Prompt engineering

Upload Files for Context and Analysis

Why Upload Files?

Compliance work centers on documents: existing policies, audit reports, risk assessments, vendor contracts, and asset inventories. Describing these in text wastes time and introduces errors. Uploading files directly gives ISMS Copilot precise context for gap analysis, improvement recommendations, and compliance mapping.

File analysis transforms vague questions like "Is our policy good enough?" into specific, actionable feedback: "Your access control policy addresses SOC 2 CC6.1 and CC6.2 but is missing CC6.3 requirements for privileged access monitoring. Add sections for..."

Supported File Types and Limits

ISMS Copilot accepts:

  • PDF – Policies, audit reports, certifications, vendor assessments

  • DOCX – Policy drafts, procedures, documentation templates

  • XLS/XLSX – Risk registers, asset inventories, control matrices, evidence logs

File size: Up to 10MB per file

Length: Documents up to 20+ pages process effectively; longer documents may need chunking

Upload location: Attach files via the paperclip icon in the query input area

Uploaded files are processed with the same privacy standards as text queries: end-to-end encryption, EU (Frankfurt) storage, and never used for AI training. However, avoid uploading files containing actual passwords, API keys, or personally identifiable information (PII) unless necessary.

Common File Upload Scenarios

1. Gap Analysis

Upload existing policies or documentation for compliance assessment.

Example query with upload: "Review this access control policy [attach PDF] against SOC 2 CC6.1-6.3 requirements. Identify missing controls, outdated language, and evidence gaps for a Type II audit."

ISMS Copilot response: Specific sections needing updates, missing controls (e.g., privileged access monitoring for CC6.3), recommended additions, and evidence requirements.

Audit report example: "Analyze findings from our last ISO 27001 surveillance audit [attach PDF]. Prioritize remediation by severity and create an action plan with timelines."

2. Policy Improvement

Enhance existing documentation to meet new standards or frameworks.

Example query: "Update this information security policy [attach DOCX] from ISO 27001:2013 to 2022 requirements. Highlight sections that need revision and suggest new language for changed controls."

ISMS Copilot response: Side-by-side comparison of old vs. new requirements, revised policy sections, new controls to add (e.g., A.5.7 threat intelligence, A.8.23 web filtering).

3. Risk Assessment Review

Validate risk methodology and scoring against framework requirements.

Example query: "Review this risk register [attach XLSX] against ISO 27001 A.5.7 requirements. Are threat sources comprehensive? Is our 1-5 scoring appropriate? What risks are we missing for a cloud-first SaaS platform?"

ISMS Copilot response: Assessment of methodology, suggested additional threat categories (e.g., supply chain, insider threats), missing asset-risk pairings, scoring calibration feedback.

4. Vendor Assessment

Evaluate third-party certifications and contracts for compliance.

Example query: "Analyze this vendor's SOC 2 report [attach PDF] for our third-party risk assessment. Does it cover the services we use (data storage and processing)? Are there relevant exceptions or qualifications? Does it satisfy our SOC 2 CC9.2 requirements?"

ISMS Copilot response: Service scope coverage, notable exceptions, control gaps, recommendations for vendor questionnaire follow-up.

5. Evidence Mapping

Connect existing artifacts to audit requirements.

Example query: "Map this security awareness training log [attach XLSX] to ISO 27001 A.6.3 evidence requirements. What additional evidence do we need for certification audit?"

ISMS Copilot response: Current evidence coverage, missing elements (e.g., completion tracking, test scores, role-specific training), recommended log enhancements.

6. Control Implementation Verification

Validate technical configurations against control requirements.

Example query: "Review this AWS CloudTrail configuration documentation [attach PDF] against ISO 27001 A.8.15 (logging and monitoring) requirements. Is retention sufficient? Are critical events covered?"

ISMS Copilot response: Configuration adequacy assessment, missing log sources (e.g., application logs, database access), retention period recommendations, alerting gaps.

7. Template Evaluation

Assess whether templates meet framework standards.

Example query: "Evaluate this incident response template [attach DOCX] for SOC 2 CC7.3-7.5 compliance. Does it include all required elements (detection, response, communication, post-incident review)? What's missing?"

8. Multi-Document Comparison

Analyze multiple files for consistency or coverage.

Example query: "Compare our access control policy [attach DOCX] with our actual access review log [attach XLSX]. Are we following our documented procedures? Where do practice and policy diverge?"
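The "practice versus policy" comparison in scenario 8 can also be checked deterministically before (or after) asking ISMS Copilot, which gives you a concrete list of deviations to put in the query. The following script is an added example, not ISMS Copilot's own code: it reads a constructed access review log (CSV exported from a spreadsheet, with assumed column names) and tests it against one assumed policy rule, that every privileged account is reviewed at least every 90 days by a named reviewer.

```python
"""Check an access review log against the review cadence a policy states.

Added example, not ISMS Copilot's own code. It answers "are we following
our documented procedures?" deterministically for one control: the
assumed policy rule that every privileged account is reviewed at least
every 90 days by a named reviewer. Column names and log rows are
constructed for this example.
"""
import csv
import io
from datetime import date

REVIEW_INTERVAL_DAYS = 90  # assumption: the policy says "quarterly"

# Constructed access review log, as exported from a spreadsheet to CSV.
SAMPLE_LOG = """account,privileged,review_date,reviewer,outcome
alice,yes,2024-01-15,j.doe,retained
alice,yes,2024-04-10,j.doe,retained
bob,yes,2024-01-15,j.doe,retained
bob,yes,2024-06-30,j.doe,retained
carol,yes,2024-05-02,,retained
dave,no,2024-02-01,j.doe,retained
"""


def parse_log(text: str) -> list:
    """Parse the CSV export; dates become date objects so gaps can be computed."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["review_date"] = date.fromisoformat(row["review_date"].strip())
    return rows


def find_deviations(rows: list, as_of: date, expected_privileged=(),
                    interval_days: int = REVIEW_INTERVAL_DAYS) -> list:
    """Return (account, reason) pairs where practice diverges from the policy rule.

    Checks: every expected privileged account has a review on record, no two
    consecutive reviews are more than interval_days apart, the latest review is
    within interval_days of as_of, and each review names a reviewer.
    """
    by_account = {}
    for row in rows:
        if row["privileged"].strip().lower() == "yes":
            by_account.setdefault(row["account"], []).append(row)

    deviations = []
    for acct in sorted(set(by_account) | set(expected_privileged)):
        entries = sorted(by_account.get(acct, []), key=lambda r: r["review_date"])
        if not entries:
            deviations.append((acct, "no review on record"))
            continue
        previous = None
        for entry in entries:
            if not entry["reviewer"].strip():
                deviations.append((acct, f"review on {entry['review_date']} has no reviewer recorded"))
            if previous is not None:
                gap = (entry["review_date"] - previous).days
                if gap > interval_days:
                    deviations.append((acct, f"gap of {gap} days between reviews"))
            previous = entry["review_date"]
        overdue = (as_of - previous).days
        if overdue > interval_days:
            deviations.append((acct, f"last review {previous} is {overdue} days before {as_of}"))
    return deviations


def run_sample() -> list:
    """Run the check over the constructed log as of 2024-07-15 (assumed audit date)."""
    return find_deviations(parse_log(SAMPLE_LOG), date(2024, 7, 15),
                           expected_privileged={"alice", "bob", "carol", "erin"})


if __name__ == "__main__":
    for acct, reason in run_sample():
        print(f"{acct}: {reason}")
```

The account list passed as expected_privileged comes from your identity provider or asset inventory, not from the log itself; that is what catches accounts that were never reviewed at all, which a log-only check cannot see.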

Attach files at the start of conversations to establish context for all follow-up queries. ISMS Copilot remembers uploaded documents within the workspace conversation.

Effective File Upload Queries

Specify What to Analyze

Don't just upload and say "Review this." Provide direction:

  • ❌ "What do you think of this?" [attach policy]

  • ✅ "Review this data classification policy against ISO 27001 A.5.12 requirements. Check for completeness, appropriate sensitivity levels, and handling procedures."

State Your Framework and Scope

Files lack inherent context about which standard applies:

  • ❌ "Is this policy compliant?" [attach access control policy]

  • ✅ "Assess this access control policy against SOC 2 CC6.1-6.3 for our upcoming Type II audit. Focus on user provisioning, reviews, and privileged access."

Indicate Desired Output

Specify what you need back:

  • "Create a gap summary table with columns: Requirement, Current State, Gap (Y/N), Recommendation"

  • "Provide a marked-up version with suggested edits inline"

  • "List top 5 priority improvements ranked by audit risk"

  • "Generate a compliance checklist showing which controls are addressed vs. missing"

Provide Organizational Context

Files don't reveal your company size, tech stack, or constraints:

Example: "Review this business continuity plan [attach PDF] against ISO 27001 A.5.29 for a 60-person SaaS company with AWS infrastructure and 99.9% uptime SLA. Are RTOs and RPOs appropriate? Is our backup strategy sufficient?"

Multi-File Analysis

Upload multiple related files for comprehensive review:

Example query: "Review these three policies [attach: InfoSec Policy.pdf, Access Control Policy.pdf, Incident Response Policy.pdf] for consistency and completeness against ISO 27001:2022 Annex A.5 organizational controls. Identify contradictions, gaps, and redundancies."

Cross-reference example: "Compare our documented change management procedure [attach DOCX] with actual Jira change logs [attach XLSX]. Are we following our process? Where do deviations occur?"

While you can upload multiple files per query, analyzing 2-3 related documents works best. More than that may dilute focus—consider sequential queries for large document sets.

File Upload Best Practices

Before Uploading

  1. Remove sensitive data: Redact actual customer names, credentials, and PII that are not essential to the analysis

  2. Check file size: Ensure under 10MB; compress or split large files if needed

  3. Use clear filenames: "Access_Control_Policy_v2.pdf" beats "Document1.pdf"

  4. Verify file type: Convert unsupported formats (e.g., .pages to .docx)
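The four pre-upload steps above can be turned into a pre-flight check that runs before any file leaves your machine. The script below is an added example, not ISMS Copilot's own code: it enforces the 10MB limit and the supported types stated on this page, warns about non-descriptive filenames, and scans the document text for credentials and obvious PII, offering a labelled redaction so the document stays readable for analysis. The secret and PII patterns are illustrative (an assumption, not an exhaustive DLP rule set), and the script assumes the document text is already available as bytes; extracting text from real PDF, DOCX or XLSX files is left to a library of your choice.

```python
"""Pre-upload hygiene check for documents bound for ISMS Copilot.

Added example, not ISMS Copilot's own code. Implements the checks listed
above: 10MB size limit, supported types (PDF, DOCX, XLS, XLSX), a
descriptive filename, and no credentials or obvious PII left in the text.
Assumption: the document text is already available as bytes; extracting
text from real PDF/DOCX/XLSX files is left to a library of your choice.
"""
import os
import re
from dataclasses import dataclass, field

MAX_BYTES = 10 * 1024 * 1024
ALLOWED_EXT = {".pdf", ".docx", ".xls", ".xlsx"}

# Illustrative secret/PII patterns (assumption, not an exhaustive DLP set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}"),
}
GENERIC_NAME = re.compile(r"(?i)(document|untitled|scan|file)[ _-]?\d*")


@dataclass
class CheckResult:
    ok: bool = True
    problems: list = field(default_factory=list)   # block the upload
    warnings: list = field(default_factory=list)   # advisory only
    findings: dict = field(default_factory=dict)   # pattern name -> hit count


def scan_text(text: str) -> dict:
    """Count hits per pattern; only patterns with at least one hit are returned."""
    hits = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {name: n for name, n in hits.items() if n}


def redact(text: str) -> str:
    """Replace each hit with a labelled placeholder so the document stays readable."""
    for name, rx in PATTERNS.items():
        text = rx.sub(f"[REDACTED:{name}]", text)
    return text


def check_file(name: str, data: bytes) -> CheckResult:
    """Apply the pre-upload checks to one file and report what must change."""
    result = CheckResult()
    stem, ext = os.path.splitext(name)
    if ext.lower() not in ALLOWED_EXT:
        result.problems.append(f"unsupported type {ext or '(none)'}: convert to PDF, DOCX or XLSX")
    if len(data) > MAX_BYTES:
        result.problems.append(f"{len(data)} bytes exceeds the 10MB limit: split or compress")
    if GENERIC_NAME.fullmatch(stem):
        result.warnings.append(f"filename '{name}' is not descriptive")
    result.findings = scan_text(data.decode("utf-8", errors="ignore"))
    if result.findings:
        result.problems.append("sensitive data found: "
                               + ", ".join(f"{k} x{v}" for k, v in result.findings.items()))
    result.ok = not result.problems
    return result


# Constructed sample document (not a real policy); the key is the AWS
# documentation's published example key, not a live credential.
SAMPLE_POLICY = b"""Access Control Policy v2
Owner: security-team@example.com
Service account password: Hunter2!
AWS key used for backups: AKIAIOSFODNN7EXAMPLE
All privileged access is reviewed quarterly.
"""

if __name__ == "__main__":
    before = check_file("Access_Control_Policy_v2.pdf", SAMPLE_POLICY)
    print("before:", before.ok, before.problems)
    cleaned = redact(SAMPLE_POLICY.decode()).encode()
    after = check_file("Access_Control_Policy_v2.pdf", cleaned)
    print("after:", after.ok, after.problems)
    print(cleaned.decode())
```

Labelled placeholders such as [REDACTED:email] are deliberate: the analysis can still see that the policy names an owner and stores a credential, which is often the compliance-relevant fact, without the value itself ever leaving your environment.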

In Your Query

  1. Reference the upload: "Review the attached risk register..." makes clear which document you mean when several files exist in the conversation

  2. Explain the file's purpose: "This is our current-state policy needing update to 2022 standard"

  3. Set expectations: "Focus on gaps, not formatting issues" or "Prioritize high-risk findings"

After Upload

  1. Iterate based on findings: "Expand on the CC6.3 gap you identified—what specific controls are missing?"

  2. Request revisions: "Rewrite the access review section to address those gaps"

  3. Generate related content: "Create an evidence checklist for the controls this policy addresses"

Troubleshooting File Uploads

Upload Fails or Times Out

  • Check file size (must be under 10MB)

  • Verify file type (PDF, DOCX, XLS/XLSX only)

  • Try splitting large files into sections

  • Ensure stable internet connection

Analysis Misses Key Points

  • Provide more specific query direction ("Focus on Section 3.2 regarding privileged access")

  • Upload higher-quality source (e.g., original DOCX vs. scanned PDF)

  • Break multi-topic documents into separate uploads with focused queries

Response References Wrong Framework

  • Explicitly state framework in query: "Review against ISO 27001:2022, not SOC 2"

  • Check workspace custom instructions for conflicting context

File Processing Takes Too Long

  • Large files (15+ pages) may take 30-60 seconds to process

  • Complex spreadsheets with many tabs may delay response

  • Scanned PDFs (images) process slower than text-based PDFs

Privacy and Security Considerations

ISMS Copilot's file handling adheres to strict privacy standards:

  • Encryption: Files encrypted in transit and at rest

  • Data residency: Stored in EU (Frankfurt) data centers

  • No AI training: Uploaded content never used to train models

  • Access controls: Files visible only within your workspace

  • Retention: Files stored for conversation duration; delete workspace to remove

When to use PII reduction: Enable the PII reduction toggle if files contain examples with real names, emails, or identifiers that aren't essential to analysis.

For files containing highly sensitive data (M&A contracts, executive compensation, actual incident forensics with PII), consider uploading redacted versions or using placeholder text in queries instead of full documents.

Combining File Uploads with Other Techniques

Files + Custom Instructions

Set workspace context, then upload files—context applies automatically:

Instruction: "Financial services firm, 200 employees, implementing ISO 27001:2022"

Upload + Query: "Review attached access control policy against A.5.15-5.18" (no need to repeat industry/size)

Files + Personas

Switch personas for different analysis angles:

  1. Auditor persona: "Review this policy [attach] for SOC 2 audit readiness—what evidence gaps exist?"

  2. Implementer persona: "Based on that policy, give step-by-step implementation tasks for our DevOps team"

Files + Iterative Refinement

Upload once, refine through conversation:

  1. Upload: Attach current risk register

  2. Turn 1: "Review against ISO 27001 A.5.7—what's missing?"

  3. Turn 2: "Add the missing cloud infrastructure risks you identified"

  4. Turn 3: "Update risk scores using the 5x5 matrix you suggested"

  5. Turn 4: "Generate risk treatment plans for risks scored 15 or higher"

Example Workflows

Workflow 1: Policy Modernization

  1. Upload outdated policy (ISO 27001:2013-era access control policy)

  2. Query: "Compare this policy to ISO 27001:2022 A.5.15-5.18 requirements. What changed?"

  3. Follow-up: "Rewrite Section 4 (Access Reviews) to meet new A.5.18 requirements"

  4. Follow-up: "Add new Section 5 for Privileged Access (A.5.17) with our AWS and GitHub admin roles"

  5. Final: "Generate an approval memo for the CTO explaining changes and compliance benefits"

Workflow 2: Audit Preparation

  1. Upload 3 files: Access control policy, access review log (XLSX), Okta config doc

  2. Query: "Assess SOC 2 CC6.1 readiness using these documents. What evidence is strong? What's missing?"

  3. Follow-up: "Create a remediation plan for the missing evidence with 60-day timeline"

  4. Follow-up: "Draft updated access review procedure incorporating your recommendations"

  5. Final: "Generate an auditor briefing document summarizing our CC6.1 controls and evidence"

Workflow 3: Vendor Risk Assessment

  1. Upload vendor SOC 2 report + vendor contract

  2. Query: "Evaluate this vendor's SOC 2 report for our CC9.2 requirements. Does it cover data processing services in scope for our contract?"

  3. Follow-up: "What questions should we ask in a vendor questionnaire to address the gaps you found?"

  4. Follow-up: "Draft a vendor risk assessment summary for our compliance committee"

File uploads are most powerful when combined with specific queries and iterative refinement. Upload, analyze, improve, verify—all in one workspace conversation.

Next Steps

Identify an existing policy, report, or assessment that needs review. Upload it with a specific gap analysis or improvement query and experience how file context accelerates compliance work.
