The turn of June and July 2019 was an intense time for us. Due to the increasingly dynamic development of companies in the TT Capital Group, it was gradually becoming clear that in the long term it was impossible to maintain a central IMS (which, in addition to ISO9001, ISO20000, and OHSAS also included ISO27001). It was time to act.

We decided that the responsibility for ensuring the security of information (and of other systems) would fall on each of the companies that use it. It was quite a subversive idea for the warm, lazy summer holiday period (indeed, at that time the possibility of travel far exceeded the boundaries of the living room, terrace, and garden, which many of us were happy to take advantage of). A task as lofty as it was ambitious. At our disposal, we had the functioning central system of the TTCG and a great deal of experience gained over the many years of working with it. We only had to use this knowledge, documentation, and existing tools… or, perhaps, could it be better to start from scratch? For some reason, that question kept bothering us.

Evolution or revolution?

An eternal dilemma. In one of my previous articles, “How to efficiently perform a digital transformation in your company?“, I argued that if we do not have a good argument for a revolution, then we should stick to evolution. Then, if we make a wrong decision, going back a step or two is much easier. Well, precisely – that’s if we do not have a good argument. Overall, the task that was facing us required three things:

  1. Defining the scope of IMS that we needed in the organisation – here the choice was simple, because as a provider of programming services we focus primarily on information security.
  2. Analysing the entire IMS and pinpointing documents, processes, practices, and ways of ensuring information security.
  3. Adopting the above in our business needs, organisational structure, and good practices.

Step one was a matter of minutes. A piece of cake. Step two was where the trouble started. The Integrated Management System indeed proved to be substantially integrated. There was no easy and quick way to simply extract just the information security part. The only option was to catalogue all the documents, analyse them meticulously, and then rewrite and adapt them to our needs. No shortcuts. But this made us see the light at the end of the tunnel. If we couldn’t speed up our work by simply incorporating parts of the system, why not use tools that would allow us to implement and supervise the system more conveniently, faster, and more efficiently? We had found the argument for the revolution. The third item on our list began to take shape.

Where Excel fails, Jira excels

It is not my intention to criticise Excel. It’s a great tool, but it does not necessarily give you the level of performance and ease of maintenance we require from our ISMS here at TTPSC. We have been working with the Jira and Confluence systems and using a whole range of extensions for years. Once we analysed the IMS documentation (yes, we did it document by document, sentence by sentence), the structure and content of Information Security policies that will be applied in TTPSC, we had to think about tools. And so:

  • We replaced the document repository (Word, Excel, PDF, and more) in Sharepoint with content posted on Confluence websites – and that solved the issues of versioning, employee access, and control of changes. We rely only on integrated mechanisms available as standard. No encryption. It’s quick, efficient, and there’s no need for any additional tools.
  • Reporting incidents, activities, and other events relevant from the point of view of ISMS – fortunately, this item combines all the standards that were part of the IMS. Throughout the years of IMS operation, TT CG developed a great mechanism for event reporting and management, based on Jira. Each report has its own type (Incident, Improvement Potential, Nonconformity, Action) and a number of attributes to help classify the event, which then enables precise analysis and monitoring. Reports have their life cycle, they can be delegated to specific people, provide records of activity, allow for grouping and merging, as well as many other things, which can all be achieved with Jira’s basic functions. This is a key element of the system.

creating ISO issues in Jira, Transition Technologies PSC

  • Monitoring the effectiveness and measuring the achievement of objectives – a structured form of reporting incidents or activities is fundamental. A manual analysis or reporting of the results of measurements in Excel would be heresy. This must be automated, legible, and accessible online with appropriate permissions. Sounds complicated. Nothing could be further from the truth – the integrated Jira and Confluence mechanisms and a very high degree of integration of both systems can also help here. This is why we have access to the most important indicators and the degree of objective achievement at all times, without even one operation, database query, or macro in excel. We only use filters, reports, macros, and widgets.

ISO statisticks in Jira, Transition Technologies PSC

  • The risk matrix. I saved the best for last. On the web, we can find hundreds of excel templates with samples of a risk matrix. All of them have one thing in common – they cannot be integrated with other parts of the ISMS. Why is that? With 30 or more risks, Excel becomes completely unmanageable. We do not like the look of it. It’s difficult to read the contents of the cells. It’s even more difficult to see the connections between them. And tracking risk activities becomes mental gymnastics. Impossible? And yet. The awesome Jira add-on – Big Picture came to our rescue. Whole articles could be written about the add-on itself, but for our purposes it was the module for risk management that proved invaluable. It allows you to create (and visualise!) a matrix, easily transfer risks between sections of the matrix, and, because each risk is a task in Jira – we can use metadata, links, life cycles, and change history. The icing on the cake is that the risks can easily be linked to their source (design analysis, system implementation, incident), can be filtered and constitute a basis for advanced reports. Quick, simple, and effective.

ISMS Risk Register in Jira, Jira and BigPicture, Transition Technologies PSC

It is worth mentioning that while the analysis of documentation took us weeks, creating these tools for ISMS management turned out to be a matter of… a few days. For one person. The combination of good practices, even better tools, and the gut feeling that old, established patterns can be replaced by something fresh, better, and more efficient, gave exceptional results.

