How to organize compliance projects with workspaces

Workspaces are the primary way to organize your compliance work in ISMS Copilot. By grouping related conversations under a single workspace, you maintain project-specific context, keep your project instructions consistent, and avoid mixing up details across different initiatives. This guide covers practical strategies for structuring workspaces so you can find what you need quickly, whether you manage one framework or dozens of client engagements.

Workspace organization strategies

There is no single correct way to organize workspaces. The right approach depends on your role and how you work. Here are four proven strategies:

By framework

Create one workspace per compliance framework. This is the most common approach for organizations pursuing specific certifications or regulatory compliance.

• ISO 27001 Implementation — all ISMS policies, risk assessments, control implementation, and audit prep

• SOC 2 Type II — trust services criteria mapping, evidence collection, auditor communication

• DORA Compliance — ICT risk management, incident reporting, resilience testing

• NIS2 Implementation — cybersecurity measures, supply chain security, incident notification

This works well because each framework has distinct terminology, control sets, and documentation requirements. Project instructions set once in the workspace persist across every conversation, so the AI always responds within the right compliance context.

By client

Consultants and vCISOs should create one workspace per client. This prevents cross-contamination of client-specific details like organizational context, risk appetite, and system architecture.

• Acme Corp — ISO 27001 gap analysis and implementation for a 200-person SaaS company

• GlobalHealth Ltd — HIPAA + SOC 2 for a healthcare platform

• FinSecure GmbH — DORA compliance for a mid-size financial services firm

Add client-specific project instructions to each workspace (industry, size, maturity level, framework scope, key constraints) so every conversation starts with the right context.

By project phase

For long-running implementations, splitting by phase prevents a single workspace from accumulating hundreds of conversations across months or years.

• ISO 27001 — Gap Analysis

• ISO 27001 — Implementation

• ISO 27001 — Audit Prep

• ISO 27001 — Surveillance Audit 2026

• ISO 27001 — Remediation

This approach is useful when project phases have distinct deliverables and timelines. Each workspace keeps its conversations focused on the current task.

By department or scope

Larger organizations can split workspaces by functional area when compliance responsibilities are distributed.

• IT Security Controls — access control, network security, vulnerability management

• HR Policies & Procedures — onboarding, security awareness training, acceptable use

• Physical Security — facility access, environmental controls, equipment disposal

• Vendor & Supply Chain — third-party risk assessments, supplier agreements

Recommended workspace structures

Here are concrete examples for three common scenarios:

Solo CISO implementing ISO 27001

You are leading your organization through initial ISO 27001 certification. Create 3-4 workspaces organized by project phase:

1. ISO 27001 — Gap Analysis & Scoping — context of organization, scope definition, interested parties, initial gap assessment

2. ISO 27001 — Risk Assessment & Treatment — asset inventory, threat analysis, risk register, Statement of Applicability

3. ISO 27001 — Policy Development — drafting all required policies and procedures, Annex A control documentation

4. ISO 27001 — Audit Preparation — internal audit planning, management review, evidence organization, Stage 1 and Stage 2 prep

Set project instructions in each workspace describing your organization (industry, size, systems in scope) so you do not have to repeat that context in every conversation.

Consultant managing 5 clients

You are a compliance consultant or vCISO with five active client engagements. Create one workspace per client:

1. Acme Corp — ISO 27001 2026

2. BrightPath — SOC 2 Type II

3. DataFlow GmbH — DORA

4. MedConnect — HIPAA

5. RetailOps — NIS2

In each workspace's project instructions, include: client name, industry, company size, framework scope, current maturity level, target dates, and any client-specific preferences (documentation style, risk appetite, terminology). This way, every conversation in the workspace already knows who the client is and what they need.

