5 Steps to Building an ISMS in Jira and Confluence

Today, every company faces a constant stream of threats, from ransomware and phishing to third-party vulnerabilities. In response, an increasing number of companies are standardizing their information security management efforts by following frameworks like ISO 27001 or SOC 2. These standards demand a core focus on continuous information security risk management, which includes identifying assets, assessing threats and vulnerabilities, and implementing controls.

But here’s the painful reality: in far too many companies, information security risks are still trapped in a static spreadsheet, completely disconnected from the actual workflows and projects of the organization.

The good news? You can transform this disconnected process into a living, compliant procedure by building your Information Security Management System (ISMS) right inside Jira and Confluence Cloud.


5 Step Workflow for Building an ISMS in Jira and Confluence

The ISMS workflow has five main steps that turn information security risk management into the central part of your overall ISMS process:


Step 1 – Define your risk model & asset-based risk register in Jira


To comply with ISO 27001 or SOC 2, you need to identify assets, link threats/vulnerabilities, assess risks, and define your risk acceptance criteria.

To do that, you will have to: 

  • Create a risk model in Jira: define your likelihood × impact matrix (for example a 5 × 5 grid), assign risk categories (Low, Medium, High) and specify how risk is quantified.
  • Create an asset-based risk register in Jira: a risk register where you identify and link assets → threats/vulnerabilities → controls → owners → mitigation timelines → current risk ratings.
  • Ensure your register supports iterations (e.g., initial assessment, residual risk after controls, review period) so you can track how risk evolves.

 

Benefit: Having this in Jira means your teams can identify assets, link risk items to assets, and assign controls (and owners) to them directly inside Jira to track their real-time status, rather than having it all buried in static spreadsheets. You can manage your InfoSec risks in Jira with the SoftComply Risk Manager Plus app.
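The risk model from Step 1 as an added Python example (not SoftComply's or Atlassian's code): a 5 × 5 likelihood × impact matrix, Low/Medium/High bands, an asset-based register row with initial and residual iterations, and the severity distribution that the Step 2 matrix view would report. The band thresholds, the acceptance criterion and the sample assets are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed assumptions for this example: band thresholds on the 1..25
# product and the acceptance criterion (ISO 27001 leaves both to you).
THRESHOLDS = ((4, "Low"), (12, "Medium"), (25, "High"))
ACCEPTABLE = "Low"

def score(likelihood: int, impact: int) -> int:
    # One cell of the 5 x 5 matrix, quantified as likelihood x impact.
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact

def category(value: int) -> str:
    """Map a score onto the Low / Medium / High bands."""
    for limit, name in THRESHOLDS:
        if value <= limit:
            return name
    raise ValueError(f"score {value} outside the matrix")

@dataclass
class RiskItem:
    # One register row: asset -> threat -> control -> owner, plus iterations.
    asset: str
    threat: str
    control: str
    owner: str
    iterations: list = field(default_factory=list)  # (label, score) in order
    def assess(self, label: str, likelihood: int, impact: int) -> None:
        self.iterations.append((label, score(likelihood, impact)))
    def current_score(self) -> int:
        return self.iterations[-1][1]  # latest iteration is the current rating
    def needs_treatment(self) -> bool:
        return category(self.current_score()) != ACCEPTABLE

def build_register() -> list:
    """Constructed sample register with an initial and a residual assessment."""
    vpn = RiskItem("VPN gateway", "Credential phishing", "MFA for remote access", "IT lead")
    vpn.assess("initial", likelihood=4, impact=5)       # 20 -> High
    vpn.assess("residual", likelihood=2, impact=5)      # 10 -> Medium, still open
    backups = RiskItem("Backup server", "Ransomware", "Offline weekly copies", "Ops lead")
    backups.assess("initial", likelihood=3, impact=5)   # 15 -> High
    backups.assess("residual", likelihood=1, impact=4)  #  4 -> Low, accepted
    return [vpn, backups]

def severity_distribution(register: list) -> dict:
    """Counts per current band, as the Step 2 risk-matrix macro would display."""
    counts = {name: 0 for _, name in THRESHOLDS}
    for item in register:
        counts[category(item.current_score())] += 1
    return counts
```

Because each iteration is kept rather than overwritten, the register can show how a risk evolved from initial to residual, which is what the review cycle in Step 5 asks for.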



Step 2 – Create dynamic risk reporting in Confluence


When your documentation (risk management plan, review minutes, risk reports, etc.) is stored in Confluence, you can easily visualize and include the latest risk models and risk registers in those Confluence pages.

How to do this:

  • Use Confluence macros that pull live risk model and risk register data from Jira.
  • For example: embed the risk-matrix view so that Confluence shows the current distribution of risks by severity, or embed the asset-based risk register so that Confluence lists identified assets, linked threats, their statuses and owners.
  • Make sure the team knows that while these dynamic elements are great for day-to-day visibility, they are not suitable for approved compliance documents, since the content keeps changing instead of staying frozen at the approved state.

 

Tip: Label Confluence pages clearly e.g. “Live risk dashboard” vs “Approved risk-register snapshot” so your team understands the use-case difference. You can create these Risk macros with the free SoftComply Risk Manager for Confluence app.



Step 3 – Create a static snapshot for your approved baseline


Compliance audits expect documentation that is frozen at the time of approval (you can’t keep editing the “approved” Risk Review document after you officially sign off).

How to do that: 

  • On the Confluence page that has your live risk model macro or risk table macro, generate a “static snapshot” (essentially a timestamped capture of the content) at the time of approval.
  • The snapshot is automatically saved in your snapshots library in Confluence. This becomes the official baseline for that point in time.

Tip: All snapshots are timestamped, versioned and stored in your Confluence to support traceability and audit-readiness. You can take snapshots of your dynamic macros with the SoftComply Static Snapshots app.


Step 4 – Build your controlled document in Confluence

Your ISMS will have a number of documents including the InfoSec Risk Management Plan, Risk Review Meeting Minutes, Statement of Applicability, etc. These documents must reflect the approved state of your information at the time of sign-off and be under version control.

How to best do that: 

  • Create your Risk Management Plan from an approved template that covers the scope, purpose, definitions, risk acceptability criteria (risk model setup), responsibilities, etc.
  • Insert the static snapshot from Step 3 as the embedded evidence of your risk model or register at approval time.
  • Ensure the document is stored in a controlled location (a Confluence space dedicated to draft ISMS documents, or a document-management app with audit logging).

 

Tip: Make sure to add the static macro (i.e. the static snapshot of the live macro) to your Confluence page before you route the document for approval. You can control your ISMS documents in Confluence with the SoftComply Document Manager app.



Step 5 – Route for review and approval


For compliance audits you need to demonstrate that documents and your ISMS processes are reviewed, approved by the relevant stakeholders and locked (no further changes) until the next revision.

How to do this: 

  • Use a ready-made workflow or build a new one (in SoftComply Document Manager app in Confluence) to route the document for review: assign reviewers and approvers, allow comments, track changes.
  • At approval time: capture sign-off (e-signature) and lock the document version.
  • Ensure the document is released to the organization and locked from further edits, and that it carries an audit trail: links to the live system in Jira, version history, reviewer comments and approval date.
  • For periodic reviews (monthly, quarterly) set up automation in the Asset-Based Risk Register in Jira to remind risk owners to repeat Steps 2–5: update the risk register in Jira during the review meeting, create the risk report (macro) in Confluence, take a static snapshot of the macro, add the static macro to your risk review meeting minutes in Confluence, and route them for approval.
(Figure: approved and released InfoSec Risk Review Meeting Minutes with the static snapshots of the Asset-Based Risk Register.)

Benefit: These approved risk review meeting minutes form a complete audit trail, providing continuous evidence of control, oversight, and accountability under ISO 27001 or SOC 2.

Each month/quarter, your organization can demonstrate that risks are being: 

  • Tracked systematically
  • Reviewed regularly
  • Mitigated appropriately
  • Documented with proper approvals

 

Every change gets documented and approved, creating the evidence auditors need to see.


Benefits of Building your ISMS in Jira and Confluence

The main benefit of building your ISMS in Jira and Confluence is that you can leverage your existing Atlassian Cloud tools and embed your ISMS where your teams already work, reducing “out-of-sync” silos.

Having live risk data in Jira also means better visibility, quicker updates and fewer spreadsheet bottlenecks.

The ability to separate your “live view” (always up-to-date Confluence macros) from your “approved baseline” (static snapshots of those macros) gives you a compliant, audit-ready trail.

When you manage your controlled documents compliantly with versioned snapshots you will have the necessary evidence for ISO 27001 or SOC 2 audits.

Finally, the same solution (risk model → live register → snapshot → document → approval) can be applied not just to information security but also to your other compliance frameworks, e.g. product risk, organizational risk, supplier/vendor risk, etc.

 


Best Practice Suggestions

It's best to start small: pick one compliance document (e.g., the Risk Management Plan) and apply this workflow. Once you’re comfortable, roll it out to quarterly risk reviews, audit reports, etc.

Make sure to train your team: explain the difference between “live dashboards” (for reviewing at meetings or live monitoring) and “approved documents” (for organizational use and audit evidence). Without that clarity you risk confusion or misuse.

Control your documents in a compliant document management solution for full traceability, version management and audit-readiness.

Make snapshot generation part of your standard process (e.g., capture a snapshot immediately after the monthly risk review meeting) so you have baselines from various points in time.

Consider automating reminders and review triggers in your asset-based risk register as your organisation grows or you handle multiple compliance frameworks.

 


Summary


By combining Jira to capture and manage risk data, Confluence to present live dashboards, and a controlled snapshot-approach for document approval, you create a transparent, auditable ISMS that lives with your team’s workflow rather than in a forgotten spreadsheet.

This isn’t just “compliance for compliance’s sake”: it helps operationalise risk management, make it visible, and make it owned.

If you’d like to see a detailed walkthrough of the solution and discuss how you can build up your ISMS in Jira and Confluence, please don't hesitate to contact our team at SoftComply.

This article was originally published in SoftComply blog.
