ISM MCP Server

ISM MCP Server

Serves the Australian Cyber Security Centre Information Security Manual (ISM) via MCP, providing access to all historical and current versions, search, and comparison tools.

Category
Visit Server

README

ism-mcp

A Model Context Protocol server that serves the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) to MCP-capable LLM clients (Claude Desktop, VS Code, Cursor, Continue, etc.).

Data is sourced live from the official ASD/ACSC OSCAL mirror:

https://github.com/AustralianCyberSecurityCentre/ism-oscal

Each git tag in that repository is one published ISM release. The server discovers tags dynamically via the GitHub API, so:

  • All historical versions back to v2022.09.14 are available.
  • The current version is whichever tag is newest.
  • Future versions automatically appear the moment ASD publishes a new tag — no code changes or redeploys required.

Catalog and profile JSON is cached on disk (default ~/.cache/ism-mcp/, override with ISM_MCP_CACHE_DIR). Tag listings are refreshed every six hours (override with ISM_MCP_TAGS_TTL_MS).

Capabilities

Tools

Tool Purpose
list_versions Enumerate every published ISM release (tag, id, SHA, date).
get_version_metadata OSCAL metadata + control/group counts for a version.
list_groups Hierarchical chapter/guideline structure with control counts.
list_controls Paginated list of controls, filterable by applicability / group / label prefix.
search_controls Full-text search across labels, titles, statements, and group paths.
get_control Full detail for a single control by OSCAL id or human label (e.g. GOV-01), as JSON or Markdown.
compare_versions Diff two ISM releases — added, removed, and modified controls.
list_profiles List the eight OSCAL profiles (NC / OS / P / S / TS + E8 ML1/2/3).
get_profile_controls Resolved set of controls for a given baseline or Essential Eight maturity level.
cache_info Inspect the local cache.

Resources (templates)

  • ism://catalog/{version} — full OSCAL catalog JSON (use latest or e.g. 2026.03.24).
  • ism://catalog/{version}/control/{controlId} — a single control rendered as Markdown.
  • ism://profile/{version}/{profile} — OSCAL resolved-profile catalog for a baseline.

Prompts

  • ism_compliance_check — generate a structured compliance assessment of a system against a baseline.
  • ism_change_brief — produce a change-management brief between two ISM releases.

Install / build

npm install
npm run build

The compiled entrypoint is dist/index.js and is exposed as the ism-mcp bin.

Run

The server speaks MCP over stdio:

node dist/index.js

For interactive exploration, use the official inspector:

npm run inspect

Wire it into a client

VS Code (.vscode/mcp.json or settings)

{
  "servers": {
    "ism": {
      "command": "node",
      "args": ["/absolute/path/to/ism-mcp/dist/index.js"],
    },
  },
}

Claude Desktop (claude_desktop_config.json)

{
  "mcpServers": {
    "ism": {
      "command": "node",
      "args": ["/absolute/path/to/ism-mcp/dist/index.js"],
    },
  },
}

Optional environment

Variable Purpose
ISM_MCP_CACHE_DIR Override on-disk cache directory.
ISM_MCP_TAGS_TTL_MS Tag-list cache TTL in milliseconds (default 6h).

Example prompts to try

  • "What ISM versions are available?"
  • "Show me GOV-01 from the latest ISM, in Markdown."
  • "Search for ISM controls about multi-factor authentication that apply to PROTECTED."
  • "Compare ISM 2025.12.9 with the latest release and summarise the changes."
  • "List the controls in the Essential Eight ML2 baseline for the latest ISM."

Data and licensing

The ISM is published by the Australian Signals Directorate. See the upstream repository and https://www.cyber.gov.au for terms of use. This server is an unaffiliated tool that consumes the publicly published OSCAL data.

CI / CD

Three GitHub Actions workflows ship with the repo:

  • .github/workflows/ci.yml — type-checks, builds, and runs the offline smoke test on every push and PR.
  • .github/workflows/release.yml — dispatched by CI after a successful main build when a new version tag is created (or by manual dispatch), bundles the latest data, builds, packs the tarball, generates checksums, creates a GitHub Release with the tarball and data/index.json attached, updates a rolling latest git tag to the released commit, and (optionally) publishes to npm. If Cloudflare credentials are configured, it deploys a Cloudflare Worker that serves the site and exposes the MCP Streamable HTTP endpoint at /mcp (manual dispatch can disable this via deploy_cloudflare=false).
  • .github/workflows/upstream-sync.yml — checks the upstream ACSC ISM OSCAL repository on a daily schedule (or manual dispatch). When a new ISM tag is published upstream, it rebundles data/, bumps the package patch version, commits the update to main, and lets CI trigger the tagged release and Cloudflare deployment.

One-time repository setup

  1. Settings → Actions → General → Workflow permissions: Read and write.
  2. (Optional) configure repository credentials for npm publish on release.
  3. Update the repository, homepage, and bugs fields in package.json (replace OWNER).
  4. (Optional) configure Cloudflare account credentials in repository secrets to enable Workers deployment on release.

Cutting a release

# bump version
npm version patch        # or minor / major
git push --follow-tags

Manual releases run CI first; when CI succeeds on main, it creates the version tag and dispatches release.yml, which builds an offline-ready ism-mcp-<version>.tgz, attaches it to the GitHub Release, and (optionally) publishes the package to npm and deploys the Cloudflare Worker endpoint.

Upstream ISM releases are also checked automatically once per day. If a new upstream tag is detected, the sync workflow rebundles the data, bumps the package version, pushes the update to main, and the existing CI and release workflows take over from there.

For remote AI clients, add the remote MCP server with this URL:

https://ism.mcp.zta.au/mcp

{
  "servers": {
    "ism": {
      "type": "http",
      "url": "https://ism.mcp.zta.au/mcp",
    },
  },
}

Remote MCP / HTTP transport

Beyond stdio, ism-mcp also speaks MCP Streamable HTTP so it can be hosted as a remote endpoint that AI tools query over the network.

# run as an HTTP server on :8080
MCP_TRANSPORT=http PORT=8080 node dist/index.js
# or via flag
node dist/index.js --http

Endpoints:

  • POST /mcp — JSON-RPC over Streamable HTTP (per-session via Mcp-Session-Id header).
  • GET /health — liveness probe.
  • GET / — plain-text usage hint.
  • GET /.well-known/oauth-protected-resource/mcp — protected resource metadata for MCP OAuth discovery.
  • GET /.well-known/oauth-authorization-server — authorization server metadata.
  • POST /register — dynamic client registration.
  • POST /token — token issuance for registered clients using client_credentials.

The hosted Cloudflare deployment supports dynamic client registration and client_credentials token exchange in addition to unauthenticated MCP access.

For durable client registrations and issued tokens across Worker restarts, bind a Cloudflare KV namespace as AUTH_KV. If AUTH_KV is not configured, the Worker falls back to in-memory auth state.

Environment variables:

Variable Purpose
MCP_TRANSPORT stdio (default for CLI) or http. The Docker image sets this to http.
PORT / HOST Bind address (defaults: 0.0.0.0:8080).
MCP_HTTP_PATH URL path for the MCP endpoint (default /mcp).

Connect a client to the remote endpoint

Hosted endpoint: https://ism.mcp.zta.au/mcp

// VS Code .vscode/mcp.json
{
  "servers": {
    "ism": {
      "type": "http",
      "url": "https://ism.mcp.zta.au/mcp",
    },
  },
}

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured