Stop Juggling Spreadsheets! Build Your ISO 27001 or SOC 2 ISMS Right Inside Jira and Confluence

November 9, 2025

Is your organization struggling to keep up with crucial information security (InfoSec) management requirements?

Today, every company faces a constant stream of threats, from ransomware and phishing to third-party vulnerabilities. In response, an increasing number of companies are standardizing their InfoSec efforts by following frameworks like ISO 27001 or SOC 2. These standards demand a core focus on continuous risk management, which includes identifying assets, assessing threats and vulnerabilities, and implementing controls.

But here’s the painful reality: in far too many companies, information security risks are still trapped in a static spreadsheet, completely disconnected from the actual workflows and projects of the organization.

The good news? You can transform this disconnected process into a living, compliant procedure by building your Information Security Management System (ISMS) right inside Jira and Confluence Cloud.

5 Steps to Build ISMS in Jira and Confluence

The ISMS workflow has five main steps that make your information security risk management part of your overall ISMS process:

Step 1: Create your risk model and risk register in Jira using the SoftComply Risk Manager Plus app

Step 2: Generate dynamic risk reports in Confluence with Confluence macros that automatically update

Step 3: Take static snapshots of the Risk Report macros using the SoftComply Static Snapshots app

Step 4: Create your Risk Documents in SoftComply Document Manager app and add the snapshot of the risk macro in the document

Step 5: Route the Risk Document for approval in the SoftComply Document Manager app.

This approach gives you the best of both worlds – dynamic updates for daily work in Jira and static baselines for your meeting minutes and reports in Confluence.

Below are two examples that follow the five-step ISMS workflow.

In the first example, we will create and approve an information security risk management plan in Confluence that includes a static ISO 27001 risk model setup from Jira.

In the second example, we will create and approve monthly Risk Review Meeting Notes in Confluence that include a static Asset-Based Risk Register from Jira.

Example 1: Creating and Approving your Information Security Risk Management Plan

In this example, we are going to create and approve a risk management plan for information security risks.

Step 1: Create Your Risk Model in Jira

Every risk management project starts with a risk model. This defines your risk acceptability criteria – basically, which risks you can tolerate and which ones are critical and need immediate control.

The Risk Manager Plus app comes with templates for risk models and registers. For ISO 27001 compliance, you’ll have a risk model set up for you that you can further customize:

Risk Iterations Setup

  • Initial risk iteration: First assessment when you identify the risk (no controls implemented yet)
  • Current risk iteration: Assessment after controls are assigned and implemented

Risk Parameters Configuration

The classic 5×5 risk matrix uses two characteristics:

  • Consequences (or impact): Five levels from minimal to catastrophic
  • Likelihood (or probability): Five levels from rare to almost certain

Risk Levels

You can customize the descriptions, colors, and number of risk levels (low, medium, high) to match your organization’s needs. 

The matrix helps you determine how a risk with a certain likelihood and impact is categorized, e.g. a risk with “possible likelihood” and “major consequence” should be classified as a high risk.

Once your Risk Model is ready, you can assign it to the Jira project and its risk register where you manage your information security risks.
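To make the risk model concrete, here is an added example (not SoftComply's code and not the app's data model) of the 5×5 matrix with initial and current iterations and an acceptability check; the intermediate level names, the scoring thresholds and the issue keys are assumptions.

```python
from dataclasses import dataclass, field

# "minimal", "major", "catastrophic", "rare", "possible" and "almost certain"
# are named in the text; the other level names and thresholds are assumptions.
CONSEQUENCE = ["minimal", "minor", "moderate", "major", "catastrophic"]
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
ITERATIONS = ("initial", "current")      # before / after controls
NEEDS_CONTROL = {"high"}                 # assumed acceptability criterion

def classify(likelihood: str, consequence: str) -> str:
    """Map one cell of the 5x5 matrix to a risk level (assumed thresholds)."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"unknown scale value: {likelihood!r}/{consequence!r}")
    score = (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)
    return "high" if score >= 10 else "medium" if score >= 5 else "low"

@dataclass
class Risk:
    key: str                 # constructed; would be the Jira issue key
    asset: str
    threat: str
    assessments: dict = field(default_factory=dict)   # iteration -> (L, C)

    def assess(self, iteration: str, likelihood: str, consequence: str) -> str:
        if iteration not in ITERATIONS:
            raise ValueError(f"unknown iteration {iteration!r}")
        level = classify(likelihood, consequence)     # validates the scales
        self.assessments[iteration] = (likelihood, consequence)
        return level

    def level(self, iteration: str) -> str:
        return classify(*self.assessments[iteration])

    def effective_level(self) -> str:
        # Current iteration once controls have been assessed, else initial.
        return self.level("current" if "current" in self.assessments else "initial")

def needs_control(risks: list) -> list:
    """Keys of risks whose latest assessment is not tolerated."""
    return [r.key for r in risks if r.effective_level() in NEEDS_CONTROL]

def demo_register() -> list:
    """Constructed sample register: one treated risk, one still untreated."""
    r1 = Risk("ISMS-1", "customer database", "ransomware")
    r1.assess("initial", "possible", "major")     # high, as in the text
    r1.assess("current", "unlikely", "major")     # after backups + EDR: medium
    r2 = Risk("ISMS-2", "HR laptop", "theft")
    r2.assess("initial", "possible", "major")     # high, no control yet
    return [r1, r2]
```

The "possible" × "major" cell lands in "high", matching the classification given above; the current iteration of ISMS-1 drops to "medium" once its controls are assessed, so only ISMS-2 is reported as still needing control.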

Step 2: Set Up Dynamic Risk Reports in Confluence

Once your risk model is ready, you’ll want to display it in Confluence where you keep your Risk Management Plan document. The magic happens with Confluence macros that pull live data from Jira.

This macro (Risk Matrix Macro) displays your risk model setup dynamically. Every change you make in Jira automatically appears in Confluence – no manual updates needed.

This macro shows your risk parameters and risk classes with their names and descriptions.

The dynamic nature of Confluence macros is amazing for daily operations, but it creates a problem when you need approved documentation for compliance.

Step 3: Create a Static Snapshot for your Approved Risk Plan

Here’s where the SoftComply Static Snapshots app becomes essential. When you need to approve a document, you can’t have the content of the document changing after the approval.

The process is straightforward:

  • Navigate to your Confluence page of the dynamic InfoSec Risk Model macro

  • Use the Static Snapshots app to capture the current state

  • The snapshot gets timestamped and stored in your snapshots library

Step 4: Add the Static Snapshot of the Risk Matrix to your Risk Management Plan in Confluence

When creating formal documents like risk management plans or risk reports, you can insert the static snapshot into the document instead of the dynamic macro. This ensures that the approved content never changes.

Using the SoftComply Document Manager, you can create properly controlled documents:

  • Create a new document using an approved template

  • Add the static snapshot of your risk model

  • Include scope, purpose, and responsibilities in the Risk Plan

Step 5: Route Risk Plan for Review and Approval with Electronic Signatures

Now that the Risk Management Plan includes the static snapshot of the Risk Matrix, you can route the document for review and approval in SoftComply Document Manager.

Once the risk plan is approved, the document gets locked – no one can edit it after release, maintaining document integrity for compliance.

And this is how you can build your information security risk management plan in Jira and approve it in Confluence.

Example 2: Creating and Approving your Monthly Information Security Risk Reviews

Information security risks change constantly.

Most companies conduct monthly or quarterly risk reviews where teams:

  • Review current risk status

  • Identify new assets and threats

  • Assign risk owners

  • Plan control implementation

In this example, we are going to create and approve information security risk review meeting minutes.

Step 1: Create Your Asset-Based Risk Register in Jira

In Jira, you can work with your assets and risks in a table that looks a lot like a spreadsheet but actually sits inside your Jira project. During the risk review meeting, you identify new assets, analyse the possible threats to them, and plan controls and responsibilities for each.

You can do all that directly in the table view of the SoftComply Risk Manager Plus app in Jira:

  • Identify assets and link them to threats
  • Assign controls and owners
  • Assess risk levels using your established model
  • Track implementation progress

Step 2: Set Up Dynamic Risk Register in Confluence

Once your risk review meeting is over, you want to document the meeting minutes and approve them with your team. For that, you will first need to pull the latest risk register from Jira to Confluence – you can do that with Confluence macros.

This macro (Risk Table Macro) displays your risk table dynamically. Every change you make in Jira automatically appears in Confluence – no manual updates needed.

This macro mirrors your asset-based risk register from Jira.

The dynamic nature of Confluence macros is amazing for daily operations, but it creates a problem when you need approved documentation for compliance.

Step 3: Create a Static Snapshot for your Approved Risk Review

Here’s where the SoftComply Static Snapshots app becomes essential. When you need to approve a document, you can’t have the content of the document changing after the approval.

The process is straightforward:

  • Navigate to your Confluence page of the dynamic InfoSec Risk Register macro

  • Use the Static Snapshots app to capture the current state

  • The snapshot gets timestamped and stored in your snapshots library

This creates an audit trail showing exactly what was reviewed and approved at each meeting.

Step 4: Add the Static Snapshot of the Risk Table to your Risk Review in Confluence

When creating formal documents like risk review meeting minutes, you can insert the static snapshot into the document instead of the dynamic macro. This ensures that the approved content never changes.

Using the SoftComply Document Manager, you can create properly controlled documents:

  • Create a new document using an approved template

  • Add the static snapshot of your risk table

  • Include scope, purpose, responsibilities, an overview of the review meeting and the agreed actions in the Risk Review Meeting Minutes

Step 5: Route the Risk Review for Review and Approval with Electronic Signatures

Now that the Risk Review Meeting Minutes includes the static snapshot of the Risk Table, you can route the document for review and approval in SoftComply Document Manager.

Once the risk review has been approved, the document gets locked – no one can edit it after release, maintaining document integrity for compliance.

The Complete Audit Trail

These approved risk review meeting minutes form a complete audit trail, providing continuous evidence of control, oversight, and accountability under ISO 27001 or SOC 2.

Each month, your organization can demonstrate that risks are being:

  • Tracked systematically

  • Reviewed regularly

  • Mitigated appropriately

  • Documented with proper approvals

Every change gets documented and approved, creating the evidence auditors need to see.

Why This Approach Works

With SoftComply Risk Manager Plus and Document Manager, your information security risk management becomes a living procedure that’s always up-to-date and always compliant. From defining risks in Jira to approving meeting minutes in Confluence, everything happens on the cloud platform your teams already use.

You can apply the same approach for:

  • Project risks

  • Product risks

  • Organizational risks

  • Any compliance framework requiring documented risk management

The system scales with your organization while maintaining the rigor compliance frameworks demand.

Ready to get started? Check out SoftComply solutions for compliance management and see how you can transform your static spreadsheets into a dynamic, compliant ISMS that actually works with your team’s workflow.

If you want to learn more about managing information security in Jira and Confluence, don’t hesitate to book a call with the SoftComply team – we can help you set up your risk projects on Atlassian Cloud.
