ISMS Implementation and and maintenance with Asana


wouldn’t it make sense to setup a set of templates which are supporting the implementation and maintenance of an ISMS according to ISO/IEC 27001?

I am thinking of a ISMS Portfolio with the following Asana Projects in it:

  1. Documentation Framework - all policies, procedures and other ISMS relevant documents could be put in here and maintained.
  2. Activity Schedule Projekt with sections like Trainings, Management reviews, Audit program etc.
  3. Internal Audit Activities Project - all internal audits can be planned and conducted based on this.
  4. Metrics and Measurement Project - All KPIs can be documented in here as well as relevant evidences could be stored in here.
  5. Asset register and Risk Management Project - all relevant assets are listed in here and the risk assessment could be done in here as well. Including tracking of mitigating actions.

This is just an initial thought. Maybe someone has already established something like that. If not, why not proving some templates for this as included in the Asana template library? I think many customers would be very interested in them.

What are your thoughts about this? I am happy to discuss :slight_smile:

Kind regards


We are struggling with this one too. We have implemented Asana and are still using an ISMS separately. I think it would be great to replace the ISMS with Asana. Do you have any idea’s ont his topic?

well, i have set up an ASANA Portfolio with few projects in order to ease the burden of administering an Information Security Management System (ISMS). i just wondered if it would make sense to setup some generic and easily adoptable templates for that. I am thinking of an annual audit program, internal audit activity planning and documentation, a Statement of Applicability (SoA), a project for documenting and maintaining KPIs and other isms metrics, a project for documenting Nonconformities and corrective actions as well as there status etc, a documentation log, a project for planning and documenting Management reviews, a project for regular ISMS activities and also a project for Information Security Risk Management incl. Assets and the entire risk assessment process. For larger organisations with many locations inside the ISMS it would make sense to have a workflow (via forms) for conducting annual quick assessments of such entities. This were just my initial thoughts. i am pretty sure there is even more in it.

This is a great idea and I did do this when I set up our ISMS many years ago. We utilized some of Google’s features because it integrates so well with Google, but ultimately you are on the right path. With a smaller enterprise you can see how Asana could function as a GRC with Risk Register, audits of controls, policies, procedures, templates, TPRM, corrective action plans, etc. All the quarterly/yearly/etc. reviews of controls can all be automated within Asana and pushed out to Calendars or Slack messages etc. prior to the due dates. The internal reviewer/auditor can become and approver for that control and you have a complete lifecycle that you can show to your ISO auditor when they are onsite.

Thank you :slight_smile:
I think it would even work in larger organizations with multiple locations. In preparation of the annual internal audits it would be possible to work with forms. setting up a form for a self assessment is no big thing. sending it out and getting all the answers back into a dedicated project would make it easier to select entities for onsite audits as well would it, at least partially, meet the internal audit requirements and can be shown to the external auditor as well. besides a few other advantages.

the thing is, why investing in a dedicated isms tool, of which there are many in the market and some are quite expensive, when you have all needed tools at hand with Asana :slight_smile: