Overview
Kertos is Europe's leading all-in-one compliance platform built specifically for the European market, offering comprehensive solutions for privacy (GDPR, DSAR automation), information security (ISO 27001, SOC 2, TISAX), and AI governance (ISO 42001, EU AI Act). With its European data infrastructure, KAIA AI assistant, and extensive integration ecosystem, Kertos excels at automating compliance workflows and centralizing documentation. ISMS Copilot complements Kertos by providing specialized, framework-agnostic compliance expertise for nuanced interpretation, policy customization, strategic planning, and complex scenarios that require deep regulatory knowledge beyond platform automation.
Who This Is For
This guide is for:
European companies using Kertos who need expert guidance on NIS2, DORA, and EU-specific regulations alongside standard frameworks
Compliance teams managing multiple frameworks in Kertos who want AI assistance for cross-framework policy alignment
Organizations leveraging Kertos' automation who need help with custom control design and evidence quality assurance
Scale-ups and mid-sized businesses using Kertos who require deep compliance expertise without hiring full-time specialists
How Kertos and ISMS Copilot Work Together
What Kertos Does Best
Kertos excels as Europe's comprehensive compliance automation platform with deep EU regulatory focus:
Multi-framework management: Single platform for ISO 27001, ISO 42001, ISO 27701, SOC 2, TISAX, GDPR, NIS2, DORA, and EU AI Act—manage all compliance frameworks simultaneously with intelligent overlap mapping
Privacy automation: Complete Privacy Management System (PMS) with RoPA (Record of Processing Activities), automated DSAR (Data Subject Access Request) handling, Shadow IT discovery, and GDPR documentation generation
KAIA AI assistant: Built-in AI guide for intuitive compliance management, policy generation, and framework navigation within the Kertos platform
Certifiable ISMS: Automated ISMS setup for ISO 27001, TISAX, and other security certifications with continuous compliance monitoring
AI governance (AIMS): Dedicated AI Management System for ISO 42001 and EU AI Act compliance, including AI inventory, risk assessment, and responsible AI frameworks
EU regulatory focus: Purpose-built for European companies navigating GDPR, NIS2, DORA, and the EU AI Act with EU data residency
Extensive integrations: Over 100 integrations for automated asset discovery, data mapping, and evidence collection across your tech stack
Collaborative workflows: Document Management System (DMS) with team collaboration, approval workflows, and version control
Trust Center: Public-facing compliance portal for sharing certifications and security posture with customers
Expert support: Access to external DPO (Data Protection Officer) services and compliance specialists
Kertos' European advantage: Organizations using Kertos report 80% faster compliance achievement compared to traditional approaches. Kertos combines European regulatory expertise with powerful automation, making it ideal for companies navigating the complex EU compliance landscape while scaling internationally.
Where ISMS Copilot Adds Value
ISMS Copilot complements Kertos' automation with deep, framework-agnostic expertise for judgment-intensive compliance decisions:
1. EU Regulatory Interpretation and Guidance
Kertos provides frameworks and automation; ISMS Copilot offers nuanced interpretation of complex EU regulations:
NIS2 implementation: "We're subject to NIS2 as an essential entity. How do the NIS2 cybersecurity requirements map to our existing ISO 27001 controls in Kertos?"
DORA compliance: "As a fintech, we need DORA compliance. What additional security requirements exist beyond our SOC 2 certification, and how should we structure our ICT risk management?"
EU AI Act classification: "We're using AI for customer service and fraud detection. How should we classify these AI systems under the EU AI Act, and what compliance obligations result?"
GDPR edge cases: "We're processing employee data across multiple EU countries. What specific GDPR requirements apply to international data transfers within the EU?"
Best practice: Use ISMS Copilot to understand the "why" behind EU regulatory requirements before configuring Kertos workflows. This ensures your automation captures what regulators actually expect, not just what's easy to document.
2. Multi-Framework Policy Harmonization
Kertos manages multiple frameworks, but harmonizing policies requires compliance expertise:
Cross-framework alignment: "We're managing ISO 27001, SOC 2, GDPR, and NIS2 in Kertos. How should we structure a unified Information Security Policy that satisfies all four frameworks without redundancy?"
Policy customization: Upload Kertos-generated policy and ask: "Review this Data Protection Policy for a B2B SaaS company. What industry-specific requirements should we add beyond Kertos' templates?"
