ISMS Search Playbook

Rafia Rizwan

March 12, 2026

A practical guide showing how to build fast ISMS search in SharePoint using metadata, saved views, and naming standards to retrieve policies, risks, and evidence in seconds.

Retrieval • Audit Speed • SharePoint Views • “Where Is It?” Fix

ISMS Search Playbook

Find Any Policy, Risk, or Evidence in 10 Seconds Using SharePoint Views (No More “Where Is It?”)

The fastest way to break audit readiness is simple: people can’t find the right document at the right time.
If your ISMS lives in SharePoint, you can fix this without buying new tools by designing views, metadata, and saved filters
that turn SharePoint into a 10-second ISMS search engine.
Here’s the playbook we use in our SharePoint ISMS solution.

What breaks audits

Proof exists, but people can’t retrieve it fast.

What fixes it

Metadata + saved views for repeat questions.

The goal

10 seconds from question → evidence.

The real ISMS problem isn’t missing controls it’s missing retrieval

Most teams have the evidence somewhere: a policy PDF, a vendor SOC report, an access review spreadsheet, a risk acceptance approval, a management review minutes pack.
But when someone asks for a specific item, the team starts hunting folders and chats.

High intent truth

If your ISMS can’t retrieve proof quickly, it’s not operational. It’s an archive.

The 10-Second Rule (what “good” looks like)

A SharePoint ISMS should let you answer these instantly:

“Show me the latest approved Access Control Policy.”
“Show me all active high risks.”
“Show me evidence for ISO A.5.23 for the last quarter.”
“Show me expiring risk acceptances in the next 30 days.”
“Show me vendor due diligence for our critical vendors.”

If it takes longer than 10 seconds, you don’t need more folders you need better views.

The 3 ingredients of 10-second ISMS search

Metadata

Tag content so it can be filtered fast.

Views

Saved filters that answer repeat questions.

Naming standards

So humans can scan quickly.

Step 1: Use the right SharePoint objects for each ISMS item

Policies → Document Library (versioning + approvals)
Procedures/Runbooks → Document Library
Evidence → Document Library (evidence period + control tags)
Risks → SharePoint List (structured fields, not documents)
Risk acceptances/exceptions → SharePoint List (+ linked evidence)
Vendors → SharePoint List (+ linked evidence)
Internal audits → List (findings) + Library (reports/evidence)
Management reviews → Library (minutes packs) + List (actions)

Lists filter better than folders. That’s why this matters.

Step 2: Add the metadata that makes views powerful

If you add only a few columns, add these. This is what turns SharePoint into a real ISMS search engine.

A) Policies library metadata (minimum)

Document type: Policy
Status: Draft / Approved / Retired
Owner
Framework: ISO / SOC 2 / Both
Review date (next review due)
Applies to: Org / Product / Team (optional)

B) Evidence library metadata (minimum)

Evidence type (Access review / Log review / Vendor review / Incident / Change / Training)
Framework: ISO / SOC 2 / Both
Control ID(s): A.5.23, CC6.1, etc.
Evidence period: Month / Quarter / Year (e.g., 2026-Q1)
Owner
Approved: Yes/No + approval date

C) Risks list fields (minimum)

Risk ID
Title
Risk owner
Category: Identity / Cloud / Vendor / App / Privacy / Availability
Inherent rating: High/Med/Low
Residual rating: High/Med/Low
Status: Active / Mitigating / Accepted / Closed
Review date
Related controls (optional)

D) Risk acceptance list fields (minimum)

RA ID
Linked risk
Exception type (patching, vendor, logging, etc.)
Approver
Acceptance date
Expiry date (required)
Conditions/compensating controls
Evidence link

Step 3: Build the saved views that answer 80% of ISMS questions

These are the views we recommend. They’re designed for speed and audits.

