Munimentx

Stand up and prove your automotive CSMS — 100% offline.

A self-contained Windows workbench that turns ISO/SAE 21434 Clause 5 and UN R155 into a living, audit-ready system of record — governance, work products, evidence and a one-click audit binder — without a cloud platform or a consulting engagement.

Your compliance data never leaves your machine. No cloud. No telemetry. No subscription.

Munimentx compliance dashboard — overall readiness, per-framework coverage and a ranked gap list

The problem

Every programme must operate a CSMS — and prove it on demand.

UN R155 and ISO/SAE 21434 Clause 5 require a working Cybersecurity Management System — policy, roles, managed processes, risk and supplier oversight, monitoring, incident handling, and a complete, traceable evidence trail. Today teams are stuck between three bad options:

Six-figure cloud GRC / vSOC

Capable, but priced for large OEMs — and they put your governance data and IP in someone else's cloud.

Spreadsheets & shared drives

Not built for 21434/R155 — coverage status is invisible, evidence is scattered, and every audit is a fire drill.

Consultants

Expensive — and the knowledge (and the living system) walks out the door when the engagement ends.

Meanwhile Tier-N suppliers, smaller OEMs and teams on air-gapped networks must produce the same audit-ready CSMS evidence — on a realistic budget, without sending their IP to the cloud. That gap is exactly where Munimentx sits.

Headstart — editable starter content mapped to the selected frameworks

What Munimentx is

The organisational cybersecurity lifecycle — as a guided desktop workbench.

A single-user Windows desktop application that implements the organisational CSMS as a guided workbench and produces the auditor-ready deliverables at the end. It runs 100% offline and stores everything locally in a project file you own.

  • Covers ISO/SAE 21434 Clause 5 (plus touch-points in 6/7/8/15) and UN R155 (CSMS).
  • Speaks UN R156, the EU Cyber Resilience Act, and ISO/DIS 24882 — switchable per organisation.
  • 100% offline — works on a machine that has never touched the internet.
  • Headstart seeds an editable starter library of controls, roles and a policy outline, pre-mapped to the clauses you select.

Capabilities

From governance to a hand-over binder — nothing left manual

Live readiness across frameworks

A real compliance-readiness score computed from your actual work products — per-clause, per-framework and overall — with complete / partial / missing coverage bars and a ranked gap list that deep-links to the work product resolving each clause.

The compliance spine

A register of Controls, Processes, Tools (with qualification confidence) and Competence — each mapped to the clauses it satisfies and backed by evidence. Plus Projects (Clause 6) and Suppliers (Clause 7 + R155 §7.2.2.5) with a dynamic RASIC split.

Governance & approval gating

A cybersecurity policy + objectives editor and a RASIC roles register. The operational areas unlock only once an approved policy and at least one approved role are in place — enforcing genuine segregation of duties.

Continual cybersecurity

An organisational cyber-risk register, monitoring sources & events, vulnerability management and incident handling — each feeding the live needs-attention signals so nothing falls through the cracks.

Audits & CAPA

Record internal/external audits and their findings, raise corrective actions with an owner, due date and status, track overdue items, and verify a CAPA — which auto-closes its finding and attaches the closure evidence.

Evidence vault & one-click binder

Attach evidence as files (copied into a project vault, SHA-256 hashed and re-verified on load) or notes. Export the Evidence Binder to Word and Excel in one click — approved registers, full logs and a clause-by-clause compliance matrix.

Baseline snapshots — see your drift

Capture a point-in-time baseline (e.g., a type-approval submission) and diff against it later to see exactly what changed: regressions, newly-covered or de-scoped clauses, and framework-scope changes.

Offline AI assistant

An on-device model (IBM Granite, Apache-2.0) drafts policy statements, CAPA actions, vulnerability analyses and rationale — every suggestion enters as an editable draft for the engineer to approve. No cloud, no data egress.

Inside Munimentx

See the system at work

Real screens from the workbench.