Organization doing ISO 27001 + SOC 2

Your company is pursuing both certifications simultaneously. Create one workspace per framework:

1. ISO 27001 Implementation — ISMS scope, Annex A controls, risk assessment, internal audits

2. SOC 2 Type II Program — trust services criteria, evidence collection, observation period, auditor prep

If there is significant overlap work (shared policies, integrated control mapping), consider adding a third workspace:

1. Cross-Framework Controls — control mapping between ISO 27001 and SOC 2, shared policy harmonization, integrated risk management

Naming conventions

Clear, consistent names save time when you have many workspaces. Pick a pattern and stick with it.

Practical naming patterns:

• Framework first: "ISO 27001 — Implementation 2026", "SOC 2 — Audit Prep Q3"

• Client first: "Acme Corp — ISO 27001", "BrightPath — SOC 2 Type II"

• Phase first: "Gap Analysis — ISO 27001", "Remediation — SOC 2 Findings"

• Department first: "IT Security — Access Controls", "HR — Security Awareness"

Tips:

• Include the year or quarter if you expect to create new workspaces for the same topic annually (e.g., "ISO 27001 Surveillance Audit 2026")

• Keep names short enough to read at a glance in the sidebar — aim for under 40 characters

• Avoid generic names like "Project 1" or "Workspace" — your future self will not remember what they contain

• If you manage clients, lead with the client name so workspaces sort alphabetically by client

Managing many workspaces

The sidebar shows your 3 most recently used workspaces for quick access. When you have more than a handful, here is how to stay organized:

• Sidebar (3 most recent): Your active workspaces naturally rise to the top as you use them. If you are actively working on 2-3 projects, the sidebar will show exactly what you need.

• Workspaces page (full grid): Click "View all workspaces" in the sidebar to open the workspaces page, which displays all your workspaces in a card grid layout. Use this when switching to a workspace you have not touched in a few days.

If you have 10 or more workspaces, consistent naming conventions become essential. When you scan the workspaces page, you need to identify the right workspace in seconds. Group related workspaces by using the same prefix (all client workspaces start with the client name, all framework workspaces start with the framework abbreviation).

Moving between workspaces

Switching workspaces is straightforward:

1. Click a workspace name in the sidebar to switch to it, or open the workspaces page and click the workspace card

2. The workspace name appears at the top of the chat area, confirming your active context

3. Start a new conversation or continue a recent one — the workspace page shows up to 10 recent conversations for that workspace

Conversations stay linked to the workspace where they were started. If you start a conversation while working in the "SOC 2 Audit Prep" workspace, that conversation remains associated with it even after you switch to a different workspace. You can always find it by returning to the original workspace.

When to create a new workspace vs. start a new conversation

This is one of the most common questions. Use this decision guide:

Create a new workspace when:

• You are starting work on a different compliance framework, client, or major project phase

• You need different project instructions (different organizational context, different framework focus)

• You want a clean separation of conversation history for organizational or confidentiality reasons

• Your current workspace has accumulated so many conversations that it is hard to find things

Start a new conversation (within the same workspace) when:

• You are switching topics within the same project (e.g., moving from risk assessment to policy drafting within your ISO 27001 workspace)

• Your current conversation has grown long and you want a fresh context window

• You are starting a new deliverable but it belongs to the same project

• You want to explore a different approach to the same compliance question

The key distinction: workspaces separate projects; conversations separate topics within a project. Project instructions apply at the workspace level and carry across all conversations in that workspace, so you do not lose organizational context when starting a new conversation.

Workspace cleanup

Over time, completed projects and inactive workspaces accumulate. Periodic cleanup keeps your workspace list manageable.

When to delete a workspace:

• The project is fully complete (certification achieved, audit passed, client engagement ended)

• You have exported or saved any conversations you need to keep

• The workspace was created by mistake or for a project that never started

When to keep a workspace:

• You may need to reference past conversations (surveillance audits, annual reviews, client re-engagement)

• The project is paused but not permanently finished

• The workspace contains project instructions you spent time refining — these are valuable if the project resumes

A good cadence is to review your workspaces quarterly. Archive what is finished (by renaming or deleting), update project instructions on active workspaces if your project context has changed, and create new workspaces for upcoming initiatives. This keeps your workspace list tight and your sidebar showing only what matters right now.