Provide Organizational Context
Why Context Matters
Generic compliance advice rarely survives real-world implementation. A 10-person startup and a 500-person enterprise have vastly different resources, risks, and audit scopes—even when pursuing the same ISO 27001 or SOC 2 certification.
ISMS Copilot tailors recommendations when you provide organizational context. This transforms theoretical controls into practical steps aligned with your industry, technology stack, team size, and maturity level.
Essential Context Elements
1. Company Size and Structure
Employee count and organizational structure influence control complexity and resource allocation.
Example: "We're a 25-person startup with a 5-person engineering team, no dedicated security staff, and a lean budget."
Why it matters: Small teams need streamlined, automated controls rather than enterprise-scale processes. ISMS Copilot recommends SaaS tools over custom solutions and combined roles over specialized positions.
2. Industry and Regulatory Environment
Your sector determines applicable regulations and risk priorities.
Examples:
"Healthcare SaaS processing PHI under HIPAA"
"Fintech handling payment data, subject to PCI DSS and GDPR"
"B2B SaaS selling to enterprise customers requiring SOC 2"
Why it matters: Healthcare prioritizes patient data confidentiality; fintech emphasizes transaction integrity; B2B SaaS focuses on customer data isolation. Controls and evidence shift accordingly.
3. Technology Stack
List your core infrastructure, applications, and security tools.
Example: "We use AWS (EC2, RDS, S3), GitHub for code, Google Workspace for collaboration, Okta for SSO, and Datadog for monitoring."
Why it matters: Tool-specific guidance beats generic recommendations. Instead of "implement logging," you get "configure AWS CloudTrail with S3 retention and Datadog alerting for ISO 27001 A.8.15."
4. Current Maturity and Goals
Describe where you are and where you're headed.
Examples:
"Starting ISO 27001 implementation from scratch, audit in 12 months"
"Maintaining SOC 2 Type II, third annual audit in 6 months"
"Expanding from ISO 27001 to add SOC 2 for US customers"
Why it matters: First-time implementations need foundational controls and quick wins. Mature programs require optimization and evidence refinement. Multi-framework scenarios benefit from control mapping to reduce duplication.
5. Specific Challenges or Constraints
Mention limitations, past audit findings, or unique situations.
Examples:
"Previous auditor flagged weak password policies and lack of MFA"
"Remote-first team across 15 countries, no physical office"
"Legacy monolith being migrated to microservices on Kubernetes"
"Budget constraint: $10k total for compliance tooling"
Why it matters: Constraints shape feasible solutions. Remote-first changes physical security controls; budget limits affect tool choices; audit findings prioritize remediation.
Context in Action: Before and After
Example 1: Access Control Policy
❌ Without context: "Generate an access control policy for SOC 2"
Result: Generic policy template requiring significant customization for roles, tools, and processes.
✅ With context: "Generate an access control policy for SOC 2 CC6 for a 50-person SaaS company using Okta SSO, GitHub, AWS, and Salesforce. Include quarterly access reviews by managers and role-based access for engineering, sales, and support teams."
Result: Policy draft with named tools, specific roles, defined review frequency, and audit-ready procedures.
Example 2: Risk Assessment
❌ Without context: "How do I do a risk assessment for ISO 27001?"
Result: General methodology overview without asset specifics or prioritization.
✅ With context: "Create a risk assessment template for ISO 27001 A.5.7 for a healthcare SaaS with 100k patient records in AWS RDS, using Stripe for payments and Intercom for support. Prioritize HIPAA-relevant threats."
Result: Template identifying critical assets (patient DB, payment processor), relevant threats (data breach, ransomware), and healthcare-specific controls.
Example 3: Implementation Roadmap
❌ Without context: "Give me a SOC 2 implementation plan"
Result: High-level phases without timeline or resource alignment.
✅ With context: "Create a 9-month SOC 2 Type I implementation roadmap for a 30-person startup with one part-time security lead, targeting Trust Services Criteria for Security and Availability. We use Google Workspace, GitHub, AWS, and have basic MFA but no formal policies."
Result: Phased plan with quick wins (formalizing existing MFA), resource-appropriate milestones, and tool-specific tasks aligned to timeline and team capacity.
Use Custom Instructions in Workspaces to set context once for all queries in a project. This avoids repeating "We're a 50-person healthcare SaaS using AWS..." in every message.
Organizing Context with Workspaces
For client work or multi-project scenarios, create separate workspaces with custom instructions containing:
Client name and industry
Company size and structure
Technology stack
Frameworks and audit timelines
Specific priorities or constraints
Example instruction:
"Client: Acme Corp, 120-person fintech, EU-based. Tech: Azure, GitHub, Salesforce, Okta. Implementing ISO 27001:2022 and preparing for GDPR audit. Priority: quick wins for certification in 6 months, emphasis on data residency and encryption. Budget: $25k for tooling."
All queries in that workspace automatically apply this context without repetition.
Context for Different Query Types
Policy Generation
Provide: roles, tools, review frequencies, approval workflows
Example: "Draft an incident response policy for ISO 27001 A.5.24. Roles: Security Lead (Jane), CTO (approval), Engineering team (response). Tools: PagerDuty for alerting, Jira for tracking, Slack for comms. Post-incident reviews within 48 hours."
Gap Analysis
Provide: current state, target framework, known weaknesses
Example: "Analyze our current security posture against SOC 2 CC6-CC8. We have MFA via Okta, quarterly access reviews, GitHub branch protection, and AWS CloudTrail. Missing: formal change management docs, vendor risk assessments, and DRP testing."
Evidence Preparation
Provide: audit scope, evidence collection capabilities, tools with logging
Example: "What evidence do I need for ISO 27001 A.8.15 (logging and monitoring)? We have AWS CloudTrail, Datadog APM, and Okta system logs. Audit scope: AWS production environment and corporate SSO."
Implementation Guidance
Provide: team skills, timeline, existing tools
Example: "How do I implement encryption at rest for ISO 27001 A.8.24? Our DevOps engineer has AWS experience, we use RDS PostgreSQL and S3 for file storage, and need implementation complete in 4 weeks."
Avoid including actual sensitive data (customer names, real passwords, PII) in queries. Use placeholders like "[customer database]" or "[payment processor]" and enable PII reduction if discussing data handling scenarios.
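As an added illustration of the placeholder advice above (example code written for this page, not part of ISMS Copilot and not its built-in PII reduction feature): a small local pre-submission check that swaps obvious sensitive values in a draft query for the kind of bracketed placeholders described here and reports what it replaced so you can review before sending. The patterns, placeholder names and the sample query are constructed assumptions for the example; extend them to match the data your organization actually handles.

```python
import re
from dataclasses import dataclass, field

# Assumed detection patterns for this example. Each maps the placeholder that
# will appear in the outgoing query to a regex for the value it replaces.
PATTERNS = {
    "[email]": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "[aws_access_key_id]": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "[ip_address]": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Runs of 13-19 digits, optionally separated by spaces or hyphens.
# Only candidates that pass the Luhn check are treated as card numbers,
# so ticket ids and timestamps are left alone.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ScrubResult:
    text: str                                   # query with placeholders applied
    findings: list = field(default_factory=list)  # (placeholder, original value)


def scrub_query(query: str) -> ScrubResult:
    """Replace sensitive-looking values in a draft query with placeholders."""
    findings = []

    def replace_card(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_ok(digits):
            findings.append(("[card_number]", raw))
            return "[card_number]"
        return raw                              # not a card: keep as-is

    # Card numbers first so their digits are not partially consumed later.
    text = CARD_CANDIDATE.sub(replace_card, query)

    for placeholder, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((placeholder, match.group(0)))
        text = pattern.sub(placeholder, text)

    return ScrubResult(text, findings)


def contains_sensitive(query: str) -> bool:
    """True if the check would change anything in the query."""
    return bool(scrub_query(query).findings)


if __name__ == "__main__":
    # Constructed sample: a query draft that accidentally includes real values.
    draft = ("Map our data flows: DBA jane.doe@acme.example stores card "
             "4111 1111 1111 1111 in RDS; access key AKIAIOSFODNN7EXAMPLE "
             "is used from host 10.0.4.12.")
    result = scrub_query(draft)
    print(result.text)
    for placeholder, original in result.findings:
        print(f"replaced {original!r} with {placeholder}")
```

The check is deliberately conservative: it only rewrites values it can recognise, so a human still reads the result before it is sent, and the findings list doubles as a record of what was withheld from the query.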
When to Update Context
Refresh context when your organization changes:
Significant headcount growth or reduction
New technology adoption (e.g., migrating to Kubernetes)
Regulatory changes (e.g., new GDPR requirements)
Post-audit findings requiring remediation
Shifting from implementation to maintenance phase
Update workspace custom instructions rather than editing past queries.
Testing Your Context
Before sending a query, verify you've included:
Company size and team structure
Industry and relevant regulations
Key technologies and tools
Current state and goals
Any constraints or priorities
If a category applies to your query, include it.
Well-contextualized queries produce audit-ready outputs on the first try. Generic queries require multiple rounds of refinement, consuming message quota and time.
Next Steps
Add organizational context to your next query. Compare the quality and specificity of the response to previous generic attempts.