Regulatory completeness: "Does our Access Control Policy created in Kertos meet both ISO 27001:2022 and NIS2 technical requirements for identity and access management?"
AI governance policies: "We need to create AI governance policies for ISO 42001 and EU AI Act. What additional requirements exist beyond our existing ISO 27001 security policies in Kertos?"
3. Custom Control Design and Implementation
Kertos automates control monitoring, but designing effective controls requires understanding auditor expectations:
Control effectiveness criteria: "I'm using Kertos to monitor access reviews. What specific evidence should I collect to demonstrate ISO 27001 A.5.18 compliance to certification auditors?"
Technical implementation: "Kertos requires implementing encryption controls. What specific AWS configurations satisfy ISO 27001 A.8.24 and NIS2 encryption requirements?"
Control gap identification: "We have SOC 2 in Kertos and are adding TISAX for automotive customers. What TISAX-specific controls require implementation beyond SOC 2?"
Compensating controls: "We have a legacy system that can't meet standard MFA requirements. How should I design and document compensating controls for ISO 27001 compliance?"
4. AI Governance and EU AI Act Compliance
Kertos provides an AIMS framework, but AI governance requires specialized interpretation:
AI system classification: "We've documented our AI systems in Kertos' AI inventory. How should I classify each system under EU AI Act risk categories (minimal, limited, high, unacceptable)?"
Risk assessment depth: "What specific AI risks should we assess for ISO 42001 A.7.4 when using large language models for customer support?"
Transparency requirements: "The EU AI Act requires transparency for certain AI systems. What documentation and user notifications are required for our AI-powered recommendation engine?"
ISO 42001 implementation: "We're implementing ISO 42001 alongside ISO 27001 in Kertos. What are the key differences in controls, and where should we focus additional effort?"
5. Privacy and GDPR Deep-Dive Guidance
Kertos automates GDPR workflows, but complex privacy scenarios require expert interpretation:
Data processing basis: "We're creating RoPA in Kertos. For our marketing analytics, which legal basis should we use—legitimate interest or consent? What are the implications?"
DPIA requirements: "Kertos flags that we need a Data Protection Impact Assessment. What specific analysis should our DPIA include for our AI-powered hiring tool?"
International transfers: "We're using US-based cloud services. How should we document Schrems II compliance and supplementary measures in Kertos?"
DSAR complexity: "A customer submitted a complex DSAR requesting data across multiple systems. What's our legal obligation regarding data from third-party integrations we don't directly control?"
6. Strategic Compliance Planning
Kertos provides the platform; strategic decisions require compliance expertise:
Framework prioritization: "We need compliance for both EU and US customers. Should we pursue ISO 27001, SOC 2, or both? What's the optimal implementation sequence in Kertos?"
Scope definition: "How should we define our ISO 27001 certification scope in Kertos for a company with multiple products, geographic locations, and data processing operations?"
Certification timeline: "What are realistic milestones for achieving ISO 27001 and NIS2 compliance simultaneously using Kertos?"
Resource allocation: "Which compliance activities in our Kertos implementation require dedicated staff time vs. what the platform automates independently?"
7. Audit Preparation and Response
Kertos organizes evidence, but audit success requires understanding auditor thinking:
Mock audit questions: "Generate 30 likely ISO 27001 Stage 2 audit questions for a European scale-up, focusing on areas where auditors probe beyond automated evidence"
Evidence adequacy: "Kertos collected 12 months of access review evidence. Is this sufficient for ISO 27001 certification, or do auditors typically expect additional documentation?"
Auditor question interpretation: "The auditor asked about our 'risk treatment plan.' What are they looking for, and what evidence from Kertos should I reference?"
Exception documentation: "How should I document and justify the control exceptions flagged in Kertos for the certification audit?"
8. Vendor and Third-Party Risk Management
Kertos provides vendor management tools, but risk evaluation requires judgment:
Risk assessment criteria: "What specific security questions should I ask in Kertos' vendor assessments for SaaS providers processing personal data under GDPR?"
Criticality classification: "How should I classify vendors in Kertos' vendor management system to determine assessment frequency and depth for NIS2 supply chain requirements?"
DPA requirements: "What clauses must be included in Data Processing Agreements with our vendors to satisfy GDPR Article 28 requirements?"
