
Login system

ISOwl uses a hardcoded credential store — there is no backend authentication server, identity provider, or token exchange. Credentials are validated entirely in the browser against fixed values in the application state. This design makes ISOwl suitable as a self-contained demo or internal tool without any infrastructure dependencies.
Do not use ISOwl’s built-in credentials to protect sensitive production data. The login mechanism is not a substitute for a real authentication system.

Demo accounts

| Account | Email | Password | Role | Workspace |
| --- | --- | --- | --- | --- |
| Agency Admin | admin@agencia.com | admin123 | CISO | Agency + all client tenants |
| Client Owner | owner@cliente.com | cliente123 | OWNER | CLIENT_A only |
These are the only two accounts available by default. No user creation or password reset functionality exists.

Role-based access control

Every authenticated session has one of three roles. The role determines what actions a user can perform across all modules.
The CISO role has full administrative access.
| Capability | Access |
| --- | --- |
| View all modules and dashboards | Yes |
| Mark clause requirements as implemented | Yes |
| Evaluate and update Annex A controls | Yes |
| Add, edit, and delete assets | Yes |
| Create and update risks | Yes |
| Upload and delete evidence | Yes |
| Manage findings and improvement actions | Yes |
| Switch between client tenants | Yes |
| Access Clients Admin page | Yes |
| Export PDF reports | Yes |
The Agency Admin account (admin@agencia.com) is always assigned the CISO role.

Multi-tenant workspaces

ISOwl supports multiple isolated workspaces called tenants. Each tenant has its own ISMS data — clauses, controls, assets, risks, and evidence are completely separate between tenants. There are two types of tenants:
  • Agency workspace (AGENCY) — the consulting firm’s own internal ISMS. The Agency Admin lands here by default after login.
  • Client workspaces (CLIENT_A, and any dynamically created clients) — one isolated workspace per managed client.
Data written in one tenant is never visible in another.

How to switch tenants

Switching tenants is available only to users with the CISO role.
1. Open the Clients Admin page
   Navigate to Clients (/clients) in the sidebar. This page lists all client workspaces created in the agency.

2. Select a client
   Click on the client you want to manage. ISOwl switches the active tenant to that client’s workspace. The sidebar and all module data now reflect that client’s ISMS.

3. Return to the Agency workspace
   To switch back to the agency’s own ISMS, click the agency workspace entry on the Clients Admin page, or use any navigation link that returns you to the agency context.
The current active tenant is shown in the application header. Always verify the active tenant before making changes to avoid editing the wrong workspace.

How to log out

Click your user profile or the logout option in the application navigation. On logout, the session is cleared:
  • isAuthenticated is set to false
  • The active user and role are removed from state
  • The active tenant resets to AGENCY
You are redirected to the login screen. Workspace data stored in localStorage is not deleted on logout — it persists for the next session.

localStorage persistence

All ISMS data and session state are stored in localStorage under the key sgsi-storage.
Workspace data (clauses, controls, assets, risks, evidence) persists across logout and browser restarts. Only the active session (authenticated user, current role) is cleared on logout.
Clearing localStorage — via browser developer tools, a browser reset, or a privacy-clearing extension — permanently deletes all ISOwl data. This action cannot be undone. Export PDF reports regularly to preserve a record of your ISMS state.
No. localStorage is scoped to a single browser on a single device. Data is not synced across browsers, profiles, or machines.
Yes. Open your browser’s developer tools, go to Application > Local Storage, and find the sgsi-storage key. The value is a JSON object containing the full Zustand state tree.
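
The following is an added example, not ISOwl's own code: it parses the value stored under sgsi-storage, checks the logout behaviour described above, and produces a workspace-only backup with session fields stripped. It assumes Zustand's default persist envelope ({ state, version }); the field names user, role, activeTenant and tenants are assumptions, since only isAuthenticated is named on this page.

```javascript
// Session fields cleared on logout. Only `isAuthenticated` is named on this
// page; `user`, `role` and `activeTenant` are assumed field names.
const SESSION_KEYS = ["isAuthenticated", "user", "role", "activeTenant"];

// Parse the raw string stored under `sgsi-storage`. Zustand's persist
// middleware wraps the store as { state: {...}, version: n }.
function parsePersisted(raw) {
  let envelope;
  try {
    envelope = JSON.parse(raw);
  } catch (err) {
    throw new Error("sgsi-storage is not valid JSON: " + err.message);
  }
  if (!envelope || typeof envelope.state !== "object" || envelope.state === null) {
    throw new Error("sgsi-storage has no persisted state object");
  }
  return envelope.state;
}

// Return the logout invariants from this page that do NOT hold for `state`.
function checkLoggedOut(state) {
  const problems = [];
  if (state.isAuthenticated !== false) problems.push("isAuthenticated is not false");
  if (state.user != null) problems.push("user still present");
  if (state.role != null) problems.push("role still present");
  if (state.activeTenant !== "AGENCY") problems.push("active tenant is not AGENCY");
  return problems;
}

// Serialize everything except session fields, for an offline backup file.
function workspaceBackup(state) {
  const copy = {};
  for (const [key, value] of Object.entries(state)) {
    if (!SESSION_KEYS.includes(key)) copy[key] = value;
  }
  return JSON.stringify(copy, null, 2);
}

// Constructed sample: a persisted value as it might look right after logout.
const SAMPLE_RAW = JSON.stringify({
  state: {
    isAuthenticated: false, user: null, role: null, activeTenant: "AGENCY",
    tenants: { AGENCY: { assets: [{ id: 1, name: "Laptop" }] }, CLIENT_A: { assets: [] } },
  },
  version: 0,
});
const state = parsePersisted(SAMPLE_RAW);
console.log(checkLoggedOut(state), workspaceBackup(state));
```

In the browser, pass localStorage.getItem("sgsi-storage") to parsePersisted instead of the constructed sample.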
