Anyone who’s ever looked at ISO 27001 knows the feeling.
You download the standard, start reading… and after a few pages you think:
“Okay… but what does this actually mean in practice?”
That’s exactly where we found ourselves.
At SoftComply, we’re currently working toward ISO 27001 certification — not just because it’s required for Atlassian Gold and Platinum Partners but also because it’s an important trust signal for our customers.
We also wanted to prove that our Atlassian-native GRC solution supports ISO 27001 compliance.
So far, it’s done exactly that.
Watch our interview with Simon Gatto and Matteo Gubellini as they discuss SoftComply’s journey toward ISO 27001 certification, practical lessons learned, and why building an ISMS inside the Atlassian ecosystem has been the right choice for our team.
We Didn’t Want Another Compliance Tool
One question came up early:
Should we buy one of the popular standalone compliance platforms?
After looking at the options, our answer was simple.
Why leave Atlassian if all of our work already happens there?
Our code lives in Bitbucket.
Our documentation lives in Confluence.
Our teams work in Jira every day, and so do our assets and information security risks.
Adding another platform would mean another system to maintain, more integrations, more administration, and more places for information to become disconnected.
Instead, we decided to build our Information Security Management System (ISMS) where our team already works every day.
Less tool sprawl. More visibility. Better traceability.
Documentation Was the Easy Part…
ISO 27001 requires controlled documented information (clause 7.5).
In practice that means version history, approval records, and being able to demonstrate exactly who approved what and when; electronic signatures are one way of producing that evidence.
Fortunately, our Document Manager already supports those requirements.
The real challenge wasn’t writing documents.
It was making sure the documents actually reflected how the company works.
As Matteo Gubellini, SoftComply’s Chief Compliance Officer, explains, copying someone else’s procedures rarely works.
Every company operates differently, so your compliance system has to reflect your own processes, not somebody else’s template.
Then Came Risk Management…
This is where things became interesting.
Matteo has nearly two decades of experience with quality management and regulatory compliance across automotive, aerospace, and medical devices.
But information security risk management is different.
Instead of starting with threats or vulnerabilities, we started with something much more familiar:
Assets.
Hardware.
Software.
Information.
Services.
Once we had our assets documented in Jira Assets, building our first risk assessment became much easier. Later, we expanded into process-based risks and continue to refine the model as we learn more.
Forget Excel
Could you manage ISO 27001 in spreadsheets?
Of course.
Would you want to maintain it that way?
Probably not.
One of Matteo’s best observations during our interview was this:
- Paper is easy but impossible to maintain.
- Excel is better but quickly becomes unreliable.
- Jira takes more effort upfront but everything stays connected, traceable and maintainable in the long run.
Once your risks, assets, controls, and actions are linked together, updating your compliance program becomes dramatically easier.
New supplier?
Add it.
New vulnerability?
Assess it.
Need another control?
Open Risk Manager Plus and pick it from its ISO 27001 controls library.
Everything stays connected.
That’s almost impossible to achieve with disconnected spreadsheets.
AI Isn’t Running Our Compliance Program
Yes, we’re using AI.
No, we’re not asking AI to write our compliance system.
Instead, we’re using AI as a second pair of eyes.
Matteo even built a Rovo Agent whose only job is to review procedures and point out possible weaknesses.
It doesn’t make decisions.
It doesn’t approve policies.
It simply asks helpful questions that a human might have missed.
That’s probably one of the best uses of AI in compliance today.
Let humans make the decisions.
Let AI help find the gaps.
ISO 27001 Is Never “Finished”
One misconception about ISO 27001 is that certification is the finish line.
It isn’t.
It’s really the starting line.
After certification come:
- Internal audits
- Surveillance audits
- New suppliers
- New risks
- New technologies
- New policies
Your compliance system has to evolve continuously.
As Matteo puts it, it’s a bit like earning a Michelin star.
Getting it is difficult.
Keeping it is even harder.
The Biggest Lesson?
If Matteo could give one piece of advice to anyone starting ISO 27001, it would be this:
Start earlier than you think you need to.
Building procedures takes time.
Understanding the standard takes time.
Learning what auditors actually expect takes time.
And perhaps most importantly, you need time to make mistakes and improve.
Trying to rush ISO 27001 a month before your audit is almost guaranteed to create unnecessary stress.
Why We Chose an Atlassian-Native Approach
Looking back, using Jira and Confluence wasn’t just about convenience.
It meant that compliance became part of everyday work instead of something people only thought about before an audit.
Risks are managed where work happens.
Documents live where teams collaborate.
Actions become Jira issues.
Compliance stops being a yearly project and becomes part of the company’s operating system.
And that’s exactly how ISO 27001 is intended to work.