Supply chain security: "NIS2 requires supply chain security measures. What specific controls should we implement for critical suppliers beyond standard vendor assessments?"
Complementary roles: ISMS Copilot doesn't replace Kertos' workflow automation, document management, or integration ecosystem. Instead, it provides the deep compliance expertise that helps you configure Kertos correctly, interpret complex requirements, and make strategic decisions that automation platforms can't make independently.
Common Workflows Combining Both Tools
Workflow 1: Multi-Framework Compliance Expansion
Scenario: You have ISO 27001 in Kertos and need to add NIS2 compliance.
In Kertos: Add NIS2 framework and review automated control mapping showing overlap with existing ISO 27001
In ISMS Copilot: Analyze gaps: "I have ISO 27001:2022 certification. What additional NIS2 requirements exist beyond my ISO controls, and where are the key differences?"
In ISMS Copilot: Implementation guidance: "For NIS2 incident reporting requirements, what incidents must be reported within 24 hours vs. 72 hours, and what information must reports include?"
In Kertos: Configure NIS2-specific controls, incident response workflows, and reporting templates based on ISMS Copilot guidance
In ISMS Copilot: Policy review: "Review this unified Security Policy to ensure it satisfies both ISO 27001 and NIS2 requirements"
In Kertos: Deploy updated policies and track compliance across both frameworks
Workflow 2: AI System Governance Implementation
Scenario: Implementing ISO 42001 and EU AI Act compliance for your AI products.
In ISMS Copilot: Understand requirements: "We're building an AI-powered customer support chatbot. What are our obligations under the EU AI Act, and does this qualify as a high-risk system?"
In ISMS Copilot: Risk assessment guidance: "What specific AI risks should we assess for this chatbot under ISO 42001, and what evidence should we collect?"
In Kertos: Document AI system in AIMS module, create AI inventory entry with classification and risk assessment
In ISMS Copilot: Control design: "What controls should we implement to ensure AI transparency and explainability for EU AI Act compliance?"
In Kertos: Implement controls, document in AIMS, and track ongoing compliance monitoring
In Kertos: Generate required AI governance documentation and integrate with broader ISMS
Workflow 3: GDPR Privacy Automation
Scenario: Automating GDPR compliance for a B2C company processing customer data.
In Kertos: Use Shadow IT discovery to identify all systems processing personal data
In ISMS Copilot: Legal basis determination: "For each data processing activity, how should I determine the appropriate legal basis—consent vs. legitimate interest vs. contract necessity?"
In Kertos: Create comprehensive RoPA with legal bases, data categories, retention periods, and international transfers
In ISMS Copilot: DPIA necessity: "Which processing activities require a DPIA under GDPR, and what should these assessments include?"
In Kertos: Configure automated DSAR workflows, set up employee training, and deploy privacy policies
In Kertos: Monitor ongoing GDPR compliance with automated checks and alerts
Workflow 4: Audit Preparation
Scenario: Preparing for ISO 27001 certification audit.
In Kertos: Review compliance dashboard, address flagged control gaps, ensure all documentation is current
In ISMS Copilot: Generate audit scenarios: "Create 25 likely ISO 27001 Stage 2 audit questions for a European SaaS scale-up, focusing on areas auditors typically probe beyond documentation"
In ISMS Copilot: Evidence review: "What manual evidence might certification auditors request that Kertos' automation doesn't automatically collect?"
Practice responses: Use ISMS Copilot to refine answers to anticipated questions
In Kertos: Organize all evidence in DMS, ensure audit trail completeness, grant auditor access
During audit: Reference Kertos for evidence; consult ISMS Copilot for complex question interpretation
Workflow 5: Policy Customization and Harmonization
Scenario: Creating unified policies for multiple frameworks.
In Kertos: Generate policy templates from Kertos library for ISO 27001, SOC 2, and GDPR
Export policies: Download policies for detailed review
In ISMS Copilot: Upload each policy: "Review this Information Security Policy for a European fintech. How can I harmonize this to satisfy ISO 27001, SOC 2, DORA, and NIS2 simultaneously?"
In ISMS Copilot: Industry requirements: "What additional requirements should we add for financial services regulation beyond standard frameworks?"
