EvidencePack

EvidencePack — User documentation

This page is the entry point. Detailed guides live in the Atlassian Marketplace listing and in your installed app's help footer.

Quick start

  1. Install EvidencePack from the Atlassian Marketplace onto your Jira or Confluence site.
  2. Open the EvidencePack global page from Jira or Confluence.
  3. Choose a starter framework — SOC 2 or ISO 27001 — in onboarding.
  4. Map at least one Jira JQL or Confluence CQL source to a control.
  5. Click Collect evidence.
  6. Open the Export view and copy the JSON, CSV, or Markdown pack.

Mapping sources

For each control, add one or more evidence sources — a JQL or CQL query that returns the issues or pages that count as evidence.

Example Jira JQL mappings

-- Change management evidence (SOC2-CC8.1)
project = ENG AND labels = change-management AND status = Done ORDER BY updated DESC

-- Access reviews (SOC2-CC6.1)
project = SEC AND issuetype = "Access Review" AND created >= -180d

-- Incident postmortems (SOC2-CC7.3)
project = INC AND issuetype = Incident AND status = Resolved ORDER BY updated DESC

Example Confluence CQL mappings

-- Change management policy
space = "SEC" AND title ~ "Change Management"

-- Risk register (SOC2-CC3.2)
space = "RISK" AND label = "risk-register"

-- Incident response runbook
space = "OPS" AND title ~ "Incident Response"

Heads up: from 2026-06-11 Jira Cloud rejects invalid JQL with a zero-result response (no partial matches). If a source unexpectedly returns 0 items, double-check the JQL syntax in Jira's filter UI.
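A zero-item source can therefore mean two different things: the query is invalid, or it is valid and nothing matched. The sketch below separates the two before a run is treated as evidence. It is an added example, not part of EvidencePack, and assumes the queries are checked with Jira Cloud's JQL parse endpoint (POST /rest/api/3/jql/parse); the DEMO-BROKEN query, the sample response and the item counts are constructed.

```python
import json

# JQL sources keyed by control. The first three are this page's examples;
# DEMO-BROKEN is a constructed invalid query (doubled AND).
SOURCES = {
    "SOC2-CC8.1": "project = ENG AND labels = change-management AND status = Done ORDER BY updated DESC",
    "SOC2-CC6.1": 'project = SEC AND issuetype = "Access Review" AND created >= -180d',
    "SOC2-CC7.3": "project = INC AND issuetype = Incident AND status = Resolved ORDER BY updated DESC",
    "DEMO-BROKEN": "project = ENG AND AND status = Done",
}

def build_parse_request(sources):
    """JSON body for Jira Cloud's POST /rest/api/3/jql/parse."""
    return json.dumps({"queries": list(sources.values())})

def triage(sources, parse_response, item_counts):
    """Classify each control's source as ok, empty, invalid-jql or unchecked."""
    errors = {q["query"]: q.get("errors", []) for q in parse_response["queries"]}
    result = {}
    for control, jql in sources.items():
        if jql not in errors:
            result[control] = "unchecked"      # parser never saw this query
        elif errors[jql]:
            result[control] = "invalid-jql"    # zero results are not evidence
        elif item_counts.get(control, 0) == 0:
            result[control] = "empty"          # valid query, nothing matched
        else:
            result[control] = "ok"
    return result

# Constructed parse response: only the fields used here, error text invented.
SAMPLE_RESPONSE = {"queries": [
    {"query": SOURCES["SOC2-CC8.1"], "structure": {}},
    {"query": SOURCES["SOC2-CC6.1"], "structure": {}},
    {"query": SOURCES["SOC2-CC7.3"], "structure": {}},
    {"query": SOURCES["DEMO-BROKEN"], "errors": ["constructed: unexpected AND"]},
]}
# Constructed item counts from a hypothetical collection run.
SAMPLE_COUNTS = {"SOC2-CC8.1": 14, "SOC2-CC6.1": 0, "SOC2-CC7.3": 3, "DEMO-BROKEN": 0}

if __name__ == "__main__":
    for control, verdict in triage(SOURCES, SAMPLE_RESPONSE, SAMPLE_COUNTS).items():
        print(f"{control:12} {verdict}")
```

An "empty" verdict is a real evidence gap for the control, while "invalid-jql" means the mapping itself needs fixing before the count says anything.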

Control statuses

Export

EvidencePack produces three artifacts per run: JSON (for tooling), CSV (for spreadsheets), and Markdown (human-readable). Forge UI Kit cannot trigger native file downloads, so each artifact is rendered inline — select-all and copy. A Custom-UI download surface that bundles all three into a .zip is on the roadmap.

Remediation

From any control detail page, click Create remediation issue to open a Jira issue tracking missing or stale evidence. The summary, description, and labels are auto-filled from the control template plus the latest run's warnings. Project key and issue type are remembered for next time.

Limits

Security

See our security overview and privacy policy. EvidencePack runs entirely on Atlassian Forge with no external data egress.

Disclaimers

EvidencePack helps you collect and organise evidence relevant to SOC 2 and ISO 27001 audits. It does not certify your organisation as compliant and does not constitute legal, security, or compliance advice. SOC 2 is a service mark of the AICPA; ISO 27001 is a standard of the ISO.