0. Start
The diagram below shows the overall space architecture. Colour coding is intentional: teal links the Fundamental tier to the All Staff audience, blue links the Advanced tier to IT staff. Click any node for a deeper dive.

The architecture rationale
The design rests on a two-tier control model sitting beneath a single unified policy layer. Every framework you've listed maps cleanly into one of two tiers:
The Fundamental tier is your lowest common denominator: CMMC Level 1 (17 basic safeguarding practices from FAR 52.204-21), DEFSTAN Level 0 (the entry-level defence supplier baseline), and Cyber Essentials (the UK government's 5-control technical baseline covering firewalls, secure configuration, access control, malware protection, and patch management). The overlap between these three is substantial — roughly 80% of controls are shared — so a single set of Confluence pages can satisfy all three simultaneously, with small callout blocks noting any framework-specific nuance.
The Advanced tier is where NIST 800-171's 110 controls (which are identical to CMMC Level 2), the full DEFSTAN 05-138 control set, and ISO 27001 Annex A's 93 controls live. These require more technical depth and are authored primarily for your IT and security teams, not general staff.
ISO 27001's management system requirements (clauses 4–10) sit above the tiers as the policy governance layer. These clauses drive the 12 policies in the left column and apply universally — they provide the PDCA engine that keeps the whole system alive.
Confluence space structure
Here is the recommended page hierarchy. You should create this as a dedicated Confluence space (e.g. ISMS) rather than nesting it in an existing product space.
00 · About this space — A home page explaining the system, who owns it, how to use it, and a quick-reference table showing which section is relevant to each role. This is the first page every new employee should read.
01 · Policies — One child page per policy, each authored using a consistent template: purpose, scope, policy statements, roles and responsibilities, exceptions process, and review schedule. Each policy page should carry a Confluence label for its controlling framework(s) (e.g. iso27001, nist800171) so you can filter and report across them.
02 · Fundamental controls — This is the heart of what all staff and third parties need to follow. Structure child pages around the five Cyber Essentials domains (they provide the most accessible structure for non-technical readers). Within each page, use Scroll Content Manager content variants to reveal deeper CMMC Level 1 or DEFSTAN Level 0 detail only to the audiences that need it. For example, the Access Control page shows a simple "what you must do" summary to all staff, and reveals specific Active Directory configuration requirements to IT staff.
03 · Advanced controls — Organised around NIST 800-171's 14 control families (Access Control, Awareness and Training, Audit and Accountability, etc.), since these map well to DEFSTAN 05-138 and ISO 27001 Annex A. Each control family page should contain a master table showing the NIST control number, the corresponding ISO 27001 Annex A control(s), and the DEFSTAN reference. This becomes your authoritative cross-walk. Visible only to IT/technical staff and security team audiences in Scroll Content Manager.
04 · User guidance hub — Scenario-based guidance written in plain language: "How do I handle a suspected phishing email?", "What do I do before travelling with a company laptop?", "How do I share files with a third party securely?" Each scenario page uses SCM variants so the guidance depth adjusts by role without maintaining separate copies.
05 · Risk register — A structured Confluence page (or linked Jira board if your team uses Jira for tracking) formatted to capture asset, threat, vulnerability, likelihood, impact, risk score, treatment decision, and residual risk. This simultaneously satisfies ISO 27001 clause 6.1.2, NIST 800-171 3.11.1–3.11.3, and DEFSTAN's risk assessment requirements.
06 · Audit and evidence — A running log of completed control reviews, internal audit findings, corrective actions, and management review minutes. Use Confluence's native table macros or a linked spreadsheet. This is the section that an assessor or auditor will want to see.
07 · Reference library — Your cross-framework control mapping, a glossary, document templates (risk assessment form, incident report, supplier questionnaire), and a change log for the space itself.
Scroll Content Manager configuration
SCM's "Content Variants" feature (available in Scroll Content Manager Pro) is exactly what you need. You define variants as Confluence user groups, and content authors wrap sections in SCM macros that show or hide based on group membership.
Define the following Confluence groups and map them to SCM variants: isms-all-staff (default, fallback for everyone), isms-it-staff, isms-management, isms-security, and isms-third-party. Every page in the space should default to showing the isms-all-staff variant, with additional sections wrapped in conditional macros for elevated groups. This avoids creating parallel pages — a single "Access Control" page serves all audiences through layered disclosure.
A practical SCM page structure for a controls page would look like: an opening summary visible to everyone, a "what this means for you" block in an isms-all-staff variant, then a collapsible technical procedure block in an isms-it-staff variant, then an audit evidence table in an isms-security variant. Management users see an executive summary block with risk rating and compliance status rather than the technical detail.
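To make the layered-disclosure rule concrete, here is an added Python model of how a controls page resolves for a given user. It is example code written for this plan, not Scroll Content Manager's own API: the group names are the ones defined above, but the Block/Page structures, the "default layer shows to everyone, unknown variant fails closed" rules, and the lint check are assumptions made to illustrate the design.

```python
"""Added example (not from the original page): models the layered
disclosure described for Scroll Content Manager content variants.
Group names match the page; the data structures and resolution rules
are assumptions for illustration, not SCM's real behaviour or API."""
from __future__ import annotations

from dataclasses import dataclass, field

# Group names from the page; isms-all-staff is the default/fallback variant.
DEFAULT_VARIANT = "isms-all-staff"
KNOWN_VARIANTS = {
    DEFAULT_VARIANT,
    "isms-it-staff",
    "isms-management",
    "isms-security",
    "isms-third-party",
}


@dataclass
class Block:
    """One section of a controls page, tagged with the variant allowed to see it.
    variant=None means unconditional (e.g. the opening summary)."""
    title: str
    variant: str | None = None


@dataclass
class Page:
    title: str
    blocks: list[Block] = field(default_factory=list)


def visible_blocks(page: Page, user_groups: set[str]) -> list[str]:
    """Return the block titles a user sees, in page order.

    Assumed rules: unconditional blocks always show; the default variant
    shows to everyone, so elevated users get the all-staff guidance plus
    their own layer; a block tagged with an undefined variant is hidden
    (fail closed) rather than falling back to showing it to all staff."""
    shown = []
    for block in page.blocks:
        if block.variant is None or block.variant == DEFAULT_VARIANT:
            shown.append(block.title)
        elif block.variant in KNOWN_VARIANTS and block.variant in user_groups:
            shown.append(block.title)
    return shown


def lint_page(page: Page) -> list[str]:
    """Authoring check: every page needs an all-staff layer, and no block may
    reference a variant that is not a defined group (a typo would otherwise
    silently hide content from the audience that needs it)."""
    problems = []
    if not any(b.variant in (None, DEFAULT_VARIANT) for b in page.blocks):
        problems.append(f"{page.title}: no content visible to {DEFAULT_VARIANT}")
    for b in page.blocks:
        if b.variant is not None and b.variant not in KNOWN_VARIANTS:
            problems.append(
                f"{page.title}: block '{b.title}' uses undefined variant '{b.variant}'"
            )
    return problems


# Constructed sample page following the structure described above.
ACCESS_CONTROL = Page("Access Control", [
    Block("Opening summary"),
    Block("What this means for you", DEFAULT_VARIANT),
    Block("Technical procedure (AD configuration)", "isms-it-staff"),
    Block("Audit evidence table", "isms-security"),
    Block("Executive summary: risk rating and status", "isms-management"),
])

if __name__ == "__main__":
    for groups in ({DEFAULT_VARIANT}, {DEFAULT_VARIANT, "isms-it-staff"},
                   {"isms-management"}):
        print(sorted(groups), "->", visible_blocks(ACCESS_CONTROL, groups))
    print("lint:", lint_page(ACCESS_CONTROL))
```

The fail-closed choice matters: if an author mistypes a variant name, the safer outcome is that the block disappears and the lint flags it, not that IT-only configuration detail is shown to every employee and third party.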
Implementation roadmap
I'd recommend a phased approach. In the first phase (weeks 1–4), build the space skeleton and the 12 policy pages — this gets your ISO 27001 policy layer in place immediately and gives you something to show leadership. In the second phase (weeks 5–10), build out the Fundamental tier pages, configure SCM variants for all-staff and third-party audiences, and publish the user guidance hub. This delivers CMMC Level 1 and Cyber Essentials coverage. In the third phase (weeks 11–20), build the advanced controls section with the NIST 800-171 / DEFSTAN 05-138 / ISO 27001 Annex A cross-walk, and enable the IT staff and security SCM variants.
Click any node in the diagram above to get detailed content guidance for that section. I'd suggest starting with the Fundamental tier — want me to produce the full control list and page-by-page content plan for that first?