Customization: Edit policies based on ISMS Copilot recommendations
In Kertos: Upload finalized policies, deploy to employees via DMS, track acknowledgments and version control
Practical Examples
Example 1: NIS2 and ISO 27001 Control Mapping
Situation: Understanding how NIS2 requirements relate to existing ISO 27001 controls in Kertos.
Ask ISMS Copilot: "We have ISO 27001:2022 implemented in Kertos. What are the key differences between ISO 27001 security controls and NIS2 technical requirements? Where are the gaps we need to address?"
ISMS Copilot guidance: Identifies that NIS2 requires specific incident reporting timelines (24/72 hours), supply chain security measures beyond ISO 27001, and governance requirements like mandatory cybersecurity training for management. Explains which ISO controls map directly and which require enhancement.
Example 2: EU AI Act Risk Classification
Situation: Classifying AI systems in Kertos' AIMS module.
Ask ISMS Copilot: "We have three AI systems: (1) internal employee chatbot, (2) customer-facing product recommendation engine, (3) automated credit scoring for loan applications. How should each be classified under the EU AI Act risk framework?"
ISMS Copilot guidance: Explains that credit scoring is high-risk (affects access to essential services), recommendations are likely limited-risk (requiring transparency), and internal chatbot is minimal-risk. Details specific obligations for each category including conformity assessment, transparency requirements, and documentation needs.
Example 3: GDPR Legal Basis Determination
Situation: Completing RoPA in Kertos and selecting legal basis for processing.
Ask ISMS Copilot: "We're creating our RoPA in Kertos for a marketing automation platform. For analytics and personalization, should we use consent or legitimate interest as legal basis? What are the implications of each choice?"
ISMS Copilot guidance: Explains the balancing test for legitimate interest, consent requirements under GDPR, when each is appropriate, documentation requirements for each basis, and implications for user rights and DSAR responses.
Example 4: Cross-Framework Policy Writing
Situation: Creating a single policy that satisfies multiple frameworks.
Ask ISMS Copilot: Upload policy and ask: "Review this Incident Response Policy created in Kertos. How should I enhance it to simultaneously satisfy ISO 27001 A.16, SOC 2 CC7.3, NIS2 incident reporting, and GDPR personal data breach notification?"
ISMS Copilot guidance: Identifies framework-specific requirements like NIS2's 24-hour initial reporting, GDPR's 72-hour breach notification to the national data protection authority, SOC 2's emphasis on service availability, and ISO 27001's focus on lessons learned. Provides an integrated policy structure satisfying all requirements.
When to Use Each Tool
| Task | Use Kertos | Use ISMS Copilot |
|---|---|---|
| Automate GDPR RoPA and DSAR workflows | ✓ | |
| Interpret NIS2 or EU AI Act requirements | | ✓ |
| Manage multi-framework compliance status | ✓ | |
| Customize policies for industry requirements | | ✓ |
| Discover Shadow IT and map data flows | ✓ | |
| Understand framework-specific control nuances | | ✓ |
| Automate asset management and monitoring | ✓ | |
| Design custom control implementation logic | | ✓ |
| Manage document collaboration and approval | ✓ | |
| Prepare for auditor questions and scenarios | | ✓ |
| Integrate with 100+ tools for automation | ✓ | |
| Interpret complex GDPR legal basis decisions | | ✓ |
| Create public Trust Center for customers | ✓ | |
| Classify AI systems under EU AI Act | | ✓ |
| Track employee security training completion | ✓ | |
The powerful combination: Use Kertos for comprehensive workflow automation, document management, and multi-framework compliance tracking across the European regulatory landscape. Use ISMS Copilot for deep regulatory interpretation, policy customization, strategic planning, and complex scenarios requiring specialized compliance expertise.
