Managing ISO 27001 compliance is no small task. Between policies, risks, incidents, supplier reviews, and audit evidence, it’s easy for things to become fragmented and overwhelming. When I saw a Reddit post asking “What are your must-have tools for staying organized in GRC?” it made me reflect on my own approach.
I’ve built my ISO 27001 program around the Atlassian ecosystem. Confluence, Jira, Assets, and Jira Service Management have become the backbone of how I keep my ISMS organised, traceable, and always ready for audits.
Volume & variety: ISO 27001 requires documentation across policies, controls, risk registers, incidents, supplier reviews, and evidence. These all live in different formats.
Cross-team collaboration: Legal, SecOps, Engineering, HR, and Finance all have roles to play.
Audit pressure: Proving traceability (e.g., showing a control links to risks, policies, and evidence) is just as important as doing the work.
Without a structured system, things slip through the cracks, and in ISO 27001, that means nonconformities.
1. Confluence for Documentation & Evidence
Confluence is my “single source of truth” for all ISMS documentation. I use it to:
Maintain policies and procedures with workflows (Draft → Review → Approved → Expired).
Map every ISO 27001 control to its related policy, evidence, and Jira task.
Store playbooks for recurring processes like incident response or supplier onboarding.
Track version history and approval trails directly on the page.
(New) Confluence Databases: These are game-changers for registers like risks and suppliers, or even your Statement of Applicability, because they allow dynamic filtering and linking to Jira issues or Confluence pages from within the database.
Auditors love this because everything is consistent, traceable, and easy to navigate.
2. Jira for Risks, Tasks & Audits
Jira is where the “moving parts” of ISO 27001 live. It gives me a structured way to ensure accountability and follow-through:
Risk Register: Each risk is a Jira issue linked to treatment plans, owners, and review cycles.
Audits & Reviews: Internal and external audits are logged as Jira tasks with findings, remediation, and closure tracking.
Automation reduces manual follow-ups. For example, Jira can automatically notify system owners when a quarterly user access review is due.
3. Jira Assets for Relationships & Registers
Assets (formerly Insight) replaces messy spreadsheets with a relational database for ISO 27001 compliance:
Access Management: A direct relationship between employees and applications, so knowing which applications each user has access to is easy to track.
Employee records: Stored in Assets and linked to the applications they can access. This makes onboarding/offboarding and quarterly access reviews seamless.
With Assets, I always have a live picture of dependencies and risks, not a stale spreadsheet.
4. Jira Service Management for HR Onboarding & Offboarding
ISO 27001 emphasises secure access lifecycle management. JSM helps with:
Onboarding: New joiners’ access requests tracked with approvals from HR, managers, and SecOps.
Offboarding: Leaver processes ensure timely revocation of accounts.
Integration with Assets: Requests automatically update the employee → system relationship.
5. Automation & Integrations
ISO 27001 demands consistency, and automation enforces it:
• Automations: For example, when we need to perform quarterly user access reviews, Jira automatically creates a task for each of the system owners to review.
• Integrations: Linking Atlassian to Slack/Teams for notifications, and to Google Workspace for evidence storage.
• Dashboards: Real-time GRC scorecards to present at management reviews.
6. Lessons Learned
Centralize tasks in Jira. If it’s not in Jira, it’s not happening. Risks, audits, and action items must all have tickets, otherwise they get lost in inboxes or spreadsheets.
Don’t overcomplicate workflows early. Start with simple Jira workflows, then iterate.
Make ownership visible. Every ISO 27001 control, policy, or risk must have a clear owner.
Automate reminders. The less manual chasing, the stronger your ISMS.
Think like an auditor. Build your Atlassian setup so evidence, traceability, and approvals are just a click away.
ISO 27001 is all about structure, accountability, and evidence. For me, Atlassian has been the most effective way to keep my ISMS organized and audit-ready. Confluence handles policies and evidence, Jira manages risks and incidents, Assets maintains registers, and Jira Service Management enforces access controls during onboarding/offboarding.
If you’re working toward ISO 27001 or looking to strengthen your ISMS, I’d highly recommend exploring how Atlassian can serve as your backbone. And if you’d like me to share a deep dive into a specific use case (like supplier reviews, access control, or internal audits), let me know and I’d be happy to expand on it.
Kind regards,
Fabio Cerullo
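The quarterly user access review automation from section 5, as an added example that is not the author's own rule (the post describes a Jira Automation rule; this models the same logic in Python against the Jira Cloud REST API v3). The project key ISMS, the system/owner register and the account IDs are constructed placeholders.

```python
import datetime as dt
import json
import urllib.request

# Constructed sample register, standing in for the Assets "system -> owner" objects.
SYSTEM_OWNERS = [
    {"system": "HR Portal", "owner_account_id": "ACCOUNT-ID-PLACEHOLDER-1"},
    {"system": "Code Repository", "owner_account_id": "ACCOUNT-ID-PLACEHOLDER-2"},
    {"system": "Billing DB", "owner_account_id": "ACCOUNT-ID-PLACEHOLDER-1"},
]

def quarter_of(iso_date):
    """Return (year, quarter, last day of that quarter as an ISO date string)."""
    d = dt.date.fromisoformat(iso_date)
    q = (d.month - 1) // 3 + 1
    end_month = q * 3
    if end_month == 12:
        last = dt.date(d.year, 12, 31)
    else:  # first day of the following month, minus one day
        last = dt.date(d.year, end_month + 1, 1) - dt.timedelta(days=1)
    return d.year, q, last.isoformat()

def build_review_payloads(register, today_iso, project_key="ISMS"):
    """One Jira Task per system, assigned to its owner, due at quarter end.
    The quarter label lets a JQL check skip re-creation if the rule reruns."""
    year, q, due = quarter_of(today_iso)
    label = f"uar-{year}-Q{q}"
    payloads = [{"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Task"},
        "summary": f"Q{q} {year} user access review: {row['system']}",
        "assignee": {"accountId": row["owner_account_id"]},
        "duedate": due,
        "labels": [label, "access-review"],
    }} for row in register]
    return label, payloads

def dedup_jql(label, project_key="ISMS"):
    """JQL to run before creating tasks: any hit means this quarter is already open."""
    return f'project = {project_key} AND labels = "{label}"'

def create_issue(base_url, auth_header, payload):
    """POST /rest/api/3/issue on Jira Cloud and return the new issue key.
    Network call, not exercised offline; base_url and auth_header are assumed inputs."""
    req = urllib.request.Request(
        f"{base_url}/rest/api/3/issue", data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": auth_header, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["key"]
```

Run `dedup_jql` through your JQL search first, and only call `create_issue` for each payload when it returns no issues, so a rerun of the rule never produces duplicate review tasks.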
Hi Julie,
Managing policy approvals in Confluence can be done in two main ways, depending on how much structure (and budget) you want:
1. Using a Third-Party App (e.g. Comala Document Management, but there are others in the Atlassian Marketplace)
Features: Built-in workflows for Draft > Review > Approved > Expired.
Notifications & Approvals: Reviewers get notified, can approve/reject, and all decisions are logged.
Expiration: You can set review cycles so policies automatically move to Expired if untouched.
Audit Trail: Provides a clear log of who approved what and when, very handy during ISO 27001 audits.
Publishing: Comala (and similar apps) also let you publish policies into a dedicated read-only space, so employees only see the latest approved version.
Trade-off: It’s paid, so you need to budget for licenses.
2. Using Native Confluence + Jira Workflows
Linked Jira Issues: For each policy, create a Jira issue (e.g., “Review Policy: Access Control”).
Workflow States: Use a Jira workflow with statuses like Draft, In Review, Approved, Expired.
Approvals: Assign the issue to reviewers for sign-off, and link the issue back to the Confluence page.
Confluence Database: You could view the status of all your risks using a Confluence Database by linking the Confluence pages and Jira tickets.
Automation: Jira automation can update the Confluence page label or status field once the Jira ticket moves to Approved.
Notifications: Jira reminders ensure reviewers don’t miss deadlines (you can even auto-escalate overdue reviews).
Read-Only Access: As with Comala, you still need to lock down Confluence space permissions or publish approved versions into a dedicated read-only space.
Trade-off: No license cost, more configuration effort, but you get Jira’s built-in accountability and audit trail.
Hope that helps :-)
Fabio
Thank you for the idea! I think more or less I am heading to the 2nd option.
I have a board with the Policies status and automation in Jira tickets, but those ideas regarding Confluence are good; maybe I can combine them and be a bit more creative there.
I tested Comala, and it was not the ideal tool. I will have a look into Trade-off.
Thank you so much!
Hi,
Thanks for sharing your approach—really practical and encouraging to see how you’ve built a full compliance workflow with Atlassian tools!
Using Confluence for clear, traceable documentation and Jira to manage moving parts like risks, audits, and action items is a smart strategy. I especially like your points about not overcomplicating things early, making ownership visible, and leaning on automation for reminders. It’s great how your setup centralizes tasks and keeps everything audit-ready.
Your use of Assets and Jira Service Management adds an extra layer of structure for access control and HR processes, which is so crucial for ISO 27001.
I’m curious to learn more about how you handle supplier reviews or internal audits—if you’re open to sharing more details, that’d be super helpful!
Thanks again for the insights—very inspiring for anyone building their ISMS with Atlassian.
Hi Ashu,
Thanks for the feedback! For supplier reviews I use a Confluence Database as the central register where all suppliers are listed. Each supplier entry is linked to Jira tickets, which I use to track activities such as filling in missing information, annual reviews, and follow-up actions. That way, the database gives me a structured overview, while Jira ensures accountability, reminders, and a clear audit trail.
For internal audits, I maintain a dedicated Jira board for audit findings and risks. Each finding or risk becomes an issue in Jira, where I assign ownership to the person responsible for remediating it. This makes responsibilities crystal clear and provides an audit-ready record of progress and resolution.
Kind regards,
Fabio
Hi @fcerullocx
Thanks for sharing your insights!
Like @ashu patel, I’d also be interested in how you're sharing your ISMS content with your auditor.
Do you grant them access to your Confluence system (e.g. as guests), publish the content to an external (protected) site (e.g. using Scroll Viewport), or export it as a PDF (e.g. using Scroll PDF Exporter) to send over?
I’d love to better understand that part of the process, as we're continually working to improve how our apps support external content sharing.
Cheers,
Nils
Hi Nils,
Good question! In my case, I usually export the Confluence docs as PDFs or simply share my screen with the auditor during the review. I’ve never granted auditors direct guest access to our Atlassian space, mainly because of the risk of exposing more than intended. That said, it’s potentially doable if you set up very strict space/page-level permissions, but so far I’ve found PDF export and screen sharing to be the simplest and safest approaches.
Fabio