Opexo – Pre-built areas

Note – Opexo is now part of ISMS.online

Depending on the subscription option you have chosen, your opexo service comes with a powerful suite of pre-built areas to support you on the journey to ISO certification, and to make ongoing management and improvement thereafter much easier too.

These pre-built areas fall into four main types of initiative, each offering distinct features tailored to the job you need to get done at the time. In addition to the pre-built areas, opexo lets you create your own initiatives, allowing you to plan and deliver your business all in one place, beyond the core management system. So if you want to do other work on the platform once you are confident using the areas below, go right ahead (subject, of course, to reasonable use and the terms of opexo!).

Let’s take a brief look at each type of pre-built area below:



A place to organise and structure related work, by yourself or with others, in a SMART, auditable, well-governed fashion. Pre-built examples include:

ISO Policies & Controls

A workspace from which to describe and demonstrate effective management for all the relevant requirements, policies and controls to meet your ISO goals. This area also includes the integrated risk treatment plan. It helps you meet all the requirements for documentation of the management system and show that your regular reviews and approvals are happening, and it brings a host of other benefits.




Management Review Board

A workspace from which to demonstrate effective management reviews for the scope of the management system in line with 9.3.




Audit Plan and Delivery

A workspace to demonstrate the audit plan and delivery of the audits across the certification scope in line with 9.2.

Business Continuity Plan

A workspace from which to plan and deliver the BCP elements required in line with Annex A 17 from ISO 27001.

The service also comes with project frameworks for HR lifecycle management and managing information security in projects.


Tracks are great for moving and tracking (usually) small, unrelated pieces of work through a simple, consistent workflow process. Examples include:

Incidents, Nonconformities, Actions & Improvements

A workspace for tracking and managing work items in line with 10.2.

Information Security Incident Management

An initiative area to capture any recorded information security-specific incidents in line with ISO 27001:2013/17 Annex A 16 and determine what actions need to be taken to effectively address them and prevent future occurrences. It is also configured with GDPR and UK Data Protection Act 2018 requirements.




Information Asset Inventory

A workspace to capture and manage information assets in line with ISO 27001:2013 A8.1.1.




Other use case examples (not preconfigured) include GDPR personal data inventory records processing, subject access requests, patching management, business unit tasking, support ticket tracking, along with pipeline and ideas management.


Ideal for sharing and communicating simple unstructured information (notes, documents, discussions, tasks and KPIs) with a specific group of people, such as your entire organisation, a department, a team or just one colleague. You can also work with external colleagues in a similar fashion. It’s a bit like SharePoint or Dropbox but with all the other benefits of opexo wrapped around it too!

Team Communications & Awareness

A group for communications and awareness with staff (and other key interested parties) about the management system. You have to show how people are engaged and compliant, and this simple group approach helps with that if you don't have other easily auditable ways of communicating, tasking and discussing with those stakeholders.





Risk register and treatment plan

The treatment plan helps you track all your Risks in one place. Risks can be scored based on their likelihood and impact. Each Risk has its own treatment area so you can demonstrate your mitigations, set owners and reminders and ensure good risk management.

