Compliance & Audit
Enterprise Checklists for Jira is engineered for environments that need to defend their checklist evidence in front of auditors — SOC 2, SOX, HIPAA, ITIL, and ISO 27001 programmes. This page covers what the app does (and equally importantly, what it does not claim) so you can map it cleanly into your control framework.
Automated Audit Trail
Every interaction is logged automatically — no user action required.
- Events captured: create item, check, uncheck, edit text, delete, reorder, and template sync.
- Dual-write storage:
  - An authoritative log in the app’s Forge storage (the source of truth for exports and external audit).
  - A best-effort summary written to the Checklist Audit Log custom field, so recent activity surfaces in Jira’s native History tab.
- Tamper-evident, not cryptographically immutable. The log is automated and protected by Jira’s field-level access controls; it is not a blockchain. Any marketing or internal control documentation should describe it as an automated audit trail, not as immutable.
Issue State Locking
A SOC 2-aligned guarantee that no one can quietly alter a closed ticket’s Definition of Done.
- When an issue’s status enters the Done status category — Done, Closed, Resolved, or any custom status mapped to that category — the checklist becomes read-only.
- All mutation operations (check, uncheck, edit, delete, reorder, apply template) are rejected both in the UI and on the backend, so API and Automation paths cannot bypass the lock either.
- The checklist remains visible and exportable; only modification is blocked.
CSV Audit Export
Pulled by authorised users (Jira Admins, Project Admins) for evidence collection.
- Per-issue export — directly from the checklist panel on a single issue.
- Bulk per-project export — from the Export tab of the Admin Dashboard, paginated for large estates.
- Auditor-friendly columns — the Issue Key column uses the human-readable Jira key (e.g. CMSP-7) so auditors can cross-reference straight back to the issue.
- OWASP formula-injection protection — leading =, +, -, @, tab, and CR characters in user-controlled fields are neutralised so opening the CSV in Excel or Google Sheets cannot execute formulas.
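The neutralisation step described above, shown as an added illustration rather than the app's own export code: any cell whose first character is one of the OWASP formula triggers gets a leading apostrophe, and every cell is then quoted RFC 4180-style so embedded commas, quotes and newlines stay inside the field. The event shape in SAMPLE_EVENTS and the column names are assumptions for the example only.

```javascript
// Added example (not the app's own code): neutralise user-controlled text before
// it lands in a CSV so spreadsheet software treats it as data, never as a formula.
// Trigger set follows the OWASP CSV-injection guidance the page references.

const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Returns the text with a leading apostrophe if a spreadsheet would otherwise
// interpret it as a formula, then quotes it as a CSV field (RFC 4180 style).
function neutraliseCell(value) {
  let text = value === null || value === undefined ? "" : String(value);
  if (text.length > 0 && FORMULA_TRIGGERS.has(text[0])) {
    text = "'" + text;
  }
  // Always quote and double embedded quotes so commas/newlines cannot split the field.
  return '"' + text.replace(/"/g, '""') + '"';
}

// Joins already-neutralised cells into one CSV record.
function toCsvRow(cells) {
  return cells.map(neutraliseCell).join(",");
}

// Constructed sample audit events; the field names are an assumption, not the
// app's real storage schema. The second item text is a benign formula used to
// show that it is written out as literal text.
const SAMPLE_EVENTS = [
  { issueKey: "CMSP-7", event: "check", itemText: "Backups verified", actor: "acct-1" },
  { issueKey: "CMSP-7", event: "edit", itemText: "=SUM(A1:A2)", actor: "acct-2" },
];

// Builds a complete export: header row plus one neutralised row per event.
function buildAuditCsv(events) {
  const header = toCsvRow(["Issue Key", "Event", "Item Text", "Actor"]);
  const rows = events.map((e) => toCsvRow([e.issueKey, e.event, e.itemText, e.actor]));
  return [header, ...rows].join("\r\n");
}

console.log(buildAuditCsv(SAMPLE_EVENTS));
```

Note that the apostrophe prefix also applies to legitimate negative numbers such as "-5"; that is the accepted trade-off of the OWASP approach, since the exported value remains readable to an auditor.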
Workflow Enforcement
The Checklist Complete workflow validator blocks transitions to a target status unless every checklist item is checked. Issues with no checklist pass the validator (so legacy tickets are not stranded). Combined with state locking, this gives you both a gate before close and a freeze after close.
Native Notifications & Automation
- Watcher / assignee notifications fire natively on item completion (admin-toggleable), so the collaboration loop is not silent.
- Every check / uncheck writes to the issue property enterprise-checklist-event, which any Jira Automation rule can consume via the Issue property changed trigger — for evidence routing into ticketing, GRC, or chat tools.
Mapping to Common Frameworks
| Framework | Control area | How the app helps |
|---|---|---|
| SOC 2 | CC7.2 / CC8.1 — change management & monitoring | Automated audit trail of every checklist mutation; state locking on Done; CSV evidence export. |
| SOX | ITGC change controls | Checklist Complete validator on production-impacting transitions; bulk audit export per project. |
| HIPAA | §164.308(a)(1) administrative safeguards | Cloud Infrastructure ePHI Baseline starter template; per-project enablement; restricted edit permissions inherited from Jira. |
| ITIL | Change & incident management | Incident Management and Production Deployment starter templates with Read-Do typing for sequential procedures. |
| ISO 27001 | A.12.1.2 change management | Append-only template sync preserves local edits; auditor-readable CSV export. |
GDPR & Data Residency
- Forge data boundaries. All checklist data lives within Atlassian’s Forge storage, inheriting Atlassian’s data residency commitments.
- Personal Data Reporting API. A weekly scheduled job reports tracked Atlassian account IDs to Atlassian’s Personal Data Reporting API.
- Right to be forgotten. When Atlassian signals an account is closed, all checklist records referencing that account are anonymised — the account ID is replaced with a sentinel value, while audit log integrity is preserved.
Accessibility
- WCAG 2.1 Level AA compliant.
- All interactions — check, uncheck, edit, reorder, delete, apply template — are fully keyboard-navigable and screen-reader compatible.
Security
- Input validation at every entry point (UI, REST, automation paths).
- Markdown sanitisation on render to prevent XSS in item text.
- CSV formula-injection protection as described above.
- No PII in application logs. Account IDs and display names never appear in operational logs.
- Concurrency safety. Simultaneous edits to the same checklist are guarded by optimistic concurrency control, so conflicting writes never cause silent data loss.
Internationalisation
The app currently ships in English. The UI is fully externalised for localisation.