
How to use project instructions in workspaces

Project instructions let you set persistent context that applies to every conversation in a workspace. Instead of repeating your company background, compliance framework, or preferred output style at the start of each chat, you write it once as project instructions and ISMS Copilot carries that context forward automatically.

What are project instructions?

Every workspace in ISMS Copilot has an optional instructions field -- a free-text area where you describe the context, constraints, and preferences that should guide all AI responses within that workspace. Think of project instructions as a standing briefing note that the AI reads before every conversation.

Key characteristics:

  • Persistent across conversations -- Once set, instructions apply to every new and existing conversation in the workspace. You do not need to re-state them.

  • Workspace-scoped -- Each workspace has its own independent instructions. Changing instructions in one workspace does not affect others.

  • Free-form text -- There is no rigid template. Write in whatever format works for your project -- bullet points, prose, structured blocks, or a combination.

  • Editable at any time -- You can update instructions as your project evolves without losing conversation history.

How the AI uses instructions: Project instructions are injected as context before each AI response. The AI treats them as authoritative background -- it will tailor its answers to match the industry, framework, scope, and preferences you specify. More specific instructions produce more relevant responses.

How to add project instructions

  1. Log in to chat.ismscopilot.com and navigate to the workspace where you want to add instructions.

  2. On the workspace page, locate the Project Instructions card. If no instructions have been set yet, it displays the placeholder text: "Click to add project instructions..."

  3. Click the Project Instructions card. A modal dialog opens with a text editor.

  4. Type or paste your instructions into the text field. There is no strict format -- use whatever structure is clearest for your project.

  5. Click Save to apply. The instructions take effect immediately for all conversations in the workspace.

To edit existing instructions, click the Project Instructions card again. The modal opens with your current text, which you can modify and save.

Start simple, refine later. You do not need perfect instructions on day one. Begin with basic context (company name, framework, scope) and add detail as you discover what makes the AI responses more useful for your specific project.

What to include in your instructions

Effective project instructions give the AI enough context to respond as if it already understands your project. Here are the categories that matter most for compliance work:

Company context

Help the AI calibrate its recommendations to your organisation's reality:

  • Industry and sector (e.g., B2B SaaS, healthcare, financial services, manufacturing)

  • Company size (employee count, number of offices or locations)

  • Existing certifications or compliance posture (e.g., "Currently ISO 27001:2013 certified, transitioning to 2022")

  • Technology environment (cloud-native, on-premises, hybrid)

Project scope

Define what this workspace covers so the AI stays focused:

  • Target framework or standard (ISO 27001:2022, SOC 2 Type II, GDPR, NIS2, etc.)

  • Which controls, clauses, or domains are in scope

  • Project phase (gap analysis, implementation, audit preparation, surveillance audit)

  • Timeline and key milestones

Preferred output format

Tell the AI how you want responses structured:

  • Tone: formal (for client deliverables) or practical (for internal use)

  • Document structure preferences (e.g., "Use numbered sections with clause references")

  • Level of detail: executive summaries vs. step-by-step implementation guidance

  • Whether to include specific clause or control references in responses

Specific requirements

Capture constraints the AI should always respect:

  • National or regional regulations (e.g., UK GDPR, German BDSG, French ANSSI requirements)

  • Client or contractual requirements (e.g., "Client requires all policies follow NIST SP 800-53 mapping")

  • Regulatory body expectations (e.g., FCA, BaFin, HIPAA covered entity rules)

  • Budget or resource constraints that should shape recommendations

Terminology preferences

Ensure consistency across all generated content:

  • Preferred terms (e.g., "Use 'information security policy' not 'cybersecurity policy'")

  • Role titles used in your organisation (e.g., "Our CISO is titled 'Head of Information Security'")

  • Framework-specific language conventions (e.g., "Use ISO 27001 clause numbering, not Annex A control numbering, when referencing requirements")

Example instructions for common scenarios

Below are ready-to-use examples. Copy the one closest to your situation into your workspace and adapt the details.

ISO 27001 implementation project

COMPANY: Meridian Technologies, B2B SaaS, 120 employees,
headquartered in London with a development team in Berlin.
Cloud-native (AWS). No prior ISO certification.

PROJECT: ISO 27