And this is only the beginning…

If that’s the case, then what’s next? Integration More and more integration. Jira and Confluence are accompanied by dedicated systems which analyse reports from partners and providers. Results are automatically reported as actions, incidents, or other events, and these consequently provide us with indicators and reports. The unification of communication and cooperation tools gives you greater control over the processed data. Analysis of the requirements of the ISO standard in terms of monitoring the effectiveness of ISMS pushes us to implement solutions based on the digitisation of processes in Jira. As long as we are guided by security, standardisation, automation, and data integration in these activities, although the system covers new, additional areas with every month, it does not require any additional effort to operate and manage it. After all, this is not about creating a system whose operation will be a mystery in itself and will only hinder the work of production departments. The idea is that the solutions we have developed should create conditions in which the risk of loss of integrity, confidentiality, and availability of data processed by employees becomes increasingly lower. At the lowest possible cost.

How useful was this post?

Click on a star to rate it!

Average rating 4.5 / 5. Vote count: 2

No votes so far! Be the first to rate this post.

If you violate the Regulations , your post will be deleted.

    _All posts in this category

    Document Management System at Jira - digital transformation for government, accounting, office and more

    Document System Management is the basis for digitizing business processes. See how it is possible to transfer and archive documents in the Jira…
    Read more

    Project Management in Jira Cloud with Structure and Structure.Gantt

    Among project management applications, you can find simple tools that address a single employee's needs, as well as comprehensive environments for managing an…
    Read more

    Migrating Jira Server to Jira Cloud

    20 years after entering the IT market, Atlassian is still one of the world's leading providers of enterprise software solutions - from test…
    Read more

    Confluence + Linchpin. A modern and functional company intranet

    An intranet improves communication, integrates and gives a sense of belonging. Apart from purely practical advantages, it has a number of assets of…
    Read more

    IT Service Management for business. Service desk with ITIL certificate

    What's the difference between a service desk and a helpdesk; what functionalities does an advanced tool like that have, and what criteria to…
    Read more

    Asset Management in Jira Service Management

    Asset Management is often associated with financial asset management; it can also refer to the management of any fixed assets within a company…
    Read more

    Automatic and manual tests - test management platform based on Jira Software + Xray

    One of the strategic stages of software development work is testing - every single "package" of code should be tested in order to…
    Read more

    Customer Portal in Jira Service Management: notifications, automation, knowledge base, SLA

    The Customer Portal is easy to use, and at the same time it offers advanced configuration possibilities. It is a solution dedicated to…
    Read more

    Jira Service Desk becomes Jira Service Management. New name, more possibilities.

    The year 2020, and especially its end, is the time of changes announced by the producer of Jira software. Recently, we have heard…
    Read more

    Jira Cloud vs Jira Server

    What does Jira Cloud have that Jira Server doesn’t? What benefits does it offer, what functionalities are worth noting, and do both these…
    Read more

    BigPicture 8.0 – a new, better version of the PMO add-on for Jira Software

    BigPicture by SoftwarePlant, a new version of the project management and PMO development addendum in Jira, is coming. What changes will it bring?…
    Read more

    Agility. All you need to know about the agile methodology

    What actually is agile? How did it all start? What are the principles that characterise this working method, how does it differ from…
    Read more

    What software should you choose to work remotely?

    At a time of the coronavirus threat, the ability to work from home is no longer a privilege, but a necessity. The employees…
    Read more

    Jira Core – a tool for effective work and project management for the marketing team

    A good marketing team consists of people who have different, complementary skills: content, SEO, paid campaigns specialists, graphic designers, developers, analysts, PR or…
    Read more

    Project Management Office in your company

    We respond to the expectations of professional project management practices in business environments, offering a complete PMO solution implementation, within the Atlassian tools…
    Read more

    Atlassian Summit 2020 – we’ll be there!

    After a two-year break we return to the Atlassian Summit as sponsors of the event. In Las Vegas, Tomasz Pabich, Project Manager, will…
    Read more

    Jira as CRM system

    Jira by Atlassian is software well-known all over the world; it is associated mainly with solutions for developer teams. The tool can be…
    Read more

    Program for business trip expense reports – Jira

    Settling local and overseas business trip expenses is a process that companies would like to go through in possibly the least complicated and…
    Read more

    Logging work time - timesheets in the Jira system

    Timesheet processing, time tracking in Jira? No problem! If your company uses software by Atlassian, you don't have to invest in new solutions…
    Read more

    Vacation management in Jira. Explore the possibilities of Vacation Manager

    A vacation management program that is easy to use, affordable, and enables the finalization of the entire process without the need to print…
    Read more

    Atlassian Open 2019 – news, thoughts

    A strong emphasis on cloud solutions, customer-focused narration as well as promoting the idea of being “open”. What happened during Atlassian Open 2019…
    Read more

    Confluence by Atlassian – opinions and the most important functionalities from users' point of view

    Based on implementation in Transition Technologies Capital Group currently hires nearly 1000 employees working in broadly understood advanced technology field.
    Read more

    Atlassian Summit 2019 – summary, trends, changes

    Atlassian Summit is an annual even organized by an Australian producer of software for work management, among which the most popular ones are…
    Read more

    DevOps – from trend to standard

    DevOps idea appeared in IT field already in 2009 and since then, it has been systematically entering global business world as a method…
    Read more

    Jira Data Center – solution which does not let down. What is it and why is it worth investing in?

    Regardless of implemented tools, every company needs an environment where they can embed their own processes and manage them. A perfect tool for…
    Read more

    _Let’s get in touch

    Contact us