  • Governance — policy, objectives and the RASIC roles register with approval state
  • The compliance spine — controls mapped to framework clauses, backed by evidence
  • Control editor — clause mapping and supporting evidence in one place
  • Organisational cyber-risk register — inherent vs residual risk, treatment and status
  • Audits and CAPA — findings flow to corrective actions with owners and closing evidence
  • Evidence Binder — the audit-ready Word and Excel export with a clause-by-clause matrix
  • Baseline snapshot — capture a baseline and diff against it to see drift and regressions
  • Offline AI assistant — editable drafts for policy, CAPA and analysis with no data egress

Who it's for

Built for the whole supply chain

  • Tier-1 / Tier-2 / Tier-3 automotive suppliers that must operate and evidence a CSMS for OEM programmes.
  • Smaller & emerging OEMs that need UN R155 / ISO 21434 organisational readiness without an enterprise GRC spend.
  • Cybersecurity managers, GRC / compliance and quality teams who want the structure enforced and the binder generated — not hand-assembled.
  • Teams on air-gapped / restricted networks (defense-adjacent, IP-sensitive) that cannot use cloud tools.
  • Off-highway & agricultural machinery makers working to ISO/DIS 24882.

Why Munimentx

How it compares

Cloud GRC / vSOC | Spreadsheets / shared drives | Consultants | Munimentx
21434 §5 / R155 CSMS model built-in | n/a
Multi-framework (R156 / CRA / ISO 24882) | partial | depends
Live readiness % + gap analysis
Runs fully offline / air-gap | n/a
Your data stays on your machine
One-click auditor-ready binder
Affordable per-seat | ✗ ($100k–$2M/yr)
Knowledge / living system stays in-house | partial

The offline, affordable CSMS workbench that gets automotive teams ISO/SAE 21434 §5 + UN R155 audit-ready on their own machines — the governance, the evidence and the binder, without the cloud or the consultant.

Trust & security

Private by default — buyers will ask

100% offline

No account, no server, no online activation. The only network call is an optional one-time AI-model download, which you can do on a separate machine and copy across.

Hardened & sandboxed

The renderer is locked down (connect-src 'none'), sandboxed, and asar-packaged with Electron fuses — defence in depth around your data.

Zero telemetry

We collect nothing. Your CSMS is yours.

Your IP stays yours

Everything lives in a local project file you control; nothing is uploaded, ever.

Honest evidence

The binder lists approved work products and the complete operational log, and states completeness against the standards — it never claims to certify compliance.

Licensing that respects you (roadmap)

Per-seat / node-locked, with a graceful read-only fallback when a licence lapses — you can always open and export your existing work; never locked out of your own data.

Where this goes

Local, affordable, method-complete — private by default

Horizon 1 · now → next

The definitive offline CSMS workbench

Deepen the 21434 §5 / R155 core: richer framework packs and clause guidance, smarter Headstart libraries per industry, a stronger evidence binder, and an AI assistant that genuinely saves hours on policy, CAPA and analysis drafting.

Horizon 2

The two-tool suite (with TARAexl)

TARAexl proves the product; Munimentx proves the organisation. A shared on-disk AI model and consistent, auditor-ready binders make the pair the offline, affordable alternative to the six-figure cloud GRC platforms.

Horizon 3

The lifecycle, end to end, on your terms

A future on-premises multi-user edition (still 100% offline, on your own LAN) with segregation of duties and no data migration, and broader multi-framework coverage (ASPICE-for-Cybersecurity, ISO 27001) — your data never leaves your control.

What we'll deliberately never build: cloud monitoring / vSOC / telemetry ingestion, a SaaS collaboration portal, or anything that requires your governance data to leave your machine.

Stand up and prove your CSMS — on your own machine.

Start a 30-day trial or book a 20-minute walkthrough — and see a complete ISO/SAE 21434 §5 + UN R155 CSMS stood up offline, with a one-click audit binder at the end.