A few weeks ago I completed the Claude Code in Action course from Anthropic. I said I’d share what I build with it. Here’s the first one.
Meet CloudComply – a free, open-source cloud compliance mapping tool that helps Australian organisations understand how AWS and Azure native services map against the Australian ISM (March 2026) and ISO 27001:2022.
No backend. No login. No vendor lock-in. Just a fast, static web app with 780 control records baked in, running entirely in your browser.
You can use it right now at cloud-comply.vercel.app or grab the source from GitHub.
Why I Built This
If you’ve ever tried to answer the question “which AWS or Azure services satisfy our ISM controls?” – you’ll know how painful it is. You’re usually bouncing between vendor documentation, a spreadsheet someone built two years ago, and the ISM PDF trying to manually piece together mappings.
For Australian organisations, especially those operating under government or critical infrastructure obligations, this is a recurring problem. The ISM is updated regularly, cloud service catalogues change constantly, and maintaining an accurate picture of your compliance posture against both ISM and ISO 27001 simultaneously is genuinely tedious work.
A quick shoutout to Charles Diraviam, who put this problem in front of me. He flagged the pain of manually mapping ISM controls to cloud services in his organisation, and that conversation is what kicked this off.
I wanted a tool that solved this cleanly, was free to use, and didn’t require anyone to hand over data to a SaaS platform to get value from it. So I built one.
What CloudComply Actually Does
The tool covers 780 ISM controls, each dual-mapped to ISO 27001:2022, with coverage status across AWS and Azure services.
Here’s a quick demo of all the features.
Here’s what’s inside:
Dashboard
The first thing you see when you open the app is a snapshot of your overall compliance picture:
- Total controls, covered, partial coverage, and gaps at a glance
- A donut chart breaking down coverage status
- A stacked bar chart showing controls by ISM domain and coverage status
- A horizontal bar chart of controls by service category – click any bar to filter the mapping table directly
- A live implementation posture progress bar that reflects what you’ve actually marked as done in the tracker
Mapping Table
This is the core of the tool. All 780 ISM controls in a fully filterable, searchable table. You can:
- Toggle between ISM view (all 780 controls), ISO 27001 view (deduplicated to ~240 unique ISO controls), or both side by side
- Filter by cloud provider, coverage status, service category, ISM guideline, ISO theme, specific service, or free text
- Click any control ID to open the Control Detail Panel – a slide-in panel showing the full control record including description, ISO mapping, AWS/Azure service mapping, coverage badge, implementation notes, and recommended third party tools for that control.
- Export the current filtered view as CSV
Gap Analysis
Shows only the controls marked as Partial or Gap – the ones that actually need your attention. Grouped by service category and domain, with remediation guidance included. Exportable as a PDF in landscape format – ready to drop into a report or risk register.
Cross-Reference View
Side-by-side ISM ↔ ISO 27001:2022 mapping. Useful when you need to understand the relationship between the two frameworks rather than just looking at one in isolation.
AI & Containers
A dedicated tab for AI/ML services and container services, both of which come with their own compliance nuances. Includes a shared responsibility matrix per service type and compliance controls filtered to those specific categories.
Implementation Tracker
This is where the tool goes from reference material to something you actually work in. You select your compliance scope, framework, cloud provider, specific services and then track each control as:
- Not Started
- In Progress
- Implemented
- Accepted Risk
You can add inline notes per control, and everything persists to localStorage so it survives page refresh without needing an account or a database. Export your tracker state as JSON (re-importable) or CSV for reporting.
The posture bar on the dashboard reflects your live implementation progress in real time.
How It’s Built
The entire thing is a static React SPA, no server, no authentication, no external API calls at runtime. All 780 control records live in a single controls.json file.
| Layer | Technology |
|---|---|
| UI | React 19, TypeScript |
| Build | Vite 8 |
| Styling | Tailwind CSS v4 |
| State | Zustand 5 |
| Routing | React Router DOM v7 |
| Charts | Recharts |
| PDF Export | jsPDF + autoTable |
| Feedback | Formspree |
Because it’s fully static, you can deploy it anywhere (Vercel, Netlify, S3/CloudFront) or run it locally behind your firewall if you don’t want data leaving your environment at all.
A few security details worth calling out since this is a compliance tool and it should practise what it preaches:
- All `source_url` fields are validated to `https://` before rendering as links – no `javascript:` or `data:` URI injection risk
- CSV export strips leading `=`, `+`, `-`, `@` characters to prevent formula injection attacks
- A CSP meta tag is set in `index.html`
- No external data fetching at runtime except Formspree on feedback submit
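The first two checks in that list, sketched as an added example. This is not CloudComply's own code: `safeHref`, `csvCell`, `exportCsv`, `linkableIds` and the sample rows are hypothetical and constructed for illustration.

```typescript
// Added example, not CloudComply's code. All names and sample rows are constructed.
interface ControlRow { id: string; notes: string; source_url: string }

const SAMPLE: ControlRow[] = [
  { id: "EX-1", notes: "Enable audit logging", source_url: "https://docs.example.com/logging" },
  { id: "EX-2", notes: '=HYPERLINK("https://x.example","click")', source_url: "javascript:alert(1)" },
  { id: "EX-3", notes: "@SUM(A1:A9), see notes", source_url: "data:text/html,<b>x</b>" },
  { id: "EX-4", notes: "plain", source_url: "http://docs.example.com/plain" },
];

// Parse first, then compare the scheme: the URL parser lower-cases it and drops
// embedded tabs/newlines, so the check sees the same scheme the browser acts on.
function safeHref(raw: string): string | null {
  try {
    const url = new URL(raw.trim());
    return url.protocol === "https:" ? url.href : null;
  } catch {
    return null; // relative or malformed values are shown as text, not links
  }
}

// Strip the whole leading run of = + - @ (so "=+cmd" cannot leave "+cmd"),
// then apply normal CSV quoting for commas, quotes and line breaks.
function csvCell(value: string): string {
  const neutral = value.replace(/^[=+\-@]+/, "");
  return /[",\r\n]/.test(neutral) ? `"${neutral.replace(/"/g, '""')}"` : neutral;
}

function exportCsv(rows: ControlRow[]): string {
  const header = ["id", "notes", "source_url"].join(",");
  const body = rows.map((r) => [r.id, r.notes, r.source_url].map(csvCell).join(","));
  return [header, ...body].join("\r\n");
}

// Ids of the rows whose source_url would be rendered as a clickable link.
function linkableIds(rows: ControlRow[]): string[] {
  return rows.filter((r) => safeHref(r.source_url) !== null).map((r) => r.id);
}

console.log(linkableIds(SAMPLE));
console.log(exportCsv(SAMPLE));
```

Stripping is lossy for legitimate values that begin with one of those characters (for example `-5`); for columns that can hold such values, prefixing the cell with a single quote is the usual alternative.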
Built With Claude Code
I want to be honest about this because I think it’s genuinely useful context for anyone in the community exploring AI-assisted development.
This tool was built using Claude Code and the speed difference compared to traditional development (or even other vibe coding tools I’ve tried like Lovable) is significant. The data model alone, 780 dual-mapped control records across ISM and ISO 27001, each with AWS and Azure service mappings, coverage status, and remediation notes, would normally be a project in itself before you even touched the front end. But using Claude Code I have managed to build an initial version from idea to MVP in an hour and then tweaked with bug fixes, better UI/UX and additional features that took a couple of hours. Overall it was all done in 4 hours of effort.
Claude Code handled the architecture, the component structure, the filtering logic, the chart wiring, and a lot of the edge cases (the ISO deduplication logic in particular, which needed to collapse 780 records down to ~240 unique ISO controls without losing the underlying ISM mappings). What would have taken weeks took a fraction of that time. In addition to that, with integration of MCP servers like Playwright, I was able to perform UI/UX improvements and bug fixes in minutes which I would have been able to do without spending hours of UI/UX learning.
That said, it still required domain knowledge to drive it. Knowing what the tool needed to do, understanding the ISM structure, knowing what a compliance team actually needs from a gap analysis, none of that comes from the AI (at least inside this tool). The tool reflects decisions that came from working in this space. Claude Code just removed the friction of building it.
Get Started
The app is live at https://cloud-comply.vercel.app
The source code is at https://github.com/cybersecbalaji/cloud-comply
To run it locally:
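```bash
# Clone the repository and enter the project directory
git clone https://github.com/cybersecbalaji/cloud-comply
cd cloud-comply
# Install dependencies and start the Vite dev server
npm install
npm run dev
```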
It’s open source. If you work in an Australian organisation dealing with ISM or ISO 27001 compliance and you have suggestions, spotted a mapping that needs correcting, or want to contribute, add a comment below or raise an issue or a PR on GitHub.
