When I joined my company I was told I would be in charge of their ISO 27001, which is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
That is quite a mouthful, but very important to get right, especially in the eyes of our customers who trust us with their data.
Okay I thought, I can do this, until I saw what it entailed - roughly 73 Microsoft Word documents of varying file sizes and page lengths, stored on a server somewhere. Each document was written for a corporate sized company, so would need to be amended specifically for our smaller company. Looking beyond the documents I saw a lot of problems especially around version control, document ownership, multiple people editing documents, the sharing nightmare that is email and file attachments, backups and auditing, not to mention how I could standardise fonts, headings, tables, paragraphs etc. Also some ISO pages were not for everyone, as some documents were for Management eyes only.
Confluence solved almost every single problem I predicted and I'll show you how I created the best automated report summary for both Management and myself as Information Security Manager.
First let me run through some of the benefits of using Confluence for this project:
Setting up the ISO pages:
Over a couple of months I imported all the ISO Word documents into Confluence and went about standardising the pages so that they looked and felt the same. I envisaged I would be creating further pages, so created two ISO templates, one for Management related ISO pages and one for everyone else.
On the Management summary report landing page I created a 'New ISO for management' button off the back of the ISO Management template. Below the button I wanted the report to show who had worked on the various ISO pages, when the work had taken place, what comments had been left, and whether any target dates or actions needed to be followed up.
The problem I encountered with the Management summary report:
Here is the solution in two parts.
Do let me know if you have any questions or comments, I would be happy to help out if you have something similar to tackle.
It seems like you need Comala apps (workflows + publishing) for document management workflows. We use it for medtech QMSs where we have similar requirements.
Thanks @MN for the mention and @Mike Bowen for explaining your process in this post and comment.
@Iz P the approach that @Mike Bowen explained is valid. If you wanted to automate notifying stakeholders of changes and getting authorisation, you could look at Comala Document Management on the Atlassian Marketplace (https://marketplace.atlassian.com/apps/142/comala-document-management?hosting=cloud&tab=overview). If you have any questions, please do not hesitate to contact me here or contact us via https://support.comalatech.com
All the best
Senior Product Manager
Hi @Iz P
Good timing with your question, as yesterday was our annual external ISO27001 audit, the second audit I've been involved in using the ISM system that I built in Confluence.
This was the second auditor who has seen my ISO system and was blown away by its features, efficiency, and having everything in one place.
The auditor wants to see that you have a handle on your documentation, and what better way to show them than an audit programme page with all your documents listed with document title, unique code, latest version, and the date the document was updated.
It rules out them asking you each time "Is this the latest version?".
No question is stupid...
RE: When changing the version, you must authorize the change and notify stakeholders. How did you handle it?
Yes, Confluence makes a new version for every change made, but so what? That is your ISMS strength.
How often really are you making minor changes to grammar?
In my hidden page properties section at the top, I or whoever has the ability to make changes must always add a comment when anything changes on the page. For example:
These page properties comments then update another page automatically with all the changes. I recommend our Stakeholders to watch this page as it is a high-level view of all the ISO documents in our system.
In our company, there is no need to let stakeholders know unless it is a major change to a process or protocol, in which case you would probably arrange a stakeholders' meeting at some point to discuss what is to be changed, add action notes and meeting minutes, and then go ahead and make the changes. This is all part of the ISMS, and you'll have procedure documents such as the Management Review Agenda that will highlight this.
Also, don't forget, every document in your ISMS will need to be audited internally and signed off, before your yearly external audit. These audits can be monthly/quarterly/yearly/you decide.
That is how I do it, and from the feedback from the external auditor yesterday, it is entirely up to you how you go about making the changes: document, improve and communicate the changes, and most importantly keep your information safe and secure.
I hope that helps.
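The audit programme page and the change-comment report described above are built in the post with Confluence's own macros, and that solution is not reproduced here. As an added illustration (not the poster's code), the following script shows the same two checks driven from Confluence page metadata instead: it lists every ISMS document with its title, unique code, latest version and last-updated date, flags versions that were saved without a change comment, and flags documents that have not been touched within the chosen review interval. The input shape assumed is that of a Confluence REST `content/search` response expanded with `version` and `metadata.labels`; the convention that the ISO document code lives in a page label prefixed `iso-` is an assumption for this example, and the sample response is constructed, not captured from a live instance.

```python
"""Added example: ISMS audit-programme summary from Confluence page metadata.

Not the original poster's solution (which uses Page Properties macros).
Assumptions:
  - input is a Confluence REST /rest/api/content/search result with
    `version` and `metadata.labels` expanded;
  - each document carries a label `iso-<code>` holding its unique code.
"""
from datetime import date, timedelta

# Constructed sample response (three pages, one saved without a change comment).
SAMPLE_RESPONSE = {
    "results": [
        {
            "id": "1001",
            "title": "Information Security Policy",
            "version": {"number": 7, "when": "2024-03-02T09:15:00.000Z",
                        "message": "Annual review; updated owner",
                        "by": {"displayName": "Mike"}},
            "metadata": {"labels": {"results": [{"name": "iso-a.5.1"},
                                                {"name": "management-only"}]}},
        },
        {
            "id": "1002",
            "title": "Access Control Procedure",
            "version": {"number": 3, "when": "2023-01-14T16:40:00.000Z",
                        "message": "", "by": {"displayName": "Sam"}},
            "metadata": {"labels": {"results": [{"name": "iso-a.9.1"}]}},
        },
        {
            "id": "1003",
            "title": "Supplier Security Agreement",
            "version": {"number": 2, "when": "2024-01-20T11:05:00.000Z",
                        "message": "Added data-processing clause",
                        "by": {"displayName": "Mike"}},
            "metadata": {"labels": {"results": [{"name": "iso-a.15.1"}]}},
        },
    ]
}


def document_code(page):
    """Return the ISO document code from the `iso-` label, or '' if absent."""
    labels = page.get("metadata", {}).get("labels", {}).get("results", [])
    for label in labels:
        if label["name"].startswith("iso-"):
            return label["name"][len("iso-"):].upper()
    return ""


def _code_sort_key(code):
    # Sort "A.5.1" before "A.15.1": compare numeric segments as integers.
    return tuple(int(p) if p.isdigit() else p for p in code.split("."))


def build_audit_programme(response):
    """One row per document: title, code, latest version, date, editor, comment."""
    rows = []
    for page in response["results"]:
        version = page["version"]
        rows.append({
            "title": page["title"],
            "code": document_code(page),
            "version": version["number"],
            "updated": version["when"][:10],  # ISO date part of the timestamp
            "updated_by": version["by"]["displayName"],
            "change_comment": (version.get("message") or "").strip(),
        })
    rows.sort(key=lambda r: _code_sort_key(r["code"]))
    return rows


def find_uncommented_changes(rows):
    """Titles whose latest version was saved with no change comment."""
    return [r["title"] for r in rows if not r["change_comment"]]


def stale_documents(rows, as_of, max_age_days=365):
    """Titles not updated within `max_age_days` of `as_of` (an ISO date string)."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_age_days)
    return [r["title"] for r in rows if date.fromisoformat(r["updated"]) < cutoff]


def render_table(rows):
    """Plain-text audit programme table suitable for pasting into a report."""
    header = f"{'Code':<8} {'Title':<32} {'Ver':>3} {'Updated':<10} {'By':<8} Comment"
    lines = [header, "-" * len(header)]
    for r in rows:
        lines.append(f"{r['code']:<8} {r['title']:<32} {r['version']:>3} "
                     f"{r['updated']:<10} {r['updated_by']:<8} "
                     f"{r['change_comment'] or '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    programme = build_audit_programme(SAMPLE_RESPONSE)
    print(render_table(programme))
    print("Versions without a change comment:", find_uncommented_changes(programme))
    print("Overdue for review:", stale_documents(programme, "2024-03-10"))
```

With a live instance the `SAMPLE_RESPONSE` dict would be replaced by the JSON returned for a CQL query such as `label = "iso-a.5.1" or space = "ISMS"`; the two flag lists are the items an internal audit would chase up before the external one.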
Hi @Mike Bowen, I'm really interested to know more about how to automate a page that summarises changes on other pages. I also need support related to the automation process for the ISO 27001 standard, in the Swedish language?
I appreciate your support.