ISMS Copilot
Prompt engineering

Iterate and Refine with Multi-Turn Conversations

The Power of Conversation Context

Unlike one-off queries to generic AI tools, ISMS Copilot maintains conversation history within workspaces. Each follow-up question builds on previous responses, letting you refine policies, expand on specific controls, or adjust recommendations without repeating context.

This iterative approach mirrors how compliance professionals actually work: start with a framework overview, drill into priority controls, generate initial drafts, then refine based on organizational specifics and audit feedback.

How Context Persistence Works

Within a workspace conversation, ISMS Copilot remembers:

  • Custom instructions set for the workspace

  • Previous queries and responses in the current thread

  • Frameworks, controls, and organizational details mentioned earlier

  • Documents and policies generated in prior messages

  • Clarifications and constraints you've specified

This lets you reference "the access control policy from earlier" or "expand on A.5.15 from the previous response" without restating everything.

Start new workspace conversations for unrelated projects (different clients, frameworks, or phases) to prevent context confusion. Use the same conversation for iterating on connected tasks.

Common Iteration Patterns

1. Explore → Focus → Implement

Begin broad, narrow to specifics, then generate deliverables.

Example conversation:

  1. Explore: "What are the key SOC 2 CC7 controls for system operations?"

  2. Focus: "Expand on CC7.2 (system monitoring) for a SaaS platform using Datadog and PagerDuty"

  3. Implement: "Draft a system monitoring procedure for CC7.2 including alert thresholds, escalation paths, and incident logging"

  4. Refine: "Add a section on false positive management and tune alert thresholds for 99.9% uptime SLA"

Each turn deepens from concept to implementation to operational detail.

2. Generate → Review → Improve

Create initial output, identify gaps, then enhance.

Example conversation:

  1. Generate: "Create a risk assessment template for ISO 27001 A.5.7 covering our AWS infrastructure"

  2. Review: "Does this template address multi-region deployment risks and third-party integrations?"

  3. Improve: "Add sections for cross-region data replication risks and API integration security assessments"

  4. Validate: "What evidence do auditors expect for this risk assessment approach?"

Iterative refinement produces audit-ready outputs without starting over.

3. Compare → Decide → Customize

Evaluate options, select approach, then tailor to your organization.

Example conversation:

  1. Compare: "What are the pros and cons of role-based vs. attribute-based access control for ISO 27001 A.5.15?"

  2. Decide: "We'll use RBAC. What roles should we define for a 50-person SaaS company with engineering, sales, and support teams?"

  3. Customize: "Generate an RBAC matrix mapping those roles to systems: AWS, GitHub, Salesforce, Zendesk, and admin tools"

  4. Implement: "Create an access provisioning procedure using this RBAC model with approval workflows"

Decisions inform subsequent steps without restating rationale.

4. Control → Evidence → Verification

Implement control, identify evidence needs, plan validation.

Example conversation:

  1. Control: "How do I implement ISO 27001 A.8.15 logging for AWS CloudTrail and application logs?"

  2. Evidence: "What evidence demonstrates A.8.15 compliance for an auditor?"

  3. Verification: "Create a quarterly log review checklist to verify A.8.15 effectiveness and maintain evidence"

  4. Document: "Draft the logging section of our ISMS documentation referencing these controls and evidence"

End-to-end implementation in one conversation thread.

Effective Follow-Up Techniques

Reference Previous Outputs

Use phrases that leverage conversation memory:

  • "Expand on the third point from your last response"

  • "Apply the risk methodology we just discussed to database encryption"

  • "Update the policy draft to include those evidence requirements"

  • "Add the tools you mentioned (Okta, AWS IAM) to the access control matrix"

Build Incrementally

Add complexity gradually rather than all at once:

  1. "Create a basic incident response procedure for ISO 27001 A.5.24"

  2. "Add communication templates for internal escalation and customer notification"

  3. "Include integration with our PagerDuty alerting and Jira ticketing workflow"

  4. "Expand the post-incident review section with root cause analysis steps"

Layering details prevents overwhelming initial outputs.

Test Understanding

Verify alignment before extensive generation:

  • "Before drafting the full policy, confirm: should it cover both employees and contractors?"

  • "Does this approach satisfy both ISO 27001 A.6.1 and our GDPR obligations?"

  • "Is a quarterly review frequency sufficient for SOC 2 CC6.1, or should it be monthly?"

Course-correct early to avoid rework.

Request Alternatives

Explore options within the conversation:

  • "What's an alternative approach for smaller teams with limited budget?"

  • "Show me a simplified version for initial implementation, then the full enterprise approach"

  • "Compare manual vs. automated solutions for this control"

Conversation context resets between different workspace conversations. Don't expect ISMS Copilot to remember details from a separate client's workspace or a different conversation thread within the same workspace.

Examples by Scenario

Policy Development Iteration

Turn 1: "Draft an access control policy for SOC 2 CC6 covering user provisioning, reviews, and termination"

Turn 2: "Add a section on privileged access management for admin roles in AWS and GitHub"

Turn 3: "Include emergency access procedures for on-call engineers with post-access logging"

Turn 4: "Revise the review frequency from quarterly to monthly for privileged accounts, quarterly for standard users"

Turn 5: "Add references to our Okta SSO configuration and role-based groups"

Result: Comprehensive, customized policy built through refinement.

