks, risk modules, compliance mapping.
- Requires plugins or custom setups similar to Redmine.
Interpretation:
OpenProject is a more polished Redmine, but still not a true ISMS tool.
CISO Assistant
A fast‑growing open‑source GRC/ISMS platform.
Strengths:
- Ships with 100+ frameworks out of the box (ISO 27001, SOC 2, NIST CSF, NIS2, GDPR, etc.).
- Strong compliance mapping across frameworks.
- Frequent updates, active community (3,600+ GitHub stars).
- Supports risk management, audit tracking, and multiple frameworks.
Weaknesses:
- Lacks advanced analytics.
- Requires manual setup and configuration.
- Rigid, cannot really be customized.
Costs
All of these are available for free, meaning they are basically empty, and then the commercial versions can cost anwhere from 2000EUR ti 8000EUR a year.
Not a small amount, especially when you can't really change the tools - the more you pay the less you can change the product.