Integration Best Practices
1. Leverage Kertos Automation with ISMS Copilot Expertise
Understand before automating: Use ISMS Copilot to understand regulatory requirements before configuring Kertos workflows
Validate automation scope: Ask ISMS Copilot whether your Kertos automation adequately covers framework expectations
Optimize control design: Use ISMS Copilot to design control logic that Kertos will monitor and evidence
2. Enhance Multi-Framework Policy Quality
Template foundation: Use Kertos' policy library as your starting point
Expert customization: Upload policies to ISMS Copilot for framework-specific and industry-specific enhancement
Harmonization validation: Ensure policies satisfy multiple frameworks when managing ISO 27001, NIS2, GDPR, and others simultaneously
3. Navigate EU Regulatory Complexity
Framework relationships: Use ISMS Copilot to understand how NIS2, DORA, GDPR, and ISO standards interact and overlap
Implementation sequencing: Get guidance on which frameworks to pursue first and how to build on existing compliance
Regulatory interpretation: Clarify ambiguous EU regulatory requirements before implementing in Kertos
4. Organize Framework-Specific Work
In Kertos: Manage all frameworks, documents, and evidence in a centralized platform
In ISMS Copilot: Create framework-specific workspaces ("Company - ISO 27001," "Company - NIS2") for focused guidance without context confusion
Cross-reference: When ISMS Copilot provides implementation guidance, execute and document in Kertos
Cost and Resource Considerations
Investment Overview
Kertos: Comprehensive compliance platform with pricing based on company size, frameworks, and modules
ISMS Copilot: Specialized compliance AI starting at $20/month for individuals, with team plans available for organizations
Combined Value Proposition
Organizations using both tools report:
Reduced external consultant dependency: Handle complex EU regulatory questions in-house instead of hiring specialized consultants
Better policy quality: Industry-specific and framework-specific customization reduces auditor findings
Faster multi-framework implementation: Confidently expand compliance scope with AI-guided requirement analysis
Enhanced AI governance: Navigate ISO 42001 and EU AI Act complexity with specialized expertise
Strategic decision confidence: Make framework selection and scope decisions with deep understanding of implications
ROI perspective: If ISMS Copilot helps you correctly interpret NIS2 incident reporting requirements and configure Kertos workflows correctly the first time (vs. consultant guidance at €200-300/hour for 3-5 hours), it pays for months of subscription. Most Kertos users report 10-20 hours monthly of complex questions where ISMS Copilot provides expert guidance.
Limitations and Boundaries
What This Combination Doesn't Replace
External auditors and DPOs: You still need independent auditors for certifications and may require external Data Protection Officers for GDPR
Executive accountability: Leadership must own compliance strategy, risk decisions, and resource allocation
Legal expertise: Complex regulatory questions may require compliance attorneys, especially for novel EU regulations
Technical implementation: Both tools provide guidance and automation, but your team implements controls
When You Might Still Need Consultants
First-time complex certifications: First ISO 27001 or navigating new regulations like NIS2 may benefit from consultant oversight
Multi-national complexity: Operations spanning EU and non-EU jurisdictions with varied regulations may need specialized advisors
Industry-specific regulations: Highly regulated sectors (finance, healthcare, critical infrastructure) may require specialized consultants
Significant compliance gaps: Organizations with major deficiencies may need consultant-led remediation programs
Getting Started
If You're Already Using Kertos
Identify expertise gaps: What regulatory questions arise as you work in Kertos that require deeper interpretation?
Try policy enhancement: Export a policy from Kertos and upload to ISMS Copilot for customization recommendations
Explore EU regulations: Ask ISMS Copilot to explain NIS2 or EU AI Act requirements and how they relate to your existing frameworks
Prepare for audit: Generate mock audit questions for your frameworks to strengthen audit readiness
Evaluate value: Track how often ISMS Copilot answers complex questions that would require consultant time
If You're Evaluating Both Tools
Start with Kertos: Kertos provides the operational foundation—automation, workflows, document management, integration ecosystem
Add ISMS Copilot for expertise: Layer on ISMS Copilot for regulatory interpretation, policy customization, and strategic guidance
Define integration workflow: Establish when you use each tool and how they complement each other in your compliance program
What's Next
Welcome to ISMS Copilot - Get started with ISMS Copilot
Organizing Work with Workspaces - Create framework-specific workspaces for organized guidance
How to Create ISO 27001 Policies Using AI - Enhance Kertos policies with AI customization
How to Conduct ISO 27001 Gap Analysis Using ISMS Copilot - Supplement Kertos framework mapping with detailed analysis
How to Prepare for SOC 2 Audit Using ISMS Copilot - Prepare for audits with AI-generated scenarios and guidance
Getting Help
Questions about using ISMS Copilot alongside Kertos?
Contact ISMS Copilot support for guidance on integrating AI expertise with Kertos workflows
Join the ISMS Copilot community to connect with other European compliance professionals using both tools
Check the Help Center for workflow templates and integration best practices