ISO 27001: Achieving and Maintaining Compliance with Compliance for Confluence
For organisations that need to achieve or maintain ISO/IEC 27001 certification, Compliance for Confluence can support the effort in the ways described below. The control references on this page largely follow the Annex A numbering of ISO/IEC 27001:2013; the 2022 revision renumbered and regrouped the controls, so map each reference to the edition used in your own Statement of Applicability.
Compliance for Confluence can assist in achieving and maintaining ISO/IEC 27001 compliance by supporting controls related to access management, documentation integrity, auditability, and information security governance. It will not satisfy every requirement on its own, but it helps you demonstrate control over Confluence, especially where Confluence is used for policy documentation, internal processes, and evidence storage.
A.5.1 — Policies for Information Security
Requirement: Security policies must be defined, approved, published, communicated, and reviewed regularly.
How Compliance for Confluence helps:
Ensures spaces used for policy and process documentation remain secured and easily auditable
Supports controls around access, audit logging, and permission exports (the same controls that are also used for SOC 2 evidence)
Aids traceability and governance by recording who changed what and when, via permission and audit reports
A.9.2 — User Access Management
Requirement: Ensure appropriate user access provisioning, modification, and removal.
How Compliance for Confluence helps:
Exports Confluence space and page-level access controls for review
Provides visibility into who has access to what (supports least-privilege enforcement)
Helps with periodic access reviews by generating reports
A.12.1 — Operational Procedures and Responsibilities
Requirement: Procedures must be documented, maintained, and made available to relevant personnel.
How Compliance for Confluence helps:
Classifies Confluence pages, enforces permissions based on sensitivity, and restricts unauthorized access to operational documents
Provides audit reports and permission logs to track who accessed or modified classified procedures
Displays classification banners and applies data handling restrictions (e.g., prevent exporting) to ensure proper treatment of sensitive procedures
A.12.4 — Logging and Monitoring
Requirement: Activities related to system use should be logged and reviewed to detect anomalies or policy violations.
How Compliance for Confluence helps:
Maintains logs of permission changes and other administrative actions
Exposes logs through a REST API so they can be exported to third-party tools for review and long-term archiving
Supports internal auditing by showing access and configuration changes in Confluence
A.18.1 — Compliance with Legal and Contractual Requirements
Requirement: Ensure organizational compliance with legal, statutory, regulatory, and contractual security obligations.
How Compliance for Confluence helps:
Provides a compliance audit trail for how documentation and access are managed within Confluence
Assists with audit readiness by organizing and preserving historical records
Shows a clear record of controls and how they are enforced in the Confluence environment
The following remain your responsibility; Compliance for Confluence does not:
Handle risk assessments, corrective actions, or asset registers
Replace formal ISMS documentation
Provide physical, network, or endpoint security controls
Additionally, you will still need an overarching Information Security Management System (ISMS) and may need additional tools for incident response, business continuity, and monitoring outside Confluence.
Best Use Case
If you use Confluence to host ISO 27001-related documentation (policies, SOPs, audit logs, training records), our app Compliance for Confluence helps ensure that these documents:
Are securely stored and access-controlled
Can be audited
Are maintained with a clear change history
Support your internal compliance monitoring process
ISO 27001 Confluence Documentation & Compliance Checklist
1. Information Security Policies (ISO 27001 A.5.1)
Create a 'Security Policies' space in Confluence.
Document policies such as information security, acceptable use, and remote work.
Restrict editing to policy owners and approvers.
Use page versioning to track changes to policies.
Review and update policies at planned intervals (annually is common practice) and record each review date.
Record policy ownership.
2. Access Control (ISO 27001 A.9.2)
Export space- and page-level permissions for review.
Document user roles and access levels.
Schedule quarterly access reviews and retain evidence of completion.
Restrict access to confidential or sensitive spaces.
Ensure former employees are removed promptly from the system.
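The access-review steps above can be turned into a repeatable check. The following is an added example, not part of Compliance for Confluence: it reconciles a permission export against an HR leaver list, flags "everyone" grants on confidential spaces or with write/admin rights, and produces a summary record you can file as evidence that the quarterly review happened. The export shape, the `confluence-users` group name and the sample data are all constructed assumptions; adapt `load_spaces()` to the fields of the export your tooling actually produces.

```python
"""Quarterly Confluence access review: reconcile a permission export against
an HR leaver list and flag over-broad grants. Added example, not part of
Compliance for Confluence; the export shape below is an assumption."""
import json
from dataclasses import dataclass, asdict

# Constructed sample export. Field names are assumptions for this example;
# adapt load_spaces() to the columns of the export your tooling produces.
SAMPLE_EXPORT = json.dumps({
    "spaces": [
        {"key": "SECPOL", "classification": "confidential", "grants": [
            {"subject_type": "group", "subject": "policy-owners", "operation": "administer"},
            {"subject_type": "group", "subject": "confluence-users", "operation": "read"},
            {"subject_type": "user", "subject": "j.doe", "operation": "write"},
        ]},
        {"key": "ENG", "classification": "internal", "grants": [
            {"subject_type": "group", "subject": "engineering", "operation": "read"},
            {"subject_type": "group", "subject": "confluence-users", "operation": "write"},
        ]},
        {"key": "PUB", "classification": "public", "grants": [
            {"subject_type": "anonymous", "subject": "anonymous", "operation": "read"},
        ]},
    ]
})

# Constructed: usernames HR has reported as leavers since the last review.
LEAVERS = {"j.doe"}

# Assumption: subjects that mean "everyone". The default licensed-user group
# in Confluence is commonly named "confluence-users"; rename to match your site.
BROAD_SUBJECTS = {"anonymous", "confluence-users"}
PRIVILEGED_OPS = {"write", "administer", "export"}


@dataclass(frozen=True)
class Finding:
    space: str
    severity: str   # "high" or "medium"
    detail: str


def load_spaces(export_json: str) -> list[dict]:
    """Parse the export; a real loader would read the app's CSV/JSON export."""
    return json.loads(export_json)["spaces"]


def review(export_json: str, leavers: set[str],
           broad_subjects: set[str] = BROAD_SUBJECTS) -> list[Finding]:
    """Return one Finding per grant that fails a review rule."""
    findings: list[Finding] = []
    for space in load_spaces(export_json):
        key, cls = space["key"], space["classification"]
        for g in space["grants"]:
            subj, op, stype = g["subject"], g["operation"], g["subject_type"]
            # Rule 1 (A.9.2.6): leavers must not retain any access.
            if stype == "user" and subj in leavers:
                findings.append(Finding(key, "high", f"former employee {subj} retains '{op}'"))
            # Rule 2: nothing classified confidential is visible to everyone.
            if subj in broad_subjects and cls == "confidential":
                findings.append(Finding(key, "high", f"'{subj}' has '{op}' on a confidential space"))
            # Rule 3: everyone-grants should never carry write/admin/export rights.
            elif subj in broad_subjects and op in PRIVILEGED_OPS:
                findings.append(Finding(key, "medium", f"'{subj}' has '{op}'"))
    return findings


def evidence_record(findings: list[Finding], reviewer: str, reviewed_on: str) -> dict:
    """Summary to store as evidence that the review happened and what it found."""
    return {
        "reviewed_on": reviewed_on,
        "reviewer": reviewer,
        "open_findings": len(findings),
        "high": sum(f.severity == "high" for f in findings),
        "medium": sum(f.severity == "medium" for f in findings),
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    found = review(SAMPLE_EXPORT, LEAVERS)
    print(json.dumps(evidence_record(found, "security-lead", "2024-04-01"), indent=2))
```

Store the printed record in the audit space alongside the raw export so an auditor can see both the input and the conclusions; the rule set is deliberately small, and the high/medium split is the piece you would tune to your own classification scheme.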
3. Operational Procedures and Responsibilities (ISO 27001 A.12.1)
Use Confluence to document standard operating procedures (SOPs).
Restrict access to procedures based on job roles.
Track changes to procedures using version history.
Assign ownership for each SOP document.
4. Logging and Monitoring (ISO 27001 A.12.4)
Enable and review audit logs.
Store permission change logs in a secure space or archive.
Create a schedule to review permission and configuration logs regularly.
Document the log review process.
5. Compliance and Audit Readiness (ISO 27001 A.18.1)
Maintain an audit space in Confluence to store evidence of compliance.
Use export functions to archive access and change logs.
Link documentation to ISO 27001 control references.
Create an index or dashboard of control implementation and supporting evidence.
6. Additional Recommendations
Train staff on using Confluence securely and responsibly.
Use templates to standardize documentation of risks, policies, and procedures.
Store completed training logs and policy acknowledgements in a secure space.
Conduct periodic reviews to ensure Confluence content reflects current practices.
See our solutions in action today
For more information on the features and functionality included within Compliance for Confluence, take a look at our listing on the Atlassian Marketplace, with the option to see how our app works for yourself using a 30-day free trial.