A reference GitHub organization demonstrating ISO/IEC 27001:2022 source-control and change-management controls in working form.
This is a public sandbox. Real customer code does not live here. The purpose is to give engineers, auditors, and other ISO 27001-oriented organizations a complete, browsable example of:
- How GitHub organization and repository settings map to ISO 27001 Annex A controls.
- What artifacts an auditor should be able to ask for and where to find them.
- A repeatable bootstrap procedure that produces a compliant repository in one command.
| You're looking for… | Go here |
|---|---|
| The canonical template + all governance documentation | iso-compliant-main-only |
| A worked example of a repository created from the template | example-from-main-only-template |
| The org-wide profile and defaults | this repository |
| The full ISO 27001 control mapping | iso-27001-control-mapping.md |
| The audit evidence inventory | iso-27001-evidence-inventory.md |
| The replication checklist for your own org | iso-github-org-replication-checklist.md |
| What differs between this dummy org and a production org | dummy-vs-production-deltas.md |
| Branching, merge, signing, and release guidance | github-compliance-engineering-guidance.md |
| Bootstrap scripts | scripts/ |
| Repository | Purpose |
|---|---|
| iso-compliant-main-only | Canonical governance template. Holds the ISO 27001 control mapping, evidence inventory, replication checklist, dummy-vs-production deltas, engineering guidance, and bootstrap scripts. New ISO-compliant repos are created from this template. |
| example-from-main-only-template | Worked example: a repository created from the template above and bootstrapped to demonstrate the full set of applied controls (custom properties, labels, branch protection, required signed commits, Actions policy). |
| .github (this repo) | Org-wide profile and defaults. Holds the organization profile page (which you are reading now), default community-health files, and the SECURITY.md vulnerability disclosure policy. |
The following ISO 27001-aligned controls are currently active and demonstrable on the repositories above:
- Base repository permission `none`; access through teams only.
- Repository creation, public-repo creation, private-repo forking, Pages creation, and project creation disabled for members.
- GitHub Actions restricted to GitHub-owned actions only; verified-Marketplace actions disabled.
- Default `GITHUB_TOKEN` permission read-only; Actions cannot approve PRs.
- Custom properties (`iso_classification`, `repo_template`, `branching_strategy`) classify every repo.
- Branch protection on `main`: PR required, stale-review dismissal, last-push approval, conversation resolution required, force pushes blocked, deletion blocked, admin enforcement enabled, release-impact label required.
- Required signed commits on `main` of `iso-compliant-main-only` and `example-from-main-only-template`.
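The controls above are only evidence if someone checks them against what the API actually reports. The following is an added example, not one of this organization's bootstrap or evidence scripts: it compares constructed sample responses, shaped like the output of `GET /orgs/{org}`, `GET /orgs/{org}/actions/permissions/selected-actions`, `GET /orgs/{org}/actions/permissions/workflow` and `GET /repos/{owner}/{repo}/branches/{branch}/protection`, against the baseline listed on this page and reports every deviation. Member project creation and the release-impact label requirement are not covered because the page does not name the API surface that enforces them; the approving-reviewer count is left at the Free-plan value the deltas document describes.

```python
"""Offline baseline check for the org and branch-protection controls above.

Added example, not part of this organization's scripts. The sample responses
are constructed here in the shape the GitHub REST API returns; a real run
would feed the JSON from the corresponding API calls into the same functions.
"""
import copy

# Constructed sample responses, compliant with the baseline on this page.
ORG_SETTINGS = {
    "default_repository_permission": "none",
    "members_can_create_repositories": False,
    "members_can_create_public_repositories": False,
    "members_can_fork_private_repositories": False,
    "members_can_create_pages": False,
}
SELECTED_ACTIONS = {"github_owned_allowed": True, "verified_allowed": False, "patterns_allowed": []}
WORKFLOW_PERMISSIONS = {"default_workflow_permissions": "read", "can_approve_pull_request_reviews": False}
BRANCH_PROTECTION = {
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_last_push_approval": True,
        "required_approving_review_count": 0,  # Free-plan value; see the deltas document
    },
    "required_conversation_resolution": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_signatures": {"enabled": True},
}

# (dotted setting path, expected value). A missing key is a finding, because an
# absent protection block means the control is not configured at all.
ORG_BASELINE = [
    ("default_repository_permission", "none"),
    ("members_can_create_repositories", False),
    ("members_can_create_public_repositories", False),
    ("members_can_fork_private_repositories", False),
    ("members_can_create_pages", False),
]
ACTIONS_BASELINE = [("github_owned_allowed", True), ("verified_allowed", False)]
WORKFLOW_BASELINE = [("default_workflow_permissions", "read"),
                     ("can_approve_pull_request_reviews", False)]
BRANCH_BASELINE = [
    ("enforce_admins.enabled", True),
    ("required_pull_request_reviews.dismiss_stale_reviews", True),
    ("required_pull_request_reviews.require_last_push_approval", True),
    ("required_conversation_resolution.enabled", True),
    ("allow_force_pushes.enabled", False),
    ("allow_deletions.enabled", False),
    ("required_signatures.enabled", True),
]


def lookup(response, path):
    """Walk a dotted path through a JSON object; None if any key is missing."""
    node = response
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def compare(response, baseline, scope):
    """Return one finding string per setting that deviates from the baseline."""
    findings = []
    for path, expected in baseline:
        actual = lookup(response, path)
        if actual != expected:
            findings.append(f"{scope}: {path} is {actual!r}, expected {expected!r}")
    return findings


def audit_org(org_settings, selected_actions, workflow_permissions):
    """Findings for the organization-level controls (empty list = compliant)."""
    return (compare(org_settings, ORG_BASELINE, "org")
            + compare(selected_actions, ACTIONS_BASELINE, "actions")
            + compare(workflow_permissions, WORKFLOW_BASELINE, "workflow"))


def audit_branch(protection):
    """Findings for the protection of the main branch (empty list = compliant)."""
    return compare(protection, BRANCH_BASELINE, "main")


def drifted_branch_protection():
    """Constructed drift case: force pushes re-enabled, signatures block gone."""
    drift = copy.deepcopy(BRANCH_PROTECTION)
    drift["allow_force_pushes"]["enabled"] = True
    del drift["required_signatures"]
    return drift


if __name__ == "__main__":
    for line in audit_org(ORG_SETTINGS, SELECTED_ACTIONS, WORKFLOW_PERMISSIONS) + audit_branch(BRANCH_PROTECTION):
        print(line)
    print("-- drifted copy --")
    for line in audit_branch(drifted_branch_protection()):
        print(line)
```

Each finding names the scope, the setting path and both values, which is the form an auditor can file alongside the raw API response as evidence of a control test rather than a bare pass/fail.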
Controls expected in a production GitHub Team org but not active in this Free-plan dummy org (2FA enforcement, organization rulesets, default secret scanning across new repos, 1+ approving reviewer) are enumerated in dummy-vs-production-deltas.md. The same document gives the exact API call or UI step to enable each one.
- Read `iso-github-org-replication-checklist.md` end-to-end.
- Apply the org policy baseline: `scripts/bootstrap-org-policies.sh ORG`.
- Apply the org rulesets from `.github/examples/` (GitHub Team plan or higher).
- Create new repositories from the `iso-compliant-main-only` template.
- Bootstrap each new repository: `scripts/bootstrap-main-only-repo.sh ORG/REPO`.
- Run `scripts/collect-audit-evidence.sh ORG ./evidence/<quarter>` quarterly.
- Close every item in `dummy-vs-production-deltas.md`.
See SECURITY.md for the vulnerability disclosure procedure.
The contents of this organization are provided as a reference. Adopt them, adapt them, copy them. The configuration is documented for replication, not for running production workloads here.