
An information security management system changes how you view processes. It sharpens the questions of who has access to what, which systems are critical, which workflows are documented—and which are not. In large corporations, dedicated departments are created for this. Small companies often lack the capacity. The risk, however, remains the same. Data loss is no less painful just because it happens on a smaller scale.
The assumption that an ISMS can only be implemented with great effort falls short. Much depends not on the size of the company, but on the clarity of its structures. Those who know responsibilities, document workflows, and securely operate the technical foundations already create the conditions on which a functioning ISMS can be built.

Atlassian systems as a foundation for lived information security: Jira, Confluence and the path to an effective ISMS
Jira and Confluence from Atlassian provide a robust foundation for this. Neither system is a security solution, but they support the structures an ISMS requires. Permission management, process documentation, workflow logic, version histories—all these functions contribute to stability. Above all, both systems remain affordable and operable for smaller companies. They can run in the cloud, scale with demand, and integrate into existing environments.
A good ISMS does not hinge on the standard. It emerges where workflows become visible. Jira maps the landscape of tasks, structures issues, and assigns responsibilities. Confluence serves as the system of record, as a logging instance, as an audit basis. Access controls, version states, commenting options—each element provides building blocks for traceability. Not as an end in itself, but as a foundation for security.
At Honicon, such integrations are central. The development of an ISMS does not begin in a vacuum but in the processes already in place. Systems are not replaced, but connected. Where workflows once ran via email, a ticketing system emerges. Where documents lay on network drives, a structured knowledge base grows. The goal is not exhaustive documentation, but the reduction of risks through clarity.
Pragmatic IT security for SMEs:
Make risks visible and secure processes with CyberRisikoCheck and Atlassian systems
The German Federal Office for Information Security has created a standard in DIN SPEC 27076 that is specifically aimed at small and medium-sized enterprises. The so-called CyberRisikoCheck is based on pragmatic assessments and evaluates risks along concrete questions. Honicon is officially qualified to conduct this assessment. The review is practice-oriented, draws on real processes, reveals gaps, and specifies measures.
A company that provides 15 workplaces cannot boast an IT security department. But it carries the same responsibility. Customer data, internal financial figures, access to tools—each element requires protection. The difference lies not in the ambition, but in the path to get there. And with the right means, that path can be significantly shortened.
Automations in Jira significantly reduce manual effort. Escalation paths run in a controlled way, deadlines appear automatically, tickets document status changes without additional effort. Confluence picks up this information, displays it in dynamic dashboards, links policies to processes, and supplements inspection logs with commented entries. The effort decreases because the systems support what is already happening.
Risk often does not arise from missing technology, but from processes that are not practiced. When an admin account remains because no one thinks of it. When a password change is required but not verified. When employees retain access to areas even after they have left the company. An ISMS does not uncover such points, but it demands an answer to them. And that is exactly where the work begins.
In this context, scalability does not mean that a company grows, but that the effort remains limited. A solution intended for 300 people does not fit a team of ten employees. Conversely, many principles apply regardless of size. Access only as needed. Clearly documented responsibilities. Regular review of critical systems.

ISMS as part of corporate practice:
Create structures, integrate systems, live security
At Honicon, technology and consulting interlock. We do not just set up Confluence; we also structure the content. We do not just install Jira; we develop the rules for handovers, deadlines, and evidence. Our commitment does not end at the application layer: on request, we also design and implement the entire underlying infrastructure—whether on-premises or in the cloud. Through our partnerships with providers such as Hetzner and Red Hat, we can deliver tailored, high-performance, and secure system landscapes. The ISMS is not a standalone project; it becomes an integral part of everyday work. It must function without creating overhead—and close gaps before they become relevant.
The path to ISO 27001 certification may not yet be a priority for many small companies. But the step toward a fundamental understanding of security is within reach. Those who know which data must be protected also know where an ISMS has an impact. Whether through an external audit or internal self-assessment—the decisive factor is that the system works. Not on paper, but in operation.
An ISMS does not create security. It creates the conditions under which security becomes possible. And it sets standards that make transparent how security is handled. That pays off not only for auditors but above all for the company itself. Those who control their information do not lose it to third parties. And those who understand processes address risks systematically rather than reactively.