Keep ISMS Copilot in Compliance Character
Overview
ISMS Copilot is designed to operate as a specialized compliance assistant, not a general-purpose AI. Keeping it "in character"—focused on information security frameworks, audit-ready outputs, and professional tone—ensures accurate, reliable results that meet compliance standards.
This guide shows you how to configure ISMS Copilot to maintain consistent compliance behavior across all interactions.
Why Character Consistency Matters
Deviations from compliance character can lead to:
Off-topic responses that waste quota and time
Inconsistent documentation tone across policies
Hallucinations when the AI operates outside its expertise
Audit findings due to informal or incomplete outputs
ISMS Copilot's specialized training anchors it in compliance domains, but your prompts and settings reinforce this focus—especially in edge cases or ambiguous queries.
Select the Right Persona
Auditor Persona
Optimized for verification, evidence collection, and gap analysis.
Use when:
Conducting internal audits or mock assessments
Reviewing existing documentation for compliance gaps
Preparing for external certification audits
Analyzing uploaded policies or risk assessments
Characteristics:
Skeptical, evidence-focused tone
Emphasizes testing procedures and validation
Highlights potential non-conformances
References specific control requirements and audit criteria
Implementer Persona
Optimized for policy creation, deployment planning, and operational procedures.
Use when:
Drafting new policies or updating existing ones
Creating control implementation guides
Building risk registers or asset inventories
Developing training materials or awareness programs
Characteristics:
Practical, action-oriented tone
Focuses on deployment steps and operationalization
Provides templates and structured formats
Balances compliance requirements with business feasibility
Switching personas mid-conversation can introduce inconsistency. Choose your persona at the start of each workspace or project, and stick with it.
Use Custom Instructions to Reinforce Character
Define Compliance Role
Set custom instructions that anchor ISMS Copilot in your specific compliance context.
Example custom instruction:
You are a compliance assistant for a SaaS company implementing ISO 27001:2022 and SOC 2 Type II. All outputs should:
- Reference specific control numbers (Annex A for ISO, CC criteria for SOC 2)
- Use formal, audit-ready language
- Include verification steps or evidence requirements
- Align with cloud infrastructure best practices
- Avoid reproducing copyrighted framework text
Specify Output Tone
Explicitly define the professional tone you need for compliance documentation.
Example tone instruction:
Tone: Formal and authoritative, suitable for external auditor review. Avoid casual language, humor, or subjective opinions. Use third-person perspective for policies (e.g., "The organization shall..." not "You should...").
Enforce Framework Focus
List the frameworks you're working with to prevent off-topic drift.
Example framework instruction:
Active frameworks: ISO 27001:2022, GDPR, NIST CSF 2.0. Do not reference outdated versions (e.g., ISO 27001:2013) or out-of-scope standards (e.g., PCI-DSS) unless explicitly asked.
Overly restrictive custom instructions can cause refusals on legitimate queries. Balance specificity with flexibility by using "primarily" or "unless requested" phrasing.
Structure Prompts for Compliance Context
Lead with Framework References
Start queries with explicit framework context to anchor responses.
Weak prompt (may drift):
How do I manage access controls?
Strong prompt (stays in character):
What are the ISO 27001:2022 Annex A.5.15 requirements for access control, and what evidence do auditors typically look for?
Specify Deliverable Format
Define the exact compliance artifact you need.
Example:
Generate a SOC 2 CC6.1 control testing procedure with these sections:
1. Control Objective
2. Control Activity
3. Test Steps (numbered)
4. Expected Evidence
5. Sample Size
6. Testing Frequency
Include Audience Context
Tell ISMS Copilot who will review the output to maintain appropriate tone.
Example:
Create an executive summary of our ISO 27001 gap analysis for the Board of Directors. Focus on high-level risks and remediation timelines, not technical control details.
Use Scenarios to Maintain Realism
Provide Business Context
Describe realistic compliance scenarios to ground ISMS Copilot's responses.
Example scenario-based prompt:
Scenario: Our organization is a B2B SaaS platform with 50 employees, AWS infrastructure, and no on-premises systems. We're 6 months from ISO 27001 certification audit. Generate an asset register template aligned with Annex A.5.9 requirements, focusing on cloud assets and SaaS dependencies.
Use Real-World Constraints
Include practical limitations to keep outputs actionable.
Example:
Our compliance budget is limited, and we have no dedicated security team. Recommend cost-effective controls for ISO 27001 A.8.1 (asset responsibility) that can be implemented with existing IT staff.
Scenario-based prompts reduce hallucinations by forcing ISMS Copilot to balance framework requirements with realistic business constraints.
Reinforce Character with Follow-Up Prompts
Reference Previous Compliance Context
Maintain consistency by explicitly connecting follow-up queries to earlier responses.
Example sequence:
"Create an ISO 27001 Incident Response Policy for a SaaS company"
"Using the policy structure you just created, add a section on SOC 2 CC7.4 incident notification requirements"
"Generate an incident response testing procedure that validates both ISO 27001 A.5.24 and the SOC 2 sections we discussed"
Correct Drift Immediately
If ISMS Copilot strays off-topic or changes tone, redirect with explicit guidance.
Example correction:
That response was too informal for audit documentation. Rewrite in third-person, formal tone with specific references to ISO 27001 Annex A.5.1 requirements.
Leverage Workspaces for Consistent Character
Dedicate Workspaces by Role
Create role-specific workspaces to maintain distinct compliance characters.
Example workspace structure:
Workspace: "Internal Audit - Auditor Persona" → Gap analysis, evidence review, testing procedures
Workspace: "Policy Development - Implementer Persona" → Policy drafting, control design, training materials
Workspace: "Executive Reporting" → High-level summaries, board presentations, strategic planning
Each workspace's custom instructions and persona selection reinforce the specific character needed for that workflow.
Upload Reference Policies
Include your existing, approved compliance documents in workspaces to anchor ISMS Copilot's style.
Example:
Upload your organization's current Access Control Policy to the workspace
Prompt: "Review the uploaded Access Control Policy and generate a Data Classification Policy in the same format and tone"
ISMS Copilot will mimic the structure, terminology, and formality of your reference document.
Upload a "style guide" document with examples of approved policy language, section headers, and formatting conventions to standardize outputs.
Monitor for Character Drift
Check for Off-Topic Responses
Watch for signs that ISMS Copilot is deviating from compliance focus:
Generic business advice unrelated to frameworks
Marketing or sales language in policy outputs
Casual tone or first-person perspective in formal documents
References to non-compliance topics (e.g., product development, HR processes)
If drift occurs, reset the conversation or restate your framework context.
Validate Control Mappings
Ensure ISMS Copilot maintains accurate control references:
Verify Annex A control numbers match ISO 27001:2022 (not 2013)
Check SOC 2 Trust Services Criteria align with AICPA's current version
Confirm NIST CSF references use 2.0 framework (if applicable)
Incorrect version references indicate character drift or hallucination.
Test with Known Controls
Periodically validate character consistency by querying familiar controls.
Test prompt:
Explain the requirements for ISO 27001:2022 Annex A.5.1 (Policies for Information Security).
Compare the response to your existing knowledge—consistent terminology and structure indicate stable character.
Use Prefill Patterns for Compliance Outputs
Start with Framework Templates
Provide the opening structure for policies or procedures to set the tone.
Example prefill prompt:
Complete this ISO 27001 Incident Response Policy:
1. Purpose
This policy establishes the requirements for identifying, reporting, assessing, and responding to information security incidents in accordance with ISO 27001:2022 Annex A.5.24, A.5.25, and A.5.26.
2. Scope
[Continue from here with sections 3-8: Definitions, Roles & Responsibilities, Incident Classification, Response Procedures, Post-Incident Review, Review Schedule]
ISMS Copilot will maintain the formal tone and structure you established.
Anchor with Compliance Phrases
Include standard compliance terminology in your prompt to reinforce character.
Example phrases:
"The organization shall..."
"In accordance with [framework] requirements..."
"Evidence of implementation includes..."
"Non-conformance will be documented and escalated to..."
Prefill patterns are especially effective for long documents—they "lock in" tone and structure early, preventing drift as the conversation progresses.
Align Multi-Framework Queries
Specify Dual Compliance
When working with multiple frameworks, explicitly request alignment.
Example:
Generate an Access Control Policy that satisfies both ISO 27001:2022 Annex A.5.15 and SOC 2 CC6.1-CC6.3. Include a control mapping table showing how each policy section addresses requirements in both frameworks.
Prevent Framework Mixing
Avoid vague prompts that could blend incompatible frameworks.
Vague (risky):
What are the password requirements for compliance?
Specific (safe):
What are the password complexity and rotation requirements specifically for ISO 27001:2022 Annex A.5.17 and SOC 2 CC6.1? List each framework's requirements separately.
Handle Edge Cases with Explicit Boundaries
Adjacent but Out-of-Scope Topics
For borderline queries, frame them within compliance context.
Borderline query:
How do I train employees on phishing?
Compliance-framed version:
What are the ISO 27001 Annex A.6.3 (Security Awareness Training) requirements for phishing awareness programs, and how should training effectiveness be measured for audit evidence?
Redirect Off-Topic Requests
If you accidentally submit a non-compliance query, acknowledge and reframe.
Example:
User: Write a sales email for our product.
ISMS Copilot: I specialize in information security and compliance frameworks...
User: Apologies—what I meant was: Create a communication template for notifying customers about our ISO 27001 certification achievement, suitable for marketing use.
ISMS Copilot's scope refusal system helps maintain character by rejecting off-topic queries. Don't override these refusals—they protect against hallucinations.
Review Outputs for Character Consistency
Spot-Check Generated Policies
Before using AI-generated documentation in production, verify:
Formal, third-person language throughout
Consistent control numbering and framework references
Audit-appropriate terminology (e.g., "shall" not "should" for requirements)
No marketing or casual phrasing
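The validation and spot-check items above can be turned into a repeatable review step. The following script is an added example, not ISMS Copilot's own code: it scans a generated policy excerpt line by line for the drift indicators named on this page (ISO 27001:2013 references, control numbers that do not exist in the 2022 Annex A numbering, first- or second-person wording, "should" where a requirement needs "shall", and casual or marketing phrasing). The Annex A ranges reflect the ISO/IEC 27001:2022 structure (A.5 has 37 controls, A.6 has 8, A.7 has 14, A.8 has 34); the casual-phrase list and the sample policy text are constructed for illustration, and the checks are heuristics that assume a human still reviews the output.

```python
"""Drift checks for AI-generated compliance text (added example, not ISMS Copilot code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Highest control index per ISO/IEC 27001:2022 Annex A theme (5 Organizational,
# 6 People, 7 Physical, 8 Technological). Anything outside these ranges, or any
# three-level number such as A.9.2.5, is 2013-style or invented.
ANNEX_A_2022 = {5: 37, 6: 8, 7: 14, 8: 34}

# Constructed list of phrases that signal casual or marketing register.
CASUAL_PHRASES = ("awesome", "great news", "super easy", "no worries", "world-class")

OUTDATED_VERSION = re.compile(r"ISO(?:/IEC)?\s*27001:2013")
CONTROL_REF = re.compile(r"\bA\.(\d+)\.(\d+)(?:\.(\d+))?\b")
# Case-sensitive "I" so enumerations like "(i)" are not flagged.
FIRST_SECOND_PERSON = re.compile(r"\b(?:[Ww]e|[Oo]ur|[Uu]s|[Yy]ou|[Yy]our|I)\b")
# Heuristic: policy requirements use "shall"; any "should" is worth a look.
WEAK_REQUIREMENT = re.compile(r"\bshould\b", re.IGNORECASE)


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def check_control_ref(match: re.Match) -> Optional[str]:
    """Return a problem description for an Annex A reference, or None if it is valid."""
    theme, index, sub = int(match.group(1)), int(match.group(2)), match.group(3)
    if sub is not None:
        return "three-level number is 2013-style (2022 Annex A uses A.x.y)"
    if theme not in ANNEX_A_2022 or not 1 <= index <= ANNEX_A_2022[theme]:
        return "control number does not exist in ISO 27001:2022 Annex A"
    return None


def check_policy_text(text: str) -> list:
    """Return a Finding for every drift indicator on every line of the excerpt."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if OUTDATED_VERSION.search(line):
            findings.append(Finding(lineno, "outdated-version", "references ISO 27001:2013"))
        for m in CONTROL_REF.finditer(line):
            problem = check_control_ref(m)
            if problem:
                findings.append(Finding(lineno, "bad-control-ref", f"{m.group(0)}: {problem}"))
        if FIRST_SECOND_PERSON.search(line):
            findings.append(Finding(lineno, "person", "first/second-person wording in policy text"))
        if WEAK_REQUIREMENT.search(line):
            findings.append(Finding(lineno, "weak-requirement", "'should' where a requirement needs 'shall'"))
        lowered = line.lower()
        for phrase in CASUAL_PHRASES:
            if phrase in lowered:
                findings.append(Finding(lineno, "casual-tone", f"casual/marketing phrase: {phrase!r}"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule so a reviewer can see which kind of drift dominates."""
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: the first four lines are clean, the last two show drift.
SAMPLE_POLICY = """\
1. Purpose
This policy establishes access control requirements in accordance with ISO/IEC 27001:2022 Annex A.5.15.
2. Policy Statements
The organization shall grant access on a least-privilege basis (A.5.15, A.8.2).
We think you should review access rights every quarter, as required by ISO 27001:2013 A.9.2.5.
Great news: MFA is awesome and A.8.99 says so.
"""

if __name__ == "__main__":
    for f in check_policy_text(SAMPLE_POLICY):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Run it over the text ISMS Copilot returns before the document goes into the ISMS; an empty result is not proof of correctness, but any finding is a concrete place to apply the "Correct Drift Immediately" redirect described earlier.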
Compare Across Conversations
Check that outputs from different sessions maintain the same character:
Generate an Access Control Policy in one conversation
Generate a Data Classification Policy in a separate conversation (same workspace)
Compare tone, structure, and terminology—they should align closely
Significant deviations indicate inconsistent persona or custom instructions.
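The cross-conversation comparison can also be made mechanical. The script below is an added example (not ISMS Copilot code) that compares two generated policies on the three axes this section names: structure (the numbered section headings), tone (which modal verb dominates: "shall" versus "should") and terminology (which of the standard compliance phrases listed under "Anchor with Compliance Phrases" appear). The three sample policies are constructed; the 0.5 phrase-overlap threshold is an assumed cut-off, not a figure from the page.

```python
"""Compare two generated policies for character consistency (added example)."""
import re

# Numbered section headings such as "1. Purpose"; used to compare structure.
HEADING = re.compile(r"^\s*\d+\.\s+(.+?)\s*$", re.MULTILINE)
MODAL = re.compile(r"\b(shall|should|must|may)\b", re.IGNORECASE)
# Standard compliance phrases the page recommends anchoring outputs with.
ANCHOR_PHRASES = (
    "the organization shall",
    "in accordance with",
    "evidence of implementation",
    "non-conformance",
)
PHRASE_OVERLAP_THRESHOLD = 0.5  # assumed cut-off for "same terminology"


def headings(text: str) -> list:
    return [m.group(1).strip() for m in HEADING.finditer(text)]


def modal_profile(text: str) -> dict:
    """Count requirement verbs; formal policies are dominated by 'shall'."""
    counts = {"shall": 0, "should": 0, "must": 0, "may": 0}
    for m in MODAL.finditer(text):
        counts[m.group(1).lower()] += 1
    return counts


def dominant_modal(counts: dict):
    return max(counts, key=counts.get) if any(counts.values()) else None


def anchor_phrases(text: str) -> set:
    lowered = text.lower()
    return {p for p in ANCHOR_PHRASES if p in lowered}


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_policies(a: str, b: str) -> dict:
    """Report structural, tonal and terminological agreement between two policies."""
    ha, hb = headings(a), headings(b)
    report = {
        "headings_match": ha == hb,
        "heading_overlap": jaccard(set(ha), set(hb)),
        "phrase_overlap": jaccard(anchor_phrases(a), anchor_phrases(b)),
        "dominant_modal": (dominant_modal(modal_profile(a)), dominant_modal(modal_profile(b))),
    }
    report["consistent"] = (
        report["headings_match"]
        and report["phrase_overlap"] >= PHRASE_OVERLAP_THRESHOLD
        and report["dominant_modal"][0] == report["dominant_modal"][1]
    )
    return report


# Constructed samples: two policies in the same formal register, one that drifted.
ACCESS_CONTROL_POLICY = """\
1. Purpose
This policy defines access control requirements in accordance with ISO/IEC 27001:2022 Annex A.5.15.
2. Scope
This policy applies to all information systems operated by the organization.
3. Policy Statements
The organization shall grant access on a need-to-know basis. Evidence of implementation includes quarterly access reviews.
4. Non-Conformance
Non-conformance will be documented and escalated to the Information Security Manager.
"""

DATA_CLASSIFICATION_POLICY = """\
1. Purpose
This policy defines data classification requirements in accordance with ISO/IEC 27001:2022 Annex A.5.12.
2. Scope
This policy applies to all information assets owned by the organization.
3. Policy Statements
The organization shall classify information according to its confidentiality requirements. Evidence of implementation includes labelled asset inventories.
4. Non-Conformance
Non-conformance will be documented and escalated to the Information Security Manager.
"""

DRIFTED_POLICY = """\
1. Why this matters
You should classify your data so that we know what is sensitive.
2. What to do
Label everything. Honestly it's super easy and you may skip it for public data.
"""

if __name__ == "__main__":
    print(compare_policies(ACCESS_CONTROL_POLICY, DATA_CLASSIFICATION_POLICY))
    print(compare_policies(ACCESS_CONTROL_POLICY, DRIFTED_POLICY))
```

A report with `consistent` set to False points at the axis that diverged, which tells you whether to fix the workspace's custom instructions (tone and terminology) or its prefill template (structure).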
Advanced Character Maintenance
Create Persona Templates
Document successful custom instruction sets for reuse:
Example "Auditor Template":
Role: Internal auditor conducting ISO 27001 gap analysis
Tone: Formal, skeptical, evidence-focused
Output format: Bulleted findings with control references
Evidence requirements: Always include sample size and testing procedures
Framework version: ISO 27001:2022 only (not 2013)
Persona: Auditor
Save these templates externally (e.g., in a document) and copy-paste into new workspaces as needed.
Use Scenario Libraries
Maintain a library of realistic compliance scenarios for complex queries.
Example scenario for infrastructure controls:
Context: 50-employee SaaS company, AWS cloud infrastructure, no on-premises systems, annual revenue $5M, target frameworks ISO 27001 + SOC 2. Generate controls considering budget constraints and small team size.
Reuse these scenarios across different control areas to maintain consistent character.
What ISMS Copilot Does Automatically
Built-in character maintenance features:
Compliance-only training: Specialized on security frameworks, not general knowledge
Scope enforcement: Automatically refuses non-compliance queries
Framework knowledge injection: Detects ISO/SOC2/NIST mentions and injects verified guidance
Persona system: Auditor and Implementer modes with distinct behaviors
Uncertainty disclaimers: Acknowledges gaps rather than fabricating information
ISMS Copilot's specialized training provides strong baseline character consistency. Your custom instructions and prompts fine-tune this behavior to match your specific compliance context.