Gap Analysis Deep Dive

Turn 1: "Analyze our current security posture against ISO 27001:2022 Annex A.8 (technical controls)"

Turn 2: "Focus on the gaps you identified in A.8.1 (user endpoint devices) and A.8.15 (logging)"

Turn 3: "For the endpoint management gap, what tools satisfy A.8.1 for a remote-first team using macOS and Windows?"

Turn 4: "Create an implementation plan for Jamf (macOS) and Intune (Windows) addressing A.8.1 requirements"

Turn 5: "What evidence will auditors need to verify A.8.1 compliance with these tools?"

Result: From high-level gap to tool selection to implementation plan in one thread.

Multi-Framework Alignment

Turn 1: "We need to satisfy both ISO 27001 A.5.24 (incident management) and SOC 2 CC7.3-7.5. What overlaps exist?"

Turn 2: "Create a unified incident response plan addressing both frameworks"

Turn 3: "Add specific sections for the unique SOC 2 requirements you mentioned (availability incidents and communication timelines)"

Turn 4: "Include a table mapping each procedure step to the relevant ISO 27001 and SOC 2 controls for audit traceability"

Result: Efficient single plan with clear compliance mapping.

Implementation Troubleshooting

Turn 1: "How do I implement MFA for ISO 27001 A.5.17 using Okta?"

Turn 2: "We have legacy applications that don't support SAML. How do we handle those?"

Turn 3: "Suggest a compensating control for the legacy apps until we can migrate them"

Turn 4: "Document the compensating control approach for auditor review, including timeline for full MFA migration"

Result: Pragmatic solution accounting for technical constraints.

Managing Long Conversations

When to Continue vs. Start Fresh

Continue the conversation when:

  • Building on previous outputs (refining policy, expanding procedure)

  • Working through related controls in sequence (A.5.1 → A.5.2 → A.5.3)

  • Iterating on a single deliverable (risk assessment refinement)

  • Troubleshooting implementation of a discussed control

Start a new conversation when:

  • Switching to unrelated framework or domain (SOC 2 → GDPR)

  • Different project phase (moving from implementation to audit prep)

  • Context becomes too complex (10+ back-and-forth turns on multiple topics)

  • You need a clean slate without prior assumptions

Summarizing for Clarity

In long conversations, periodically summarize:

Example: "To confirm our decisions so far: we're using RBAC with 5 roles (Admin, Developer, Sales, Support, Contractor), quarterly access reviews except monthly for admins, Okta SSO for all apps except the legacy CRM which gets compensating controls. Now let's draft the formal policy."

This resets shared understanding and prevents drift.

Use the answer style dropdown (Concise/Normal/Detailed) strategically: Concise for quick iterations, Detailed for initial drafts, Normal for most refinements.

Combining Iteration with Other Techniques

Iteration + Custom Instructions

Set workspace instructions for consistent context across all turns:

Instruction: "Healthcare SaaS, 80 employees, AWS infrastructure, implementing ISO 27001:2022 with HIPAA alignment, audit in 8 months"

Query sequence: Each query inherits this context without restating

Iteration + File Uploads

Upload once, reference throughout conversation:

  1. Upload: Attach current access control policy (PDF)

  2. Turn 1: "Review this policy against SOC 2 CC6 and identify gaps"

  3. Turn 2: "Rewrite the access review section to address the gaps you found"

  4. Turn 3: "Add the evidence requirements you mentioned to a new Appendix A"

Iteration + Personas

Switch personas mid-conversation for different perspectives:

  1. Implementer persona: "Give me step-by-step MFA implementation for Okta"

  2. Auditor persona: "Review that implementation plan—what evidence will be missing?"

  3. Consultant persona: "How do I justify the implementation cost to our CFO?"

Multiple viewpoints on the same topic in one thread.

Recognizing Diminishing Returns

Stop iterating when:

  • You're making micro-adjustments that don't improve audit readiness

  • Follow-ups aren't incorporating previous context accurately (sign of conversation overload)

  • You're asking the same question rephrased multiple times

  • Outputs are becoming less useful or more generic

At that point, save the best version and move to implementation or start a fresh conversation.

Saving Iterative Work

Best practices for preserving conversation outputs:

  • Copy final versions to your documentation repository after each major refinement

  • Use the conversation as an audit trail showing how the policy/procedure evolved

  • Export key responses for review with stakeholders before further iteration

  • Name workspaces clearly to find conversations later ("ISO 27001 - Access Controls - Client ABC")

Multi-turn conversations are where ISMS Copilot's specialization shines. Generic AI tools lose context or accuracy after 2-3 turns. ISMS Copilot maintains compliance-specific understanding through entire implementation projects.

Next Steps

Start a multi-turn conversation for your next compliance task. Begin with a high-level query, then use 3-5 follow-ups to refine the output into an implementation-ready deliverable. Notice how context preservation accelerates quality.

Back to Prompt Engineering Overview

Was this helpful?