If your organisation runs on Confluence, there’s a good chance your Information Security Management System (ISMS) already lives there too. Security policies, standard operating procedures, risk treatment plans, audit evidence, training acknowledgements – for most teams, this is Confluence content. The question ISO/IEC 27001 forces you to answer is not where that documentation sits, but whether you can prove it is classified, access-controlled, reviewed on a schedule, and supported by a defensible audit trail.
Native Confluence gets you part of the way. Page restrictions and version history exist, but they are manual, inconsistently applied, and difficult to evidence at scale – which is exactly what an auditor probes. This is where two AppFox apps come in, and why they’re stronger together than either is alone:
- Compliance for Confluence is the security and confidentiality layer. It classifies information, enforces access based on sensitivity, detects exposed sensitive data, and reports on it all.
- Workflows for Confluence is the lifecycle and governance layer. It controls how a document moves from draft to approved to published, forces periodic review, and produces the approval evidence an audit depends on.
One protects the information; the other governs how it is created, approved, and maintained. Run them together and you cover a meaningful slice of ISO 27001’s documented-information and access-control requirements directly inside the tool your teams already use.
This guide walks through that setup step by step, mapping each piece of functionality to the relevant clauses and Annex A controls of ISO/IEC 27001:2022 – the current version of the standard now that the transition deadline for 2013-based certificates (31 October 2025) has passed.
A note on scope before we start. No app makes you ISO 27001 compliant on its own, and you should be wary of any vendor that claims otherwise. Certification rests on your ISMS as a whole: leadership commitment, risk assessment, a Statement of Applicability, and controls that reach well beyond Confluence into your network, endpoints, and people. What these two apps do is let you operationalise and evidence a specific set of controls for the information you manage in Confluence – reliably, repeatably, and in a form an auditor can inspect.
Step 1 – Classify your information assets
Where it fits: Annex A.5.12 (Classification of information), A.5.13 (Labelling of information), and the asset-management expectations that flow from A.5.9.
ISO 27001 expects information to be classified according to its sensitivity and labelled consistently so that everyone handling it understands the protection it requires. Doing this by hand across thousands of Confluence pages is unrealistic, and inconsistency is precisely what gets flagged in an audit.
Compliance for Confluence is a data loss prevention (DLP) tool whose two core features are data classification levels and access restrictions. Start here by defining a set of classification levels that mirror your information classification policy – for example Public, Internal, Confidential, and Restricted. Compliance lets you create as many levels as you need, so you can match your existing policy rather than bend your policy to the tool.
Once defined, levels are applied to pages and surfaced as a visible classification banner, giving every reader an unambiguous label (directly serving A.5.13). Because levels are managed centrally by an administrator and rolled out through level schemes, classification becomes a property of the content rather than a matter of individual judgement – which is what gives you consistency across the instance.
The practical outcome: you can demonstrate to an auditor that information assets in Confluence are systematically identified and labelled by sensitivity, with the scheme defined once and enforced everywhere.
Step 2 – Restrict access based on sensitivity
Where it fits: Annex A.5.15 (Access control), A.5.18 (Access rights), A.8.2 (Privileged access rights), and A.8.3 (Information access restriction).
Classification only delivers security value when it drives access. ISO 27001’s access-control family requires that access to information be restricted in line with business need and the “need to know” principle, and that access rights are provisioned, reviewed, and removed in a controlled way.
In Compliance for Confluence, classification levels are paired with enhanced page restrictions through restriction schemes. Rather than relying on staff to manually restrict each sensitive page, you bind a restriction scheme to a classification level so that, for example, anything marked Restricted is automatically locked to a defined group. This turns access control from a hopeful convention into an enforced rule, and it’s the mechanism that most directly answers A.8.3.
For the review side of access control – A.5.18’s requirement to periodically reassess who has access to what – the Compliance Dashboard and the app’s reporting and permission-export capabilities let administrators pull a clear picture of access and classification across the instance. That export is the artefact you bring to a quarterly access review, and the evidence you retain to show the review happened.
Step 3 – Detect and prevent sensitive data exposure
Where it fits: Annex A.8.12 (Data leakage prevention) and the operational-security expectations of A.8.
Even with good classification, sensitive data leaks into the wrong places – an API key pasted into a meeting note, a customer record copied into an open project space. A.8.12 is a new control in the 2022 revision, making data leakage prevention an explicit requirement for the first time, and it is one of the clearest examples of where a tool earns its place.
Compliance for Confluence includes Sensitive Data Detection, which scans content for sensitive information and flags it so it can be addressed. Combined with the app’s classification and restriction enforcement, this gives you a detective-and-corrective pairing: detection surfaces where sensitive data is sitting unprotected, and automated restriction-by-classification ensures that once content is correctly labelled, the right controls follow automatically. Detection events feed the dashboard’s reporting, so exposure isn’t just caught – it’s logged and trendable, which matters for the monitoring expectations we return to in Step 6.
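To make Steps 1 to 3 concrete, here is an added example (our illustration, not code from Compliance for Confluence) that models the three mechanisms together: a set of classification levels, a restriction scheme bound to each level, and a sensitive-data scan that flags pages whose content warrants a higher level than they carry, or whose restrictions drift from the scheme. The level names, group names, detection patterns and sample pages are all constructed for the example; the detection patterns are deliberately simple and stand in for whatever the app's Sensitive Data Detection rules cover.

```python
"""Added example, not the app's code: classification levels bound to
restriction schemes, plus a sensitive-data scan that reports pages
which are under-classified or mis-restricted. All names, patterns and
pages below are constructed sample data."""
import re
from dataclasses import dataclass, field

# Classification levels in ascending sensitivity (Step 1); the policy decides these.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Restriction scheme bound to each level (Step 2): groups permitted to view.
# None means no restriction beyond ordinary space permissions.
RESTRICTION_SCHEME = {
    "Public": None,
    "Internal": {"confluence-users"},
    "Confidential": {"security-team", "management"},
    "Restricted": {"security-team"},
}

# Detection rules (Step 3): (name, pattern, minimum level that content should carry).
DETECTION_RULES = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "Restricted"),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "Restricted"),
    ("payment card number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "Confidential"),
    ("email address", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "Internal"),
]


@dataclass
class Page:
    title: str
    level: str
    body: str
    groups: set = field(default_factory=set)  # groups the page is currently restricted to


def can_view(page, user_groups):
    """Enforce access from the level's scheme, not from whatever a page author set by hand."""
    allowed = RESTRICTION_SCHEME[page.level]
    return True if allowed is None else bool(set(user_groups) & allowed)


def scan(page):
    """Detective control: which rules fire on this page, and the level each one demands."""
    return [(name, required) for name, pattern, required in DETECTION_RULES
            if pattern.search(page.body)]


def required_level(findings):
    """Highest level demanded by the findings; Public when nothing was detected."""
    return LEVELS[max((RANK[r] for _, r in findings), default=0)]


def reclassify(page, level):
    """Corrective step: relabel the page; the bound restriction scheme follows automatically."""
    page.level = level
    scheme = RESTRICTION_SCHEME[level]
    page.groups = set(scheme) if scheme is not None else set()
    return page


def exposure_report(pages):
    """Pages whose content warrants a higher level than they carry, or whose
    restrictions do not match the scheme for their level (dashboard material)."""
    report = []
    for p in pages:
        findings = scan(p)
        needed = required_level(findings)
        reasons = []
        if RANK[needed] > RANK[p.level]:
            names = ", ".join(n for n, _ in findings)
            reasons.append(f"detected {names}; content requires {needed}")
        expected = RESTRICTION_SCHEME[p.level]
        if expected is not None and p.groups != expected:
            reasons.append(f"restricted to {sorted(p.groups)}; "
                           f"scheme for {p.level} requires {sorted(expected)}")
        if reasons:
            report.append({"title": p.title, "level": p.level, "reasons": reasons})
    return report


# Constructed sample pages. The AKIA value is Amazon's documented example key, not a live credential.
SAMPLE_PAGES = [
    Page("Meeting notes", "Internal", "Rotate AKIAIOSFODNN7EXAMPLE after the migration.",
         {"confluence-users"}),
    Page("Customer escalation", "Confidential",
         "Contact jane.doe@example.com, card 4111 1111 1111 1111.", {"security-team", "management"}),
    Page("Holiday calendar", "Public", "Office closed on public holidays.", set()),
    Page("Incident runbook", "Restricted", "-----BEGIN RSA PRIVATE KEY-----\n...",
         {"security-team", "confluence-users"}),
]

if __name__ == "__main__":
    for entry in exposure_report(SAMPLE_PAGES):
        print(entry["title"], "|", entry["level"], "|", "; ".join(entry["reasons"]))
```

The two report entries show the two failure modes the dashboard needs to surface: a page labelled Internal that contains a credential (under-classified), and a Restricted page that someone opened up to a wider group than its scheme allows (mis-restricted). Relabelling the first page with `reclassify` is enough to clear it, because the restriction follows the level rather than the author.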
Step 4 – Control the document lifecycle: draft, review, approve, publish
Where it fits: Clause 7.5 (Documented information), Annex A.5.1 (Policies for information security), and A.5.37 (Documented operating procedures).
This is where Workflows for Confluence takes over, and where the two apps start to compound. Clause 7.5 requires that documented information is approved for adequacy before use and controlled so that only current, authorised versions are available. A.5.1 specifically requires that information security policies are defined, approved by management, published, and communicated. “Approved by management” is not a property you can assert – you have to be able to show it.
Workflows for Confluence is an all-in-one document management tool that controls how pages are created, approved, published, and shared. Using the drag-and-drop workflow builder, you construct the states a document moves through – for instance Draft → In Review → Approved → Published – with custom statuses, actions, and approval steps. You can start from ready-made templates (Basic, Simple Approval, Two-stage Approval, Content Restrictions, Content Expiration) and tailor them, or build from scratch.
Several capabilities map almost one-to-one onto ISO 27001’s documented-information requirements:
- Approval workflows require a named reviewer or approver to sign off before a document can advance, giving you the documented management approval A.5.1 and Clause 7.5 demand. Where your policies require it, approval tokens provide e-signature approvals, raising the assurance level of that sign-off.
- Official Version Workflows let you distinguish the controlled, approved version of a document from work-in-progress drafts – addressing Clause 7.5’s requirement that only current, approved versions are in circulation.
- Publishing Control Workflows allow an approved version to be published to a defined audience while drafts remain restricted, so the “communicated and available to those who need it” half of A.5.1 is handled without exposing unreviewed content.
To apply this at scale rather than page by page, Workflows can auto-assign a workflow to pages using CQL – so every page created from your policy template, or every page in your ISMS space, picks up the correct workflow automatically. That’s how you make controlled documentation the default state rather than a manual chore.
Step 5 – Keep documents current with scheduled review
Where it fits: Annex A.5.1 (policies must be reviewed at planned intervals), Clause 9 (Performance evaluation), and Clause 10 (Improvement).
A policy approved once and never revisited is an audit finding waiting to happen. ISO 27001 repeatedly asks for evidence of periodic review – of policies, of procedures, of the ISMS itself.
Workflows for Confluence handles this with document expiration. The Content Expiration workflow template, for example, includes an approval step after which the page expires on a set interval and returns to the start of the workflow, forcing a fresh review and re-approval. You can tie review cadences to your policy (annual policy reviews, quarterly procedure checks) and let the system prompt the cycle rather than relying on someone’s calendar reminder. The result is a self-sustaining review loop that produces, as a by-product, a dated record of every review – exactly the evidence Clause 9 and Clause 10 reward.
Step 6 – Build your audit evidence trail
Where it fits: Annex A.8.15 (Logging), Clause 9.1 (Monitoring, measurement, analysis and evaluation), and A.5.36 (Compliance with policies, rules and standards).
An ISO 27001 audit is, in large part, an evidence-gathering exercise. The strength of running both apps together is that they generate complementary trails:
- From Workflows, the Workflow History records every transition, approval, and reviewer comment on a page – who approved what, when, and on which version. This is your proof of management oversight and document control, and it can be exported for audit.
- From Compliance, permission and classification reporting plus the detection event logs in the Compliance Dashboard evidence how access has been controlled and how sensitive-data exposure has been monitored over time.
Read together, these answer the two questions an auditor keeps returning to: “Can you show this document was reviewed and approved by the right person?” (Workflows) and “Can you show this information was classified, access-controlled, and monitored?” (Compliance). A.8.15’s logging expectations and Clause 9.1’s monitoring requirements are met not with a one-off report but with a living record the apps maintain for you.
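To show how the lifecycle in Step 4, the scheduled review in Step 5 and the audit trail in Step 6 fit together, here is an added example (our illustration, not code from Workflows for Confluence) that models a Draft → In Review → Approved → Published workflow with an approver-only sign-off, an official version kept apart from the working draft, interval-based expiry back to Draft, and a history of every transition, including denied attempts, that can be exported as JSON lines. The state names, roles, dates, review interval and document text are constructed; the choice to keep the last approved version readable while a re-review is in progress is an assumption made for the example.

```python
"""Added example, not the app's code: a controlled-document lifecycle with
approver-only sign-off, an official version separate from the draft,
interval-based expiry and an exportable history. All values constructed."""
import json
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Allowed transitions: (from_state, action) -> to_state.  Anything else is rejected.
TRANSITIONS = {
    ("Draft", "submit"): "In Review",
    ("In Review", "reject"): "Draft",
    ("In Review", "approve"): "Approved",
    ("Approved", "publish"): "Published",
    ("Published", "expire"): "Draft",
}
APPROVER_ONLY = {"approve", "reject"}  # actions that need the approver role


@dataclass
class Document:
    title: str
    draft_body: str
    review_interval: timedelta          # e.g. 365 days for an annual policy review
    state: str = "Draft"
    official_body: Optional[str] = None  # the controlled version readers see
    official_version: int = 0
    expires_on: Optional[date] = None
    history: list = field(default_factory=list)


def _record(doc, action, user, on, outcome, note=""):
    """Append one audit entry; 'state' and 'version' are as they stand after the action."""
    doc.history.append({"title": doc.title, "date": on.isoformat(), "action": action,
                        "user": user, "state": doc.state, "version": doc.official_version,
                        "outcome": outcome, "note": note})


def allowed_actions(doc):
    return sorted(a for (s, a) in TRANSITIONS if s == doc.state)


def transition(doc, action, user, roles, on, note=""):
    """Apply `action` by `user` (holding `roles`) on date `on`, enforcing the
    state machine and the approver-only rule. Denied attempts are logged too."""
    key = (doc.state, action)
    if key not in TRANSITIONS:
        raise ValueError(f"{action!r} is not allowed from state {doc.state!r}")
    if action in APPROVER_ONLY and "approver" not in roles:
        _record(doc, action, user, on, "denied", "approver role required")
        raise PermissionError(f"{user} may not {action}: approver role required")
    doc.state = TRANSITIONS[key]
    if action == "publish":
        # Publishing promotes the approved draft to the official version and
        # starts the review clock (Content Expiration behaviour).
        doc.official_body = doc.draft_body
        doc.official_version += 1
        doc.expires_on = on + doc.review_interval
    _record(doc, action, user, on, "ok", note)
    return doc.state


def published_view(doc):
    """What a reader outside the review group sees: only the official version."""
    return doc.official_body


def check_expiry(doc, today):
    """Run on a schedule: once the interval has elapsed, send the document back
    to Draft for re-review. The official version stays readable meanwhile
    (assumption made for this example)."""
    if doc.state == "Published" and doc.expires_on and today >= doc.expires_on:
        transition(doc, "expire", "system", {"system"}, today, "review interval elapsed")
        return True
    return False


def export_history(doc):
    """JSON lines: one record per transition, ready for an auditor or a log pipeline."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in doc.history)


def demo():
    """Constructed walk-through: publish v1, expire after a year, re-approve v2."""
    doc = Document("Access Control Policy", "v1 text", timedelta(days=365))
    d0 = date(2025, 1, 10)
    transition(doc, "submit", "alice", {"author"}, d0)
    try:  # an author without the approver role cannot sign off
        transition(doc, "approve", "bob", {"author"}, d0 + timedelta(days=1))
    except PermissionError:
        pass
    transition(doc, "approve", "carol", {"approver"}, d0 + timedelta(days=1))
    transition(doc, "publish", "alice", {"author"}, d0 + timedelta(days=2))
    check_expiry(doc, date(2025, 6, 1))    # not yet due: nothing happens
    check_expiry(doc, date(2026, 1, 12))   # due: back to Draft, v1 still readable
    doc.draft_body = "v2 text"
    d1 = date(2026, 1, 20)
    transition(doc, "submit", "alice", {"author"}, d1)
    transition(doc, "approve", "carol", {"approver"}, d1)
    transition(doc, "publish", "alice", {"author"}, d1)
    return doc


if __name__ == "__main__":
    print(export_history(demo()))
```

The exported history is the artefact Step 6 asks for: each line names the actor, the date, the action, the resulting state and the official version number, and the denied approval attempt is recorded alongside the successful one, which is exactly the kind of evidence that shows the approval control was enforced rather than merely configured.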
Step 7 – Integrate with your wider ISMS
Where it fits: Clause 9.1 (analysis and evaluation) and the integration expectations of the Technological controls theme (Annex A.8).
Your Confluence evidence shouldn’t live in a silo. Compliance for Confluence exposes a REST API, allowing classification, permission, and detection data to be exported into the SIEM, GRC, or reporting platform where your wider ISMS metrics are consolidated. For organisations whose security operations centre or compliance function aggregates control evidence centrally, this is what stops Confluence from being a blind spot in your monitoring.
ISO 27001:2022 mapping at a glance
| ISO 27001:2022 reference | Requirement (in brief) | App & feature |
|---|---|---|
| A.5.12 / A.5.13 | Classify and label information by sensitivity | Compliance — Classification Levels, banners |
| A.5.15 / A.5.18 / A.8.2 / A.8.3 | Restrict access on a need-to-know basis; review access rights | Compliance — Restriction Schemes bound to levels; Dashboard & permission reporting |
| A.8.12 | Prevent and detect data leakage | Compliance — Sensitive Data Detection + automated restriction |
| Clause 7.5 / A.5.1 / A.5.37 | Approve, control, and publish documented information | Workflows — Approval Workflows, Official Version & Publishing Control Workflows, e-signatures |
| A.5.1 (review) / Clause 9 / Clause 10 | Review policies and procedures at planned intervals | Workflows — Content Expiration / document expiry |
| A.8.15 / Clause 9.1 / A.5.36 | Log activity; monitor and evidence control operation | Workflows — Workflow History; Compliance — Dashboard, detection logs |
| Clause 9.1 (integration) | Consolidate evidence into the wider ISMS | Compliance — REST API to SIEM/GRC |
What our apps can’t help you do
To keep this honest – and because auditors and buyers both respect candour – here’s the boundary. Compliance and Workflows for Confluence help you operate and evidence controls for information managed in Confluence. They do not, and cannot, replace:
- Your overarching ISMS, Statement of Applicability, or risk assessment methodology.
- Formal risk assessments, risk treatment plans, and asset registers (though the documents recording these can certainly be governed by the apps).
- Network, endpoint, physical, or malware controls.
- Incident response, business continuity, and security monitoring outside Confluence.
Within their scope, though, they turn some of the most labour-intensive, evidence-hungry parts of an ISO 27001 programme – classification, access control, document approval, and review – into something automated, consistent, and audit-ready.
Getting started
Both Compliance for Confluence and Workflows for Confluence are available on the Atlassian Marketplace with a 30-day free trial, so you can stand up a classified, workflow-governed ISMS space and see the evidence trail for yourself before committing. The most effective starting point is a single high-value space – your policy library – configured as Steps 1 to 7 above describe, then rolled out across your ISMS using CQL auto-assignment and global classification schemes.
Checklists and templates for you to use
Getting and staying ISO 27001 compliant isn’t easy, but hopefully this step-by-step guide, backed up by real feedback from our users, has given you some confidence in starting the process and cutting out a lot of the manual work.
For easy reference and sharing amongst your teams, we’ve also created a free templated guide to reaching ISO 27001 compliance here, as well as an Excel evidence checklist here, for you to export into Confluence and keep your compliance journey on track.