
How Atlassian uses Jira to manage risks and compliance obligations - Part 1

Who am I?

My name is Guy Herbert and I am part of the Risk and Compliance team at Atlassian.  I have been with Atlassian for about 5 years and have worked in Risk and Compliance for over 25 years.  George Totev is the head of our team and we have a great group of people that work to make Risk and Compliance a fun place to be.  Our team is pretty small (Brad Coons, Nick Deitz, Nick Miller and Raul Lucky) but we make up for that with enthusiasm and crazy ideas.  We all love talking about what we do and take great pride in the feedback we get from the teams that we support (they say that we are not as boring as they thought we would be).  

The background

At Atlassian we believe that information is better shared, and so our Governance, Risk and Compliance (GRC) tool is open to everyone.  We also believe that a GRC tool needs to be flexible enough to handle changes in our organisation without going back to the vendor to incorporate those changes.  When we first started to manage risk at Atlassian we looked at a few of the tools that were out there and they did not really do what we wanted - so we put our risks in Jira as a way to track them.  Our project has grown organically over time, adding new issuetypes as we realised that we needed to track something more, and we have changed our approach on some things as we have gone along.  Where we are now is pretty stable - we make minor changes to workflow - but nothing major.  

Two of the reasons that I love using Jira for Risk and Compliance management are that it is really flexible - I can ask our admin to make changes and they are able to do that - and that anyone can access the information - creating a filter is super easy, and putting that on a dashboard is a 5 minute task.   

This is a project in our existing Jira instance - it is likely to be a project in your existing Jira instance as well, rather than a new instance set up just for the GRC.  To avoid unintended consequences of field changes we use custom fields for some of the GRC specific information.  We try to use standard fields as much as possible because we can then take advantage of standard functionality - due date is a good example of this.  

What type of Project?

We use a service desk project. The reason was that we wanted to provide a service desk for anyone to be able to raise a risk and bring it to our attention.

Create the issuetypes

Within the project create each of the issuetypes:

  • Risk
  • Risk Driver
  • Policy
  • Standard
  • Control objective
  • Control activity
  • Control test
  • Finding
  • Remediation
  • Exception
  • Control activity performance
  • Documentation request

Create the custom fields

These are the fields that the GRC uses to hold information on each of the issue types.  There are quite a few, and some of them have lots of options, so I have put them in a jpeg to make them easy to access. 

[Images: GRC Fields (page 1), GRC Fields (page 2)]

Coming Next

Part 2 of this series covers the workflows that we use for each of the issuetypes.


Hope that you are enjoying the journey so far. We would love your feedback and questions in the comments below.
Are there definitions for each of the issue types and examples of what they translate to?

Guy Atlassian Team May 21, 2019

Part 2 has all the information about the fields, workflows etc.

Thanks for sharing, it was really helpful!! :) 

Hello Guy - would like to chat with you about using Jira as a GRC tool mostly for SOX purposes at this stage. How can I get in touch with you?

Guy Atlassian Team Jun 19, 2019

Nesia - absolutely - we love to share. Email me at

Hi Guy, would you be available to chat? I'd love to know more about how you & the team use JIRA as a GRC tool, the change management process, and Atlassian's Controls Framework. 



Hi Guy, looking at your control domains it looks like you used a tweaked version of ISO 27001 control domains. How did you arrive at this and did you map ISO to SOC 2 using the files produced by AICPA or with another method? 