Area	View name	Filter / Group / Sort	Use case
Policies	1) Approved Policies (Current)	Status = Approved; Sort Title A–Z	Instant “current version” retrieval
Policies	2) Policies Due for Review (Next 60 Days)	Review date within 60 days; Sort by review date	Prevents expired policy findings
Policies	3) Policies by Framework	Group by Framework (ISO/SOC2/Both)	Quick ISO vs SOC proof
Evidence	4) This Quarter’s Evidence Pack	Evidence period = current quarter	Internal audits + management review prep
Evidence	5) Evidence Missing Approval	Approved = No	Closes the loop (upload ≠ reviewed)
Evidence	6) Evidence by Control ID	Filter Control ID contains (A.5.23 / CC6.1)	Instant control-to-evidence traceability
Evidence	7) ISO Evidence Only	Framework = ISO	ISO surveillance audits
Evidence	8) SOC 2 Security Evidence Only	Framework = SOC 2; Evidence type in (Access/Change/Logging/Incident/Vendor)	Type II operating evidence
Evidence	9) Evidence Due Soon (Next 30 Days)	Next due date within 30 days (if tracked)	Creates cadence without chasing
Risks	10) Top Risks (High Residual)	Residual = High; Status ≠ Closed	Leadership reporting
Risks	11) Risks by Category	Group by Category	Shows concentration (vendor/cloud/identity)
Risks	12) Risks Needing Review (Next 30 Days)	Review date within 30 days	Prevents stale risk registers
Risk acceptance	13) Expiring Risk Acceptances (Next 60 Days)	Expiry within 60 days; Status = Active	Avoid “accepted forever” findings
Risk acceptance	14) Risk Acceptances Without Compensating Controls	Compensating controls is blank	Forces defensible acceptances
Vendors	15) Critical Vendors – Review Status	Tier = Critical; Sort next review due	Board pack + audit sampling
Vendors	16) Vendors Missing Assurance	Assurance type = None OR Expired	Stops vendor due diligence gaps

Step 4: Add one “ISMS Search Home” page (your shortcut dashboard)

Create a SharePoint page called ISMS Search with buttons to your top views. This reduces training time dramatically.
People stop browsing folders and start using saved views.

Recommended buttons

Approved Policies
Evidence This Quarter
Evidence by Control ID (with a note: “filter by A.5.23 / CC6.1”)
Top Risks
Expiring Risk Acceptances
Critical Vendors

Step 5: Make your naming conventions support search (not fight it)

Metadata powers views, but naming still matters for human scanning.

Policy naming

Policy – [Topic] – vX.X – Approved – YYYY-MM-DD

Evidence naming

[Control ID] – [Evidence Type] – [Period] – [Short Description]
CC6.1 – Access Review – 2026-Q1 – Admin Roles

A.5.23 – Vendor Review – 2026 – Cloud Provider

The auditor test (do this once and your ISMS gets stronger)

Pick one control and attempt a 10-second retrieval:

Test

“Show evidence for ISO 27001 A.5.23 cloud services for last quarter.”

If a view can filter to: Control ID = A.5.23 and Evidence period = 2026-Q1, you pass.
If not, you don’t need new tools. You need better tagging and views.

Want your ISMS to feel like “Google for audit evidence”?

We’ll configure metadata and saved views so your team can answer auditor and customer questions in seconds not half an hour.

Book a “10-Second Search” Demo

Download the ISMS SharePoint Views Pack

Want the exact view list and column design? Download our ISMS Search Playbook + Views Pack.

Pack includes:

recommended metadata columns (Policies, Evidence, Risks, Vendors)
16 saved views (filters + sorting)
naming conventions
ISMS Search Home page layout

Explore ISMS SharePoint Solution

Follow Canadian Cyber

Practical cybersecurity + compliance guidance:

Website

LinkedIn

YouTube

Instagram

TikTok

Website
Contact

2026

Mar

Corrective Action Register in SharePoint

A practical guide to creating a corrective action register in SharePoint that tracks audit findings, remediation actions, owners, deadlines, and verification evidence.

Rafia Rizwan