
Build ISMS with Copilot: A Starter Workflow

This guide walks you through building an ISMS from scratch using ISMS Copilot, from workspace setup to generating your core document set. Follow this workflow to create a structured, audit-ready foundation for your ISO 27001 implementation.

What you'll accomplish

By the end of this workflow, you'll have:

  • A dedicated workspace for your ISMS project

  • Project instructions tailored to your organization

  • Core ISMS documents: policies, risk assessment, and Statement of Applicability

  • A clear path to validate and iterate on AI-generated outputs

Prerequisites

Before starting, gather:

  • Your framework choice (ISO 27001:2022 is the default for new ISMS builds)

  • Basic organizational context: industry, company size, systems in scope

  • Any existing security documentation (policies, procedures, diagrams) for upload

ISMS Copilot supports ISO 27001:2022, ISO 42001:2023, SOC 2, GDPR, HIPAA, DORA, NIS2, and more. This workflow focuses on ISO 27001 as the most common starting point, but the same approach applies to other frameworks.

Step 1: Create a dedicated workspace

Your ISMS project needs its own workspace to keep conversations, context, and generated documents organized in one place.

  1. Navigate to the Workspaces section in the sidebar

  2. Click Add workspace or the + button

  3. Name your workspace descriptively: ISO 27001 Implementation or [Company Name] — ISO 27001

  4. Click Create Workspace

For detailed workspace setup instructions, see How to create and set up your first workspace.

Step 2: Add project instructions

Project instructions give the AI persistent context about your organization, so you don't have to repeat the same background details in every conversation.

To add project instructions:

  1. Open your workspace and click Edit on the workspace card

  2. Find the Project Instructions text field

  3. Enter your organizational context

  4. Click Save Changes

What to include

Effective project instructions cover:

  • Industry and company size — e.g., "B2B SaaS, 50 employees, cloud-native on AWS"

  • Framework scope — e.g., "ISO 27001:2022, full ISMS certification"

  • Current maturity — e.g., "No existing ISMS, starting from scratch"

  • Key systems — e.g., "GitHub, Google Workspace, AWS, Stripe"

  • Output preferences — e.g., "Formal language suitable for audit documentation"

Example project instructions

Industry: B2B SaaS (healthcare sector)
Framework: ISO 27001:2022
Scope: Full ISMS implementation
Team: 45 employees, 3-person security team
Systems: GitHub, AWS, Google Workspace, Stripe
Current state: No existing ISMS, starting fresh
Output style: Formal, audit-ready documents

Avoid including sensitive data in project instructions: real client names, employee emails, specific budget figures, or details about security incidents. Use generic descriptions instead.

Step 3: Choose a persona

Each workspace can have a default persona that shapes AI responses. For building an ISMS, choose the persona that matches your role:

  • Implementer — Best for building an ISMS from scratch. Responses focus on actionable steps, policy templates, and control implementation guidance.

  • Consultant — Best if you're advising an organization. Responses include strategic recommendations and client-facing deliverables.

  • Default — General-purpose guidance for mixed tasks.

To set a persona:

  1. Open workspace settings (click Edit on the workspace card)

  2. Select your persona from the Default Persona dropdown

  3. Click Save Changes

Step 4: Generate your core ISMS documents

With your workspace configured, start generating documents. Begin with foundational ISMS artifacts and build out from there.

  1. Gap analysis — Understand what you have vs. what ISO 27001 requires

  2. Risk assessment — Identify assets, threats, and treatment plans

  3. Statement of Applicability — Document which Annex A controls apply

  4. Core policies — Information security policy, access control policy, acceptable use policy

  5. Supporting procedures — Incident management, change management, backup procedures

Example prompts

Start with these prompts inside your workspace:

Create a gap analysis table for ISO 27001:2022 Annex A controls.
Include columns: control ID, requirement, current status, gap description, priority.

Generate an information security policy for a SaaS company.
Reference ISO 27001 clauses 5.1-5.2 and include version control headers.

Create a risk assessment template with asset inventory, threat analysis,
and risk treatment plan. Format as a structured table.

Use Think mode for extended document generation sessions. Think mode supports indefinite conversations through automatic compaction, allowing you to generate multiple policies without interruption. See Generating Multiple Documents Efficiently for details.

Step 5: Access your generated documents

Documents generated within a workspace are saved to that workspace's file area. To find them:

  1. Navigate to your workspace

  2. Scroll to the Generated Files section

  3. Click any file to preview or download

For detailed file management, see Access workspace generated files.

Only documents generated within that specific workspace appear in its file area. Documents created outside a workspace are not automatically linked.

Step 6: Validate AI outputs before adoption

AI-generated documents accelerate your work, but they require validation before you treat them as final artifacts. ISMS Copilot reduces hallucination risk through framework knowledge injection, but you should still verify critical outputs.

Quick validation checklist

  • Spot-check control numbers against the official ISO 27001:2022 standard

  • Verify the AI used the current framework version (2022, not 2013)

  • Check that implementation guidance matches your actual tech stack

  • Confirm evidence requirements are achievable for your organization size

  • Ask follow-up questions to test depth: "Why is this control required?"

For comprehensive verification steps, see How to Verify AI-Generated Compliance Checklists for ISO 27001 and SOC 2.

Red flags to watch for

  • Control IDs that don't follow ISO 27001 Annex A numbering (A.5.1 through A.8.34)

  • Generic placeholders like "YourCompany" that weren't customized

  • Implementation steps that assume enterprise resources you don't have

  • Missing evidence requirements for controls that require verification
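The first three red flags can be checked mechanically before a reviewer reads a generated document. The script below is an added example, not part of ISMS Copilot or this guide; it assumes the per-theme control counts of the 2022 edition of Annex A (A.5: 37, A.6: 8, A.7: 14, A.8: 34) and scans a constructed sample document for out-of-range or 2013-style control IDs, uncustomized placeholders, and references to the superseded 2013 edition.

```python
import re
from typing import List, Optional

# ISO/IEC 27001:2022 Annex A has four themes with a fixed number of controls
# each. These counts come from the 2022 standard (assumption stated in the lead-in).
ANNEX_A_2022 = {5: 37, 6: 8, 7: 14, 8: 34}

# Matches A.x.y and the 2013-style three-level form A.x.y.z.
CONTROL_ID = re.compile(r"\bA\.(\d+)\.(\d+)(?:\.(\d+))?\b")
# Constructed list of generic placeholders that should have been customized.
PLACEHOLDERS = ("YourCompany", "[Company Name]", "[Organization]")
OLD_VERSION = re.compile(r"27001:2013")


def check_control_id(theme: int, num: int, sub: Optional[str]) -> Optional[str]:
    """Return a reason if the ID is not a valid 2022 Annex A control, else None."""
    if sub is not None:
        return "three-level ID (A.x.y.z) is 2013-style numbering"
    if theme not in ANNEX_A_2022:
        return f"theme A.{theme} does not exist in the 2022 Annex A (only A.5-A.8)"
    if not 1 <= num <= ANNEX_A_2022[theme]:
        return f"A.{theme} only has controls 1-{ANNEX_A_2022[theme]}"
    return None


def lint_document(text: str) -> List[str]:
    """Scan generated document text and return a list of red-flag findings."""
    findings = []
    for m in CONTROL_ID.finditer(text):
        reason = check_control_id(int(m.group(1)), int(m.group(2)), m.group(3))
        if reason:
            findings.append(f"invalid control ID {m.group(0)}: {reason}")
    lowered = text.lower()
    for token in PLACEHOLDERS:
        if token.lower() in lowered:
            findings.append(f"uncustomized placeholder: {token}")
    if OLD_VERSION.search(text):
        findings.append("references the superseded ISO 27001:2013 edition")
    return findings


# Constructed sample of an AI-generated policy with several red flags.
SAMPLE_DOC = """Information Security Policy - YourCompany
This policy implements A.5.1 (Policies for information security),
A.8.34 (Protection of information systems during audit testing),
A.9.2.1 (User registration) and A.8.35 (does not exist).
Aligned with ISO/IEC 27001:2013 Annex A.
"""

if __name__ == "__main__":
    for finding in lint_document(SAMPLE_DOC):
        print("RED FLAG:", finding)
```

A clean result from this check is necessary but not sufficient: it says nothing about whether the control text itself is accurate, which is what the spot-check against the official standard is for.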

Step 7: Iterate and expand

Building an ISMS is iterative. After your core documents:

  • Refine based on gaps — Your gap analysis highlights what's missing. Generate policies for high-priority gaps first.

  • Upload existing documents — If you have security policies or procedures, upload them for gap analysis and alignment checking.

  • Create control documentation — For each Annex A control in your Statement of Applicability, generate implementation evidence templates.

  • Prepare for audit — Generate internal audit checklists and management review templates as you approach certification.

For workspace organization strategies as your ISMS grows, see How to organize compliance projects with workspaces.

Starter workflow checklist

Use this checklist to track your progress through the ISMS build:

  • Create a dedicated workspace for your ISMS project

  • Add project instructions with organizational context

  • Set the Implementer persona for actionable guidance

  • Generate gap analysis to identify missing controls

  • Create risk assessment with asset inventory and treatment plan

  • Generate Statement of Applicability for applicable controls

  • Draft core policies (information security, access control, acceptable use)

  • Validate outputs against official framework requirements

  • Expand into control-specific procedures and evidence templates
