ISMS Copilot
AI Safety

How ISMS Copilot Implements ISO 42001

ISMS Copilot is built on comprehensive ISO 42001:2023 compliance practices, demonstrating the same AI management system standards we help our customers achieve. This article provides transparency into how we implement AI governance, risk management, and lifecycle controls in our own platform.

Our ISO 42001 implementation is documented in our internal GRC (Governance, Risk & Compliance) repository with design documents, impact assessments, testing plans, and audit checklists—the same artifacts we recommend for our customers.

Who This Is For

This article is for:

  • Compliance professionals evaluating ISMS Copilot's AI governance maturity

  • Risk managers assessing AI management system controls

  • Auditors verifying ISO 42001 conformance evidence

  • Organizations seeking vendors with documented AI governance

AI System Classification

We've conducted a comprehensive AI Impact Assessment (AIIA) for ISMS Copilot 2.0:

Risk Classification:

  • Overall Score: 1.9 (Low Risk on 1-5 scale)

  • EU AI Act Classification: Limited Risk

  • Use Case: Compliance assistance and policy generation (not automated decision-making affecting legal rights)

What This Means:

  • ISMS Copilot is not classified as "high-risk" under EU AI Act definitions

  • No critical safety, legal rights, or infrastructure impacts

  • Transparency obligations apply (disclosure of AI use, human oversight emphasis)

  • Standard data protection and security controls sufficient

Our low-risk classification reflects our design philosophy: AI assists compliance professionals, never replaces them. All outputs require human review and professional judgment.

AI System Design Documentation

Our AI System Design Document (AI-SDD-001) serves as the primary engineering reference and ISO 42001:2023 evidence artifact. It documents:

Architecture Components:

  • Dynamic framework knowledge injection system (v2.5+)

  • Multi-provider AI integration (OpenAI, Anthropic, Mistral, xAI)

  • Infrastructure stack (Vercel Edge, Fly.io, Supabase)

  • Data flows and isolation boundaries

ISO 42001 Mapping:

Every design decision maps to specific ISO 42001 controls. For example:

  • A.4 (Resources): EU-hosted infrastructure (Frankfurt), GDPR-compliant processors

  • A.5 (Impact Assessment): Documented AIIA with bias, privacy, security, societal impact analysis

  • A.6 (Responsible Development): Secure development lifecycle, regression testing, SAST/DAST scanning

  • A.7 (Data Management): Zero data retention agreements, workspace isolation, user-controlled retention

  • A.8 (User Interaction): Transparency notices, human-in-the-loop design, verification disclaimers

  • A.9 (Responsible Use): Purpose limitation, jailbreak prevention, content scope guardrails

See our AI System Technical Overview for detailed architecture transparency.

AI Risk Management

We maintain a structured AI risk register addressing ISO 42001 Clause 6.1 requirements:

Key Risks Identified:

  • Hallucinations (R-AI-001): AI generating factually incorrect compliance guidance

  • Bias (R-AI-002): Unequal quality of responses across frameworks or regions

  • Privacy Leakage (R-AI-003): Accidental disclosure of training data or user content

  • Model Drift (R-AI-004): Performance degradation over time

  • Adversarial Attacks (R-AI-005): Jailbreaks, prompt injection, safety bypass attempts

Mitigation Controls:

  • Hallucinations: Dynamic framework knowledge injection (regex-based detection, verified knowledge provided to AI before response generation)

  • Bias: Regional parity testing (±20% depth threshold), multi-framework coverage expansion

  • Privacy: Zero data retention (ZDR) agreements with all AI providers, workspace isolation, encryption at rest

  • Drift: Continuous performance monitoring (P95 latency, user satisfaction scores), automated regression testing

  • Adversarial: Prompt injection protection, jailbreak prevention guardrails, content scope enforcement

Our risk register is reviewed quarterly and updated when new AI capabilities are deployed. All risks map to ISO 42001 Annex A controls.

Bias Testing & Fairness

Our AI Bias & Fairness Testing Plan addresses ISO 42001 A.5 (Impact Assessment) requirements:

Testing Methodology:

  • Regional Parity: Response quality measured across geographic contexts (EU, US, Asia-Pacific)

  • Framework Parity: Accuracy validated across all 9 supported frameworks (ISO 27001, GDPR, SOC 2, etc.)

  • Depth Threshold: No region/framework receives

  • Transparency: Model limitations disclosed in user-facing documentation

Current Results:

  • All frameworks meet parity thresholds (sample testing conducted)

  • No systematic bias detected in compliance guidance generation

  • Ongoing monitoring integrated into regression testing

Performance Monitoring

Our AI Model Performance Monitoring Plan ensures continuous compliance with ISO 42001 Clause 9 (Performance Evaluation):

Monitored Metrics:

  • Response Time: P95 latency target

  • Accuracy: Framework knowledge injection grounding validation

  • User Satisfaction: Target >80% satisfaction (measured through feedback)

  • Hallucination Rate: Tracked through user reports and automated detection

  • Error Rates: API failures, retrieval failures, timeout incidents

Monitoring Infrastructure:

  • Real-time performance dashboards (internal only)

  • Automated alerting for threshold breaches

  • Weekly performance reviews

  • Quarterly trend analysis and reporting

See our Status Page for real-time AI system availability and incident reporting.

AI Lifecycle Governance

We apply structured controls across the entire AI system lifecycle:

Design & Development (ISO 42001 A.6)

  • Requirements Definition: Functional, performance, safety, and data handling requirements documented for every AI feature

  • Security by Design: SAST/DAST scanning, prompt injection testing, adversarial testing

  • Regression Testing: 100% test pass required before deployment

  • Code Review: All AI system changes reviewed by senior engineers

Deployment (ISO 42001 A.8)

  • Pre-Deployment Validation: Checklist covering tests passed, security cleared, documentation updated, monitoring configured

  • Rollback Plans: Immediate rollback capability for failed deployments

  • User Communication: Release notes, changelog updates, feature announcements

Operation & Monitoring (ISO 42001 A.7)

  • Continuous Monitoring: Performance, accuracy, error rates tracked in real-time

  • Incident Response: 24-hour reporting for significant incidents (NIS2-aligned)

  • User Feedback Loops: Support tickets, feature requests, adverse impact reports reviewed regularly

Retirement (ISO 42001 Clause 8)

  • Data deletion processes aligned with user retention settings

  • Communication to users before feature deprecation

  • Knowledge retention for future system improvements

Internal Audit Process

We maintain an AI Management System Internal Audit Checklist covering all ISO 42001 clauses and Annex A controls:

Audit Scope:

  • Clause 4-10 compliance (context, leadership, planning, support, operation, performance evaluation, improvement)

  • Annex A control implementation (AI-specific controls)

  • Evidence collection (policies, risk assessments, testing records, monitoring logs)

Audit Frequency:

  • Annual comprehensive AIMS audit

  • Quarterly risk register reviews

  • Ad-hoc audits for major AI system changes

Findings Management:

  • Nonconformities (NCs) logged and tracked to closure

  • Opportunities for improvement (OFIs) prioritized in roadmap

  • Management review includes audit findings and corrective actions

Our internal audit process mirrors external certification audits, preparing us for potential third-party ISO 42001 certification in the future.

Zero Data Retention Commitment

All AI providers (OpenAI, Anthropic, Mistral, xAI) operate under Zero Data Retention (ZDR) agreements:

ZDR Terms:

  • No user data retained beyond request processing

  • No model training on customer content

  • GDPR-compliant data transfers (Standard Contractual Clauses)

  • Enterprise security standards enforced

Compliance Alignment:

  • ISO 42001 A.7.2: Data management and retention controls

  • GDPR Article 28: Processor obligations

  • ISO 27001 A.5.34: Privacy and protection of PII

See our Register of Processing Activities for detailed processor information and data flows.

Transparency & Disclosure

ISO 42001 A.8.3 requires transparency about AI system use. We implement this through:

User-Facing Disclosures:

  • Clear identification of AI-generated content (chat interface, assistant branding)

  • Limitations acknowledged in every AI interaction ("always verify critical information")

  • Model capabilities and constraints documented publicly

  • Human review emphasis ("AI assists, never replaces professional judgment")

Technical Transparency:

  • Architecture publicly documented (dynamic knowledge injection, multi-provider)

  • Testing practices disclosed (regression, bias, adversarial)

  • Monitoring metrics shared (performance targets, hallucination tracking)

  • Incident communication via status page and email alerts

Continuous Improvement

ISO 42001 Clause 10 requires ongoing AIMS improvement. Our practices include:

Feedback Integration:

  • User reports of hallucinations drive knowledge base updates

  • Security testing findings trigger safety enhancements

  • Performance monitoring identifies optimization opportunities

  • Regulatory changes reflected in documentation and controls

Innovation Pipeline:

  • New frameworks added to knowledge injection system (NIST 800-53, PCI DSS planned)

  • Enhanced bias testing for emerging use cases

  • Advanced monitoring capabilities (drift detection, adversarial pattern recognition)

  • Third-party ISO 42001 certification exploration

What This Means for Customers

Our ISO 42001 implementation provides assurance that:

  • Governance: AI systems are managed with structured policies, risk assessments, and lifecycle controls

  • Transparency: You have visibility into how AI works, what it can/can't do, and how we monitor it

  • Safety: Risks like hallucinations, bias, and privacy leakage are actively mitigated and monitored

  • Accountability: Clear ownership, incident response, and continuous improvement processes

  • Trust: We practice the same AI management standards we help you achieve

If you're pursuing ISO 42001 certification, our internal documentation (available on request for enterprise customers) can serve as reference implementation examples.

Documentation Access

Our ISO 42001 implementation documentation includes:

  • AI System Design Document (AI-SDD-001): Architecture, data flows, risk mappings

  • AI Impact Assessment (AI-IMP-001): Risk classification, EU AI Act alignment

  • AI Bias & Fairness Testing Plan: Methodology, thresholds, test results

  • AI Model Performance Monitoring Plan: Metrics, monitoring infrastructure, alerting

  • AIMS Internal Audit Checklist: Clause/control coverage, findings, evidence

Availability:

  • High-level summaries published in help center (this article, AI Safety collection)

  • Detailed technical documents available on request for enterprise customers and auditors

  • External Trust Center provides governance policies and certifications

What's Next

Getting Help

For questions about our ISO 42001 implementation or to request detailed documentation:

  • Contact support through the Help Center menu

  • Review the Trust Center for governance policies

  • Check the Status Page for AI system status

Was this helpful?