osm.dev · Open Standards

A framework, methodology, and toolset for aligning organisational governance, risk, compliance, IT operations, and business continuity into a single cohesive system.

Defined, Shared, and Codified

Automation scales safely only with a defined operating model.

Without a defined data and operating model, increasing automation, data flow, and AI utilisation can lead to:

  • 🔻 decreased efficiency
  • ⛔ inability to continuously improve
  • 🕳️ loss of organisational knowledge
  • 🧰 blind dependency on tools

Without a defined data and operating model, organisations fail to leverage the exponential growth in data ingestion, automation, and AI. Ever-increasing complexity—paired with reduced “in-the-loop” organisational knowledge—limits efficiency gains and can ultimately lead to failure.

An Ontology-driven Knowledge Graph (OKG) is a knowledge representation system where a formal ontology (defining concepts, relations, and rules) guides the construction, validation, and querying of a knowledge graph. Unlike data-only graphs, OKGs use an explicit semantic schema to ensure data consistency, enabling advanced AI reasoning and automated knowledge management.

— “An Ontology-driven Knowledge Graph (OKG) …” (ACM)

Primarily, OSM provides a flexible, extensible, open-source schema-as-code: schema.OSM, defined in alignment with industry standards. OSM addresses these failure modes by providing type safety for organisational management via an Ontology-driven Knowledge Graph (OKG):

  • Efficiency: typed entities/relationships reduce ambiguity and rework.
  • Continuous improvement: consistent semantics make performance measurable and comparable over time.
  • Knowledge retention: ontology + graph capture operating context as versioned, queryable knowledge.
  • Tool independence: automation/AI are schema-constrained; tools can change without losing meaning.
  • Controlled complexity: constraints/validation prevent inconsistent models from accumulating.
  • Safer AI use: explicit types/relations improve reasoning, traceability, and auditability.
What is OSM?

Automation-first. Standards-aligned. Yours to own.

Organisation Service Management (OSM) is an automation and configuration suite that integrates Governance, Risk & Compliance (GRC), IT operations, vendor management, and business continuity into a cohesive, auditable system.

Using a configuration-as-code approach, OSM ensures repeatability, auditability, and alignment to international standards — with full tenant ownership and no vendor lock-in.

  • Automates manual repetition across compliance, risk, and IT service management
  • Centralises and reconciles data from cloud, endpoint, and service providers
  • Provides executive visibility through structured, machine-readable reporting
  • Helps organisations evidence compliance and certification efficiently
  • Integrates with existing stacks — no displacement, no additional silos
Core Modules

The OSM Suite

Modular, interconnected components that address every layer of organisational governance and operations.

GRCosm ISO 27001

Information Security & Risk Management aligned to ISO/IEC 27001:2022 and ISO/IEC 27002:2022. Machine-readable risk registers, control frameworks, and Statement of Applicability generation.

Risk Register · Controls · SoA · Audit Trails

HRosm People

People, Roles, Training, and Competence Management. Tracks personnel roles, responsibilities, security awareness training records, and competence evidence against compliance requirements.

Roles & Responsibilities · Training Records · Competence

VLNosm Supply Chain

Vendor and Third-Party Management. Structured vendor registers, supplier risk assessments, contract tracking, and dependency mapping for supply chain security compliance.

Vendor Register · Risk Assessment · Contracts

CMosm Config

Configuration and Change Management. Asset configuration baseline tracking, change advisory workflows, CI/CD integration for configuration drift detection, and impact analysis.

CMDB · Change Advisory · Drift Detection

OSM Orchestrator Core

Central automation engine for scheduling, synchronisation, and disaster recovery support. Coordinates cross-module workflows, event-driven triggers, and multi-tenant data pipelines.

Automation · Scheduling · DR Support · Multi-tenant

BCMosm ISO 22301

Business Continuity Management aligned to ISO 22301:2019. Business impact analysis, recovery time objectives, continuity plans, and exercise tracking with automated evidence collection.

BIA · RTO/RPO · DR Plans · Exercises
Compliance

Supported Standards

OSM provides built-in schema mappings and control frameworks for leading international and Australian standards.

  • ISO/IEC 27001:2022 (Information Security Management Systems): Full ISMS framework alignment with Annex A controls, SoA generation, and risk treatment plans. Status: Fully Aligned
  • ISO/IEC 27002:2022 (Information Security Controls): Detailed control implementation guidance mapped to OSM control records and treatment schemas. Status: Fully Aligned
  • ISO 22301:2019 (Business Continuity Management): BCM program management, BIA, continuity plans, and exercise scheduling via BCMosm module. Status: Fully Aligned
  • ACSC ISM (Australian Govt Information Security Manual): ISM control mappings for Australian government uplift with PROTECTED baseline coverage. Status: Fully Aligned
  • ASD Essential Eight (Essential Eight Maturity Model): Maturity level tracking across all eight strategies with automated evidence collection and gap analysis. Status: Fully Aligned
  • SOC 2 Type II (Trust Service Criteria): Security, availability, and confidentiality criteria mapped to OSM control records for service organisations. Status: In Progress
  • NIST CSF 2.0 (Cybersecurity Framework): GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER function mappings with OSM schema integration. Status: In Progress
  • auDA Policy (auDA Registrar Compliance): Automated evidence and reporting for domain registrars under the .au Domain Administration policy framework. Status: Fully Aligned
Open Source

Public Repositories

Schemas, connectors, and tooling published under the OrganisationServiceManagement GitHub organisation.


More Information

Status and Updates

OSM HQ — Melbourne
Australia/Melbourne (AEST/AEDT)
Standards Coverage
  • ISO 27001: 96%
  • ACSC ISM: 91%
  • Essential Eight: 88%
  • ISO 22301: 82%
  • NIST CSF 2.0: 74%
OSM Schema — osm.dev

Machine-readable organisational management schemas.

Risks · Assets · Controls · Treatments · Policies · Objectives · Third-Parties · Audits · People · Vendors · Configuration Items · BCM Plans
Integration Ecosystem
Who is OSM for?

Built for Organisations like yours

SMB Technology Companies

Small to medium technology businesses without dedicated security or risk teams who need structured, affordable compliance without the enterprise price tag.

Service Providers & Registrars

Service providers and registrars under ISO 27001, ACSC ISM, or auDA compliance requirements who need automated evidence collection and ongoing compliance maintenance.

Organisations on Existing Tooling

Organisations already using Atlassian, Microsoft 365, AWS, Azure, PagerDuty, Tenable, or Intruder.io who need GRC capability that integrates rather than replaces.

Get in Touch

Start your OSM journey

Whether you need a compliance gap analysis, a GRC automation roadmap, or hands-on deployment support with an OSM Guardian consultant — we're here to help.

OSM Guardian Consulting — available through ZOAK Solutions for deployment, maintenance, and accreditation support.