ISMS Implementation and and maintenance with Asana


wouldn’t it make sense to setup a set of templates which are supporting the implementation and maintenance of an ISMS according to ISO/IEC 27001?

I am thinking of a ISMS Portfolio with the following Asana Projects in it:

  1. Documentation Framework - all policies, procedures and other ISMS relevant documents could be put in here and maintained.
  2. Activity Schedule Projekt with sections like Trainings, Management reviews, Audit program etc.
  3. Internal Audit Activities Project - all internal audits can be planned and conducted based on this.
  4. Metrics and Measurement Project - All KPIs can be documented in here as well as relevant evidences could be stored in here.
  5. Asset register and Risk Management Project - all relevant assets are listed in here and the risk assessment could be done in here as well. Including tracking of mitigating actions.

This is just an initial thought. Maybe someone has already established something like that. If not, why not proving some templates for this as included in the Asana template library? I think many customers would be very interested in them.

What are your thoughts about this? I am happy to discuss :slight_smile:

Kind regards


We are struggling with this one too. We have implemented Asana and are still using an ISMS separately. I think it would be great to replace the ISMS with Asana. Do you have any idea’s ont his topic?

1 Like

well, i have set up an ASANA Portfolio with few projects in order to ease the burden of administering an Information Security Management System (ISMS). i just wondered if it would make sense to setup some generic and easily adoptable templates for that. I am thinking of an annual audit program, internal audit activity planning and documentation, a Statement of Applicability (SoA), a project for documenting and maintaining KPIs and other isms metrics, a project for documenting Nonconformities and corrective actions as well as there status etc, a documentation log, a project for planning and documenting Management reviews, a project for regular ISMS activities and also a project for Information Security Risk Management incl. Assets and the entire risk assessment process. For larger organisations with many locations inside the ISMS it would make sense to have a workflow (via forms) for conducting annual quick assessments of such entities. This were just my initial thoughts. i am pretty sure there is even more in it.

1 Like

This is a great idea and I did do this when I set up our ISMS many years ago. We utilized some of Google’s features because it integrates so well with Google, but ultimately you are on the right path. With a smaller enterprise you can see how Asana could function as a GRC with Risk Register, audits of controls, policies, procedures, templates, TPRM, corrective action plans, etc. All the quarterly/yearly/etc. reviews of controls can all be automated within Asana and pushed out to Calendars or Slack messages etc. prior to the due dates. The internal reviewer/auditor can become and approver for that control and you have a complete lifecycle that you can show to your ISO auditor when they are onsite.

1 Like

Thank you :slight_smile:
I think it would even work in larger organizations with multiple locations. In preparation of the annual internal audits it would be possible to work with forms. setting up a form for a self assessment is no big thing. sending it out and getting all the answers back into a dedicated project would make it easier to select entities for onsite audits as well would it, at least partially, meet the internal audit requirements and can be shown to the external auditor as well. besides a few other advantages.

the thing is, why investing in a dedicated isms tool, of which there are many in the market and some are quite expensive, when you have all needed tools at hand with Asana :slight_smile:

1 Like

Thanks for your great input and for sharing your thoughts.
I have been thinking about this and find it logical to implement. At my company, we have been successfully using Asana for incident management for a long time. I have already listed out all necessary controls for our ISO 27001 implementation using the Asana list. It is nice to use in our planning, and we are now just launching our implementations… so the experience is coming up in the next couple of weeks after a few sprints of implementation.

I have had concerns about other things when considering using Asana for the whole ISMS system.

A) For documenting policies and procedures, the description field in Asana is the only field that allows tagging to link related items. I find this as a limitation. If it could create a new field with that functionality, it would be possible to set up a “formal document template”. Then, in the same context, document versioning. All changes are saved but not easily compared, which might be frustrating when doing an audit review.

B) I love using Asana for asset management, but one prominent feature needs to be added to implement it perfectly. In my opinion, it is important to be able to create two relationships from an asset perspective (using task) to give assets context in their operation; the relationships are “assets used by me” and “assets using me” - where I is an asset (Asana task).

I saw an interesting video

where this problem is “tackled,” using projects to implement every client in an Asana-based CRM system. Even though it was interesting, it is a bit too complicated for the general users.

But even though I have these concerns, I will try to implement a lot of ISMS functionality within Asana as my belief is that if such a system is not near the users (using great tools), then the implementation will be poor, and the ISMS system will be in low use.

1 Like

Hi Gunnar,

many thanks for sharing your experiences. Very much appreciated :slight_smile:

I would use Asana almost only to administer an ISMS. I wouldn’t use it for writing and storing policies and procedures. Besides these documents you also need to collect evidences which are documenting that the designed policies and procedures are working properly. I would just use normal file services for such documents (well structured in accordance with the chapters and controls of 27001). these files or better these directories can be linked to any Asana Task.

Regarding asset management i am the more conservative guy. i have setup a pretty straight forward asset register (information, software, hardware, people, services, physical assets, intangibles) with all needed information for each asset like location, owner, etc. against which i run my risk assessments (in accordance with ISO 31000). Risk assessments can also be done with Asana thanks to the nice calculation functions.

In my opinion Asana shows its entire beauty when it comes to run an ISMS and to keep on track with all the actions needed to be done on a regular basis. I have attached a screen shot of my ISMS portfolio to this message. I think the titles of the projects are self explaining (more or less :wink: ) to give you a feeling about my ISMS approach in Asana. i am pretty sure that there is a lot room for improvement in this structure. But i think that this approach could be a great foundation for implementing and running an ISO/IEC 27001 compliant ISMS. Happy to discuss :slight_smile:

1 Like

Arnd, I’m a new User supporting a client and have a similar need to enable a feature for information organization according to an ISO framework as you state. For global applications, a central repository of information is needed for a Project Manager or PM Office (PMO). This information is referenced as a need for #1) PM administration, and #2) the Project itself.

Using your example, your ISMS Portfolio approach to have an Asset register is an internal PM reference for how you are administering ISO 27001 (#1). Users on any one project may need to contribute content for their specific asset register (#2).

1 Like