Frictionless Information Security Management in Jira

July 2, 2026

What if your next ISO 27001 audit required almost no preparation?

That’s exactly how Lemuel Valdez, CISO at Cobham Satcom, approaches security.

Instead of scrambling to collect evidence before an audit, he builds systems where audit readiness is simply a byproduct of everyday work.

“Controls, risk approvals, documents and evidence are linked in a system that works. Audit work cannot exist as a separate scramble.”

That’s the essence of frictionless security management.

Watch the full interview with Lemuel Valdez on our YouTube channel.

Stop treating compliance as a separate project

Many organizations still manage risk and compliance in dedicated GRC tools that sit outside the engineering workflow. The result?

  • Engineers keep working in Jira.

  • Security teams work somewhere else.

  • Audits become detective work.

Lemuel chose a different approach: bring compliance directly into Jira, where engineering already happens.

“When security lives inside existing workflows, people don’t have to change how they work – they simply work more securely.”

Traceability beats paperwork

For Lemuel, every security process starts with one design principle:

Traceability

An auditor should be able to start from a risk or requirement and follow the complete chain:

  • the decision,

  • the mitigation,

  • the approval,

  • the implementation,

  • the evidence.

No screenshots. No spreadsheets. No hunting through emails.

Everything already exists because it’s part of the workflow.
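The traceability chain above (risk to decision, mitigation, approval, implementation and evidence) is the kind of thing that can be checked mechanically rather than by hand before an audit. The script below is an added illustration, not code from SoftComply, the Risk Manager Plus app or Jira: it models work items as a small in-memory graph with one-directional links (real Jira links are typed and bidirectional, which this simplification ignores), walks every link from each risk, and reports which stages of the chain cannot be reached. The item keys, item types and sample data are constructed for the example.

```python
"""Audit-readiness check over a graph of linked work items (added example).

Each work item has a type and a list of keys it links to. A risk is
audit-ready when, following links, an auditor reaches an item of every
type in CHAIN_STAGES. Keys, types and data below are constructed.
"""
from collections import deque

# Stages an auditor expects to reach from a risk, in the order the page lists them.
CHAIN_STAGES = ("decision", "mitigation", "approval", "implementation", "evidence")

# Constructed sample graph; keys are hypothetical, not real Jira issue keys.
SAMPLE_ITEMS = {
    "RISK-1": {"type": "risk", "links": ["DEC-1"]},
    "DEC-1": {"type": "decision", "links": ["MIT-1"]},
    "MIT-1": {"type": "mitigation", "links": ["APR-1", "ENG-1"]},
    "APR-1": {"type": "approval", "links": ["EVD-9"]},   # EVD-9 no longer exists: dangling link
    "ENG-1": {"type": "implementation", "links": ["EVD-1"]},
    "EVD-1": {"type": "evidence", "links": []},
    "RISK-2": {"type": "risk", "links": ["DEC-2"]},
    "DEC-2": {"type": "decision", "links": ["MIT-2"]},
    "MIT-2": {"type": "mitigation", "links": []},          # never approved, built or evidenced
    "RISK-3": {"type": "risk", "links": []},                # raised, but no decision recorded
}


def reachable_types(items, start):
    """Breadth-first walk over links from `start`; returns the set of item types reached.

    Links to keys that are not in `items` are skipped here and reported
    separately by dangling_links(), so a deleted issue cannot crash the check.
    """
    seen = {start}
    queue = deque([start])
    types = set()
    while queue:
        key = queue.popleft()
        for nxt in items[key]["links"]:
            if nxt in items and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                types.add(items[nxt]["type"])
    return types


def missing_stages(items, risk_key):
    """Stages of the chain that cannot be reached from the given risk, in chain order."""
    reached = reachable_types(items, risk_key)
    return [stage for stage in CHAIN_STAGES if stage not in reached]


def audit_readiness(items):
    """Map every risk to the stages its chain lacks; an empty list means audit-ready."""
    return {key: missing_stages(items, key)
            for key, item in items.items() if item["type"] == "risk"}


def dangling_links(items):
    """(source, target) pairs where the target no longer exists, e.g. a deleted issue."""
    return sorted((src, dst)
                  for src, item in items.items()
                  for dst in item["links"] if dst not in items)


if __name__ == "__main__":
    for risk, gaps in audit_readiness(SAMPLE_ITEMS).items():
        print(f"{risk}: {'audit-ready' if not gaps else 'missing ' + ', '.join(gaps)}")
    for src, dst in dangling_links(SAMPLE_ITEMS):
        print(f"dangling link {src} -> {dst}")
```

Run against an export of real work items, a report like this turns "are we audit-ready?" into a list of specific risks with specific gaps, which is exactly the kind of byproduct-of-the-workflow evidence the post describes. The dangling-link check matters in practice because deleting or moving an issue silently breaks a chain that looked complete last quarter.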

Security people understand controls. Engineers understand risk.

One of the most interesting insights from the conversation was that awareness isn’t built by teaching controls.

It’s built by explaining risk.

Engineers don’t necessarily care about compliance frameworks. They care about understanding why a change matters to their product, their project, and ultimately the business.

By linking risks directly to Jira issues and engineering tasks, security becomes relevant instead of abstract.

Use the tools people already love

When asked why he embedded risk management directly into Jira with the SoftComply Risk Manager Plus app, Lemuel’s answer was refreshingly practical:

“Look at what you already have.”

Organizations spend years building habits around tools like Jira and Confluence. Replacing those habits creates resistance.

Building security into them creates adoption.

Instead of asking engineers to visit yet another system, risk management becomes just another part of delivering software.

Dashboards people actually use

Different people need different views of risk.

Executives want strategic risks.

Finance wants financial exposure.

Engineering wants actionable tasks.

By keeping everything connected inside Jira, live dashboards automatically show the information each audience needs – without manually preparing reports or PowerPoint slides before every meeting.

AI is helpful but it should not be in charge

The interview also touched on AI.

Lemuel uses AI to improve risk descriptions, suggest mitigation tasks and identify related work items, making it easier for teams to document and manage risks.

But there’s one rule that never changes:

Humans stay accountable.

AI should support decisions, not make them. Structured data, clear ownership and human review remain essential – especially in regulated industries.

The biggest lesson? Start where you are.

Perhaps the strongest takeaway from the entire conversation wasn’t about technology at all.

It was about culture.

Rather than replacing everything, successful CISOs look at the organization they already have, identify the easy wins, and gradually embed security into existing ways of working.

The result?

Cobham Satcom achieved ISO 27001 certification with zero major and zero minor findings after roughly six months – not because they prepared harder for the audit, but because the organization was already working that way.

Frictionless security isn’t about adding more process.

It’s about making secure, compliant behaviour the easiest way for people to get their work done.
