Some background:
When I joined my company I was told I would be in charge of their ISO 27001, which is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
That is quite a mouthful, but very important to get right, especially in the eyes of our customers who trust us with their data.
Okay, I thought, I can do this, until I saw what it entailed - roughly 73 Microsoft Word documents of varying file sizes and page lengths, stored on a server somewhere. Each document was written for a corporate-sized company, so would need to be amended specifically for our smaller company. Looking beyond the documents, I saw a lot of problems, especially around version control, document ownership, multiple people editing documents, the sharing nightmare that is email and file attachments, backups and auditing, not to mention how I could standardise fonts, headings, tables, paragraphs etc. Also, some ISO pages were not for everyone, as some documents were for Management eyes only.
Hello Confluence:
Confluence solved almost every single problem I predicted and I'll show you how I created the best automated report summary for both Management and myself as Information Security Manager.
First let me run through some of the benefits of using Confluence for this project:
- All pages are on the cloud, which means they are easily accessible from any location without having to log into the company VPN or server.
- Pages can be easily shared with groups or individuals in your organisation.
- Pages can be easily linked to other pages through hyperlinks or anchors.
- Pages can contain videos, charts and images, which can in turn be clicked on.
- Groups or individuals can watch page(s).
- Groups or individuals can edit page(s) if they have permission.
- Pages can be easily restricted in a few clicks.
- Pages can be easily saved for later or saved in draft or published.
- If someone makes a mistake on a page, pages have version control and can be easily restored to previous versions.
- Pages can have inline comments making auditing a breeze.
- Pages can have comments added with mentions of names or groups making collaboration and communication a doddle.
- Pages have history showing everyone involved in the page.
- Pages can easily be converted to PDF or Word.
- Word Documents can easily be imported into Confluence.
- The WYSIWYG editor is a breeze to use and personally I find it a lot better than the Word ribbon.
- Confluence has a large macro base by default offering tons of useful features and it ties in wonderfully well with other Atlassian products such as Jira Service Desk or Jira Core, not to mention Trello boards.
Setting up the ISO pages:
Over a couple of months I imported all the ISO Word documents into Confluence and went about standardising the pages so that they looked and felt the same. I envisaged I would be creating further pages, so created two ISO templates, one for Management related ISO pages and one for everyone else.
On the Management summary report landing page I created a 'New ISO for management' button off the back of the ISO Management template. Below the button I wanted the report to show who had worked on the various ISO pages, when the work had taken place, what comments had been left and whether any target dates or actions needed to be followed up.
The problem I encountered with the Management summary report:
- How do I pull the title, version number, last updated by, updated date and comments into the report for each of the pages I wanted to display? This was a big problem. Not having a solution would mean the report would have to be a manual affair, and when there are 70+ documents this is a painful task, which I did for a couple of months. This was made worse if any of those documents were changed.
The solution:
Here is the solution in two parts.
- On the individual ISO pages:
  - Set up a Page Properties macro.
  - Set the macro to hidden.
  - In the window of the macro, create a table with as many rows as needed. In my example I've got eleven rows, and each row has one of the following headings: Title, Version, Audit Month, Auditor, Owner, Status, On Wiki, Restricted, Target Date, Comments and Updated Date.
  - Fill in the information for each row.
  - I instructed our three ISO page owners and auditors to update the 'comments' section within the hidden Page Properties macro if they made changes to the page.
  - Set a label for the page (in my example I used 'iso').
  - Publish the page.
- On the Summary Report Page for Management:
  - Set up a Page Properties Report macro.
  - Label = iso.
  - In space = Current space.
  - With parent = ISO for Management.
  - Under Options - columns to show I included all the row titles listed in step 1 (e.g. Title, Version, Audit Month, Auditor, Owner, Status, On Wiki, Restricted, Target Date, Comments, Updated Date).
  - Number of items to display = 99.
  - Sort by = Title.
  - Show comments count = checked.
  - Show likes count = checked.
  - Save the macro.
- The result is a Page Summary Report that is clean, orderly and most importantly "automated", which contains all the key information for management or whoever needs to quickly see what is going on. It is a thing of beauty.
Do let me know if you have any questions or comments, I would be happy to help out if you have something similar to tackle.
Mike
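The report described above is only as complete as the hidden Page Properties table on each page, so a check like the following can flag pages whose table lacks one of the eleven headings or has an empty value. This is an added example, not part of the original post; it assumes page bodies in Confluence storage format, where the Page Properties macro is stored as a `details` macro, and `audit_page`, `sample_page` and the sample body are constructed for illustration.

```python
from html.parser import HTMLParser

# The eleven row headings used in the post's Page Properties table.
REQUIRED = ["Title", "Version", "Audit Month", "Auditor", "Owner", "Status",
            "On Wiki", "Restricted", "Target Date", "Comments", "Updated Date"]

class PagePropertiesParser(HTMLParser):
    """Collect heading -> value pairs from tables inside 'details' macros."""
    def __init__(self):
        super().__init__()
        self.depth, self.cell, self.key = 0, None, None
        self.buf, self.props = [], {}

    def handle_starttag(self, tag, attrs):
        if tag == "ac:structured-macro":
            if self.depth or dict(attrs).get("ac:name") == "details":
                self.depth += 1          # inside (or nested in) Page Properties
        elif self.depth and tag in ("th", "td"):
            self.cell, self.buf = tag, []
        elif self.cell:
            # Dates and mentions are attribute-only elements; keep their values.
            self.buf.append(" ".join(v for _, v in attrs if v))

    def handle_endtag(self, tag):
        if tag == "ac:structured-macro" and self.depth:
            self.depth -= 1
        elif self.depth and tag == self.cell:
            text = " ".join("".join(self.buf).split())
            if tag == "th":
                self.key = text
            elif self.key is not None:
                self.props[self.key], self.key = text, None
            self.cell = None

    def handle_data(self, data):
        if self.cell:
            self.buf.append(data)

def audit_page(storage_xml):
    """Return (missing_headings, empty_headings) for one page body."""
    parser = PagePropertiesParser()
    parser.feed(storage_xml)
    missing = [h for h in REQUIRED if h not in parser.props]
    empty = [h for h in REQUIRED if parser.props.get(h) == ""]
    return missing, empty

def sample_page(values):
    rows = "".join(f"<tr><th>{k}</th><td>{v}</td></tr>" for k, v in values.items())
    return ('<ac:structured-macro ac:name="details">'  # constructed sample body
            '<ac:parameter ac:name="hidden">true</ac:parameter>'
            f"<ac:rich-text-body><table><tbody>{rows}</tbody></table>"
            "</ac:rich-text-body></ac:structured-macro><p>Policy text</p>")
```

Running `audit_page` over each page labelled 'iso' before an audit shows which rows would appear blank in the management report.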