Overview

Securing your ISMS Copilot account protects your sensitive compliance data, client information, and conversation history. This guide shows you how to choose the right authentication method, configure security settings, and follow best practices to keep your account safe.

Who This Is For

This article is for:

  • New users setting up their ISMS Copilot account

  • Security-conscious professionals handling sensitive data

  • Compliance consultants managing multiple client projects

  • Anyone who wants to improve their account security

Before You Begin

What You'll Need

  • An active email address for account notifications

  • Access to a strong password manager (recommended)

  • Optional: Google or Microsoft account for OAuth authentication

For maximum security, use a password manager like 1Password, Bitwarden, or LastPass to generate and store unique passwords for each service you use.

Choosing an Authentication Method

ISMS Copilot offers three authentication methods. Choose the one that best fits your security requirements:

Option 1: Email & Password (Good Security)

Best for:

  • Users who prefer traditional authentication

  • Organizations that don't use Google or Microsoft

  • Users who want complete control over credentials

Security level: Good (if using a strong, unique password)

How to set up:

  1. Go to the ISMS Copilot login page

  2. Click Sign Up

  3. Enter your email address

  4. Create a strong password that meets all requirements:

    • Minimum 8 characters

    • At least one uppercase letter (A-Z)

    • At least one lowercase letter (a-z)

    • At least one number (0-9)

    • At least one special character (!@#$%^&*()_+-=[]{}|;':"<>?,./`)

  5. Check the box: I agree to the terms and conditions and the data processing agreement

  6. Click Create account

Expected result: "Success! Please check your email to confirm your account."

Never reuse passwords across different services. If one service is compromised, attackers could access all your accounts using the same password. Always use a unique password for ISMS Copilot.

Option 2: Google OAuth (Better Security)

Best for:

  • Users with Google Workspace or Gmail accounts

  • Organizations already using Google for authentication

  • Users who want to enable Google's 2-Step Verification

Security level: Better (especially if Google 2FA is enabled)

How to set up:

  1. Go to the ISMS Copilot login page

  2. Click Continue with Google

  3. Select your Google account

  4. Review the permissions request

  5. Click Allow to grant access

Expected result: You're automatically logged in and redirected to the ISMS Copilot home page.

When you use Google OAuth, ISMS Copilot never sees or stores your Google password. Authentication is handled entirely by Google, and you can revoke access at any time through your Google account settings.

Option 3: Microsoft/Azure OAuth (Better Security)

Best for:

  • Users with Microsoft 365 or Azure AD accounts

  • Enterprise organizations using Microsoft authentication

  • Users who want to leverage Microsoft's multi-factor authentication

Security level: Better (especially if Microsoft MFA is enabled)

How to set up:

  1. Go to the ISMS Copilot login page

  2. Click Continue with Microsoft

  3. Enter your Microsoft email address

  4. Enter your Microsoft password

  5. Complete any MFA challenges if enabled

  6. Review the permissions request

  7. Click Accept to grant access

Expected result: You're automatically logged in and redirected to the ISMS Copilot home page.

Security Comparison

Method             Security Level   MFA Support           Best Use Case
Email & Password   Good             No (native)           Traditional authentication preference
Google OAuth       Better           Yes (via Google)      Google Workspace users
Microsoft OAuth    Better           Yes (via Microsoft)   Microsoft 365 / Azure AD users

Enabling Multi-Factor Authentication (MFA)

ISMS Copilot doesn't have native MFA, but you can add this security layer through OAuth providers.

For Google OAuth Users

  1. Go to https://myaccount.google.com/security

  2. Find the section 2-Step Verification

  3. Click Get Started

  4. Choose your verification method:

    • Google Authenticator app (most secure)

    • SMS text message (less secure but convenient)

    • Phone call

    • Security key (hardware token - highest security)

  5. Follow Google's setup instructions

  6. Save backup codes in a secure location

Expected result: Every time you log in to ISMS Copilot with Google, you'll need to provide your second factor.

For Microsoft OAuth Users

  1. Go to https://account.microsoft.com/security

  2. Click Advanced security options

  3. Find Two-step verification

  4. Click Set up two-step verification

  5. Choose your verification method:

    • Microsoft Authenticator app (most secure)

    • SMS text message

    • Phone call

    • Security key (FIDO2) (highest security)

  6. Follow Microsoft's setup instructions

  7. Save recovery codes in a secure location

Expected result: Every time you log in to ISMS Copilot with Microsoft, you'll need to provide your second factor.

Enabling MFA on your OAuth provider adds a critical security layer to your ISMS Copilot account. Even if someone steals your password, they cannot access your account without your second factor.

Password Security Best Practices

Creating a Strong Password

If you use email & password authentication, follow these guidelines:

Do:

  • Use at least 12-16 characters (longer is better)

  • Use a password manager to generate random passwords

  • Create a unique password for ISMS Copilot (never reuse)

  • Include uppercase, lowercase, numbers, and special characters

  • Use passphrases: "Compliance!Audit@2024#ISO27001" (easy to remember, hard to crack)

Don't:

  • Use personal information (name, birthday, company name)

  • Use common words or patterns ("Password123!")

  • Reuse passwords from other services

  • Share your password with colleagues

  • Write passwords on sticky notes or unencrypted files

Common password patterns like "Password123!" or "Welcome2024!" are the first combinations attackers try. These passwords can be cracked in seconds using automated tools.
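The sign-up requirements listed under Option 1 and the Do/Don't guidance above can be expressed as a single check. The following is an added example written for this article, not code from ISMS Copilot; it enforces the five sign-up rules exactly as listed, then reports the best-practice warnings (length under 12, a common password, a common word padded with digits and symbols, personal terms) separately, because a password can pass the sign-up minimum and still be weak. The common-password list is a constructed stand-in for a real breached-password corpus.

```javascript
// Added example (not ISMS Copilot's own code). Checks a candidate password
// against the sign-up requirements from this article and the best-practice
// recommendations, reporting them separately.

// Special characters exactly as listed in the sign-up requirements.
const SPECIAL_CHARS = "!@#$%^&*()_+-=[]{}|;':\"<>?,./`";

// Constructed denylist standing in for a real "commonly used passwords" list.
const COMMON_PASSWORDS = new Set(["password123!", "welcome2024!", "qwerty123!", "admin1234!"]);

// Common base words that attackers pad with digits/symbols ("Password123!").
const COMMON_WORDS = ["password", "welcome", "qwerty", "letmein"];

// Returns the sign-up requirements the password fails (empty array = accepted).
function checkSignupRequirements(password) {
  const failures = [];
  if (password.length < 8) failures.push("min-length-8");
  if (!/[A-Z]/.test(password)) failures.push("uppercase");
  if (!/[a-z]/.test(password)) failures.push("lowercase");
  if (!/[0-9]/.test(password)) failures.push("digit");
  if (![...password].some((c) => SPECIAL_CHARS.includes(c))) failures.push("special");
  return failures;
}

// Returns advisory warnings from the best-practices section. These are
// reported even when the sign-up minimum is met: meeting the minimum does
// not make a password strong.
function checkBestPractices(password, personalTerms = []) {
  const warnings = [];
  const lower = password.toLowerCase();
  if (password.length < 12) warnings.push("shorter-than-12");
  if (COMMON_PASSWORDS.has(lower)) warnings.push("common-password");
  // Strip digits and symbols so "Password123!" is recognised as "password".
  const core = lower.replace(/[^a-z]/g, "");
  if (COMMON_WORDS.includes(core)) warnings.push("common-word-plus-padding");
  // Personal information (name, company, birthday) supplied by the caller.
  for (const term of personalTerms) {
    if (term.length >= 3 && lower.includes(term.toLowerCase())) {
      warnings.push(`contains-personal:${term}`);
    }
  }
  return warnings;
}

// Combined verdict: accepted only if every sign-up rule passes; warnings
// are advisory and should be shown to the user either way.
function evaluatePassword(password, personalTerms = []) {
  const failures = checkSignupRequirements(password);
  const warnings = checkBestPractices(password, personalTerms);
  return { accepted: failures.length === 0, failures, warnings };
}

// Usage with the article's own examples:
console.log(evaluatePassword("Password123!"));
console.log(evaluatePassword("Compliance!Audit@2024#ISO27001"));
console.log(evaluatePassword("AcmeCorp2024!", ["Acme"]));
```

Note how "Password123!" is accepted by the sign-up rules but raises two warnings; a real sign-up form should show those warnings rather than silently accept the password.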

Password Reset Process

If you forget your password or suspect it's been compromised:

  1. Go to the ISMS Copilot login page

  2. Click Forgot your password?

  3. Enter your registered email address

  4. Click Send reset link

  5. Check your email inbox for a password reset message

  6. Click the reset link in the email (valid for 24 hours)

  7. Enter a new strong password

  8. Click Reset password

Expected result: "Password successfully reset. You can now log in with your new password."

If you don't receive the password reset email within 10 minutes, check your spam/junk folder. Some email providers incorrectly filter automated messages.

Configuring Data Retention

Control how long your conversation data is stored to balance security and compliance needs.

Setting Your Retention Period

  1. Click the user menu icon (top right corner)

  2. Select Settings

  3. In the Data Retention Period field, choose:

    • Short retention (1-30 days): For highly sensitive temporary work

    • Medium retention (90-365 days): For most compliance projects

    • Long retention (1-7 years): For projects requiring long-term records

    • Keep Forever: For permanent organizational knowledge base

  4. Click Save Settings

Expected result: Settings dialog closes and retention period is saved.

Data older than your retention period is automatically deleted every day. This deletion is permanent and cannot be undone. Set retention periods carefully based on your compliance and legal requirements.

Retention Recommendations by Use Case

Use Case                        Recommended Retention   Reasoning
Temporary consulting projects   90-180 days             Keep data through project completion plus buffer
Annual compliance audits        365-730 days            Retain evidence through next year's audit
Highly confidential work        30-60 days              Minimize exposure window for sensitive data
Organizational knowledge base   Keep Forever            Build institutional knowledge over time
ISO 27001 implementation        2-3 years               Cover initial certification + first recertification

Session Security

How Sessions Work

When you log in to ISMS Copilot:

  • A secure JWT (JSON Web Token) is generated

  • The token is stored in your browser's session storage

  • Each request to ISMS Copilot includes this token

  • Tokens expire automatically after a period of inactivity

  • Closing your browser clears the session storage
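To make the session model above concrete, here is an added example (not ISMS Copilot's own code) of a client-side session helper: it keeps a JWT in a storage object, attaches it to each request, and treats the token as logged out once its expiry has passed. The token is constructed in the example with a dummy signature, the `exp` claim name follows RFC 7519, and the in-memory `Map` stands in for the browser's `sessionStorage`, which is an assumption so that the code runs outside a browser. The real token's claims and the exact storage key are not documented on this page.

```javascript
// Added example (not ISMS Copilot's own code): a small client-side session
// helper modelled on the behaviour described above. The token format and
// the storage key "token" are assumptions for illustration.

// Decode one base64url segment. JWT segments omit "=" padding and use "-_"
// in place of "+/", so restore both before handing it to Buffer.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Read the payload claims WITHOUT verifying the signature. The browser only
// uses this for UX decisions (e.g. prompting for login); the server must
// verify the signature and expiry on every request regardless.
function parseJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 segments");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// A token with no numeric "exp" claim is treated as unusable.
function isExpired(token, nowSeconds) {
  const { exp } = parseJwtPayload(token);
  if (typeof exp !== "number") return true;
  return nowSeconds >= exp;
}

// Minimal stand-in for window.sessionStorage so this runs in Node. Real
// sessionStorage is per-tab and is cleared when the browser closes.
function createSession(storage = new Map()) {
  return {
    login(token) { storage.set("token", token); },
    // What "Logout" in the user menu does to the stored token.
    logout() { storage.delete("token"); },
    // Build request headers; refuse to send (and drop) an expired token.
    authHeaders(nowSeconds) {
      const token = storage.get("token");
      if (!token || isExpired(token, nowSeconds)) {
        storage.delete("token");
        return null;
      }
      return { Authorization: `Bearer ${token}` };
    },
  };
}

// Constructed token: header and payload base64url-encoded, dummy signature.
function makeDemoToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.dummysig`;
}

// Usage: a token that expires at t=1000 is sent at t=500 and refused at t=2000.
const session = createSession();
session.login(makeDemoToken({ sub: "user@example.com", exp: 1000 }));
console.log(session.authHeaders(500));
console.log(session.authHeaders(2000)); // null: expired, token dropped
```

The design point is that the client never decides a token is valid; it only decides when to stop using one. Decoding the payload locally tells the page when to send the user back to the login screen, but only the server's signature check makes the token trustworthy.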

Logging Out Securely

  1. Click the user menu icon (top right corner)

  2. Select Logout from the dropdown

  3. You'll be redirected to the login page

Expected result: Your session token is cleared and you must log in again to access ISMS Copilot.

Always log out when using shared or public computers. Anyone who accesses the computer after you could access your ISMS Copilot account if you remain logged in.

Session Best Practices

  • Don't leave ISMS Copilot open and unattended on shared computers

  • Close your browser when finished on public WiFi networks

  • Clear your browser cache periodically

  • Use private/incognito mode when accessing from shared devices

Workspace Security

Why Workspaces Matter for Security

Workspaces provide data isolation for different projects or clients:

  • Each workspace has separate conversation history

  • Uploaded files are tied to specific workspaces

  • Custom instructions stay within each workspace

  • Deleting a workspace removes all associated data

Secure Workspace Practices

For Compliance Consultants:

  1. Create one workspace per client

  2. Name workspaces clearly but avoid including sensitive client identifiers

  3. Set workspace-specific retention periods matching client contracts

  4. Delete workspaces when projects conclude

For Organizations:

  1. Create workspaces by project, department, or framework

  2. Limit who has access to sensitive workspace information

  3. Document workspace structure in your data inventory

  4. Archive or delete completed projects regularly

Use descriptive but non-sensitive workspace names. Instead of "Acme Corp - Financial Audit 2024", use "Client A - ISO 27001 Project" to reduce exposure if your screen is visible to others.

Deleting a Workspace

  1. Go to the Workspaces page

  2. Find the workspace you want to delete

  3. Click the Delete button on the workspace card

  4. A confirmation dialog appears: "Are you sure?"

  5. Click Delete to confirm

Expected result: The workspace and all its conversations, files, and custom instructions are permanently deleted.

Workspace deletion is immediate and permanent. Export any important data before deleting a workspace. This action cannot be undone.

Browser Security Settings

Keep Your Browser Updated:

  • Enable automatic browser updates

  • Use current versions of Chrome, Firefox, Safari, or Edge

  • Avoid outdated browsers (Internet Explorer, old Safari versions)

Privacy Settings:

  • Enable "Do Not Track" in browser settings

  • Block third-party cookies

  • Clear browsing data periodically

  • Use HTTPS-only mode if available

Extensions & Add-ons:

  • Only install trusted browser extensions

  • Review extension permissions carefully

  • Disable or remove unused extensions

  • Be cautious with extensions that modify web pages

Network Security

Safe Networks for ISMS Copilot

Recommended Networks:

  • Your organization's secure WiFi

  • Your home WiFi (with WPA3 or WPA2 encryption)

  • Mobile data connection (4G/5G)

  • Trusted VPN connection

Networks to Avoid:

  • Public WiFi at cafes, airports, or hotels (unless using VPN)

  • Open networks without passwords

  • Networks with suspicious or unfamiliar names

  • Public computers at internet cafes or libraries

Public WiFi networks can be monitored by attackers. Although ISMS Copilot uses HTTPS encryption, avoid accessing sensitive compliance data on public networks unless using a trusted VPN.

Using a VPN

If you must access ISMS Copilot on public networks:

  1. Use a reputable VPN service (NordVPN, ExpressVPN, ProtonVPN)

  2. Connect to the VPN before opening ISMS Copilot

  3. Verify the VPN connection is active (check for VPN icon)

  4. Access ISMS Copilot normally

  5. Log out and disconnect VPN when finished

Recognizing Security Threats

Phishing Attacks

Warning signs of phishing emails:

  • Sender email doesn't match @ismscopilot.com domain

  • Urgent language pressuring immediate action

  • Suspicious links (hover to preview URL before clicking)

  • Requests for password or payment information

  • Poor grammar or spelling errors

  • Generic greetings ("Dear User" instead of your name)

ISMS Copilot will NEVER ask you to provide your password via email, phone, or chat. Any such request is a phishing attempt. Report it immediately and do not respond.
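The first warning sign above, a sender that does not match the @ismscopilot.com domain, is easy to state and easy to get wrong: a naive "does the From: line contain ismscopilot.com" check is fooled by a display name that contains the legitimate address, and by domains that merely start with the legitimate one. The following is an added example written for this article, not ISMS Copilot's code, that parses the From: header properly and flags both tricks; the sample headers are constructed and use example domains.

```javascript
// Added example (not ISMS Copilot's own code): classify the From: header of
// an email against the "sender must be @ismscopilot.com" warning sign.

const LEGITIMATE_DOMAIN = "ismscopilot.com";
const BRAND = "ismscopilot"; // used for lookalike detection

// Parse 'Display Name <user@domain>' or a bare 'user@domain'. Returns null
// when there is no usable address. The domain is lower-cased for comparison.
function parseFrom(fromHeader) {
  const m = fromHeader.match(/^\s*(.*?)\s*<([^<>]+)>\s*$/);
  const displayName = m ? m[1].replace(/^"|"$/g, "") : "";
  const addr = (m ? m[2] : fromHeader).trim();
  const at = addr.lastIndexOf("@");
  if (at < 1 || at === addr.length - 1) return null;
  return { displayName, local: addr.slice(0, at), domain: addr.slice(at + 1).toLowerCase() };
}

// Verdict plus the reasons behind it. Only the real address domain decides
// legitimacy; the display name is free text and is never trusted.
function classifySender(fromHeader) {
  const parsed = parseFrom(fromHeader);
  if (!parsed) return { verdict: "suspicious", reasons: ["unparseable-address"] };
  const reasons = [];
  if (parsed.domain !== LEGITIMATE_DOMAIN) {
    reasons.push("domain-mismatch");
    // Lookalike: brand name embedded in an unrelated domain, e.g.
    // "ismscopilot.com.verify.example" or "isms-copilot.com".
    if (parsed.domain.replace(/[^a-z0-9]/g, "").includes(BRAND)) reasons.push("lookalike-domain");
    // Display-name spoof: the legitimate address shown as the name while the
    // actual sender is somewhere else.
    if (parsed.displayName.toLowerCase().includes(LEGITIMATE_DOMAIN)) reasons.push("display-name-spoof");
  }
  return { verdict: reasons.length ? "suspicious" : "ok", reasons };
}

// Triage a batch of From: header values, returning one verdict per header.
function triageSenders(fromHeaders) {
  return fromHeaders.map((h) => ({ from: h, ...classifySender(h) }));
}

// Constructed sample headers (not real mail): one legitimate, three lures.
const SAMPLE_FROM_HEADERS = [
  "ISMS Copilot Support <support@ismscopilot.com>",
  '"support@ismscopilot.com" <alerts@mail-verify.example>',
  "noreply@ismscopilot.com.account-check.example",
  "Account Security <security@isms-copilot.com>",
];

for (const r of triageSenders(SAMPLE_FROM_HEADERS)) console.log(r);
```

This check only covers the first bullet of the warning-sign list; the other signs (urgency, credential requests, mismatched link targets) need the message body, and a domain match alone is not proof of legitimacy since From: headers can be forged without domain authentication on the receiving side.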

What to Do If You Suspect Phishing

  1. Do not click any links in the suspicious email

  2. Do not download any attachments

  3. Do not reply to the email

  4. Forward the email to ISMS Copilot support

  5. Delete the email from your inbox

  6. If you clicked a link, change your password immediately

Account Monitoring

Regular Security Checks

Perform these checks monthly:

  1. Review your workspaces: Check for any unfamiliar workspaces or conversations

  2. Audit conversation history: Look for messages you didn't send

  3. Check account settings: Verify email address and retention period haven't changed

  4. Review billing information: Premium users should check subscription status

Signs of Unauthorized Access

Contact support immediately if you notice:

  • Workspaces you didn't create

  • Conversations or messages you don't recognize

  • Changes to account settings you didn't make

  • Unexpected password reset emails

  • Login notifications from unfamiliar locations (if implemented)

Incident Response

If Your Account Is Compromised

  1. Change your password immediately

    • Use the password reset process

    • Create a new, unique password

  2. Review account activity

    • Check all workspaces for unauthorized changes

    • Review conversation history

    • Check uploaded files

  3. Contact ISMS Copilot support

    • Report the security incident

    • Request audit logs if available

    • Follow support's remediation guidance

  4. Notify affected parties

    • If client data may have been accessed, notify clients

    • Document the incident for your compliance records

    • Follow your organization's incident response procedures

If you discover a data breach involving client information, you may have legal obligations to report it under GDPR or other regulations. Consult your legal or compliance team immediately.

Security Checklist

Initial Setup

  • ✓ Choose authentication method (OAuth with MFA recommended)

  • ✓ Create strong, unique password (if using email authentication)

  • ✓ Verify email address

  • ✓ Enable MFA on OAuth provider

  • ✓ Set appropriate data retention period

  • ✓ Review and accept privacy policy

Ongoing Security

  • ✓ Log out on shared computers

  • ✓ Avoid public WiFi without VPN

  • ✓ Keep browser updated

  • ✓ Review account activity monthly

  • ✓ Delete completed workspaces

  • ✓ Update passwords quarterly (email authentication)

  • ✓ Be vigilant for phishing attempts

Limitations

Features Not Currently Available

  • Native multi-factor authentication (use OAuth providers instead)

  • Session management dashboard (can't view active sessions)

  • Login alerts for new devices or locations

  • IP address whitelisting

  • Hardware security key support (FIDO2/WebAuthn)

  • Single Sign-On (SSO/SAML) for enterprises

What's Next

Getting Help

If you need security assistance:

  • Contact support through the Help Center menu

  • For suspected security incidents, mark your message as urgent

  • For password resets, use the "Forgot your password?" link

  • Check the Status Page for service issues
