Hi Nuala, that's an excellent question, and I'd be happy to help.

In the first instance, I recommend checking out this guidance for a concrete implementation that we've used internally at Atlassian with good success: https://community.atlassian.com/t5/Agile-articles/How-Atlassian-uses-Jira-to-manage-risks-and-compliance/ba-p/896891

That should get you going, however I'd like to extend an additional offer of help. I'm keen to learn more about people's needs and challenges in this space so we can provide better resources, so if you (or anyone reading this with a similar interest) would like to get some more direct guidance, please email me (rbarnes at atlassian com) and we can set up a time for a call.

Cheers,

Roger

Hi @Nuala ClampI know this is from a while back, but as of 2025, more teams are embedding GRC structures into Jira and Confluence to streamline compliance processes.

There are now several apps in the Atlassian Marketplace focused on risk management, compliance tracking, and audit workflows—a quick search for "GRC”, “compliance,” or “risk management” should surface some options.

We’ve also been working on Cat the Compliant, an app designed to help teams track audits, manage compliance frameworks like SOC 2 and ISO 27001, and centralize reporting inside Jira.

Would love to hear more about your experience embedding GRC in Jira - what worked well, and what challenges did you face?

Cheers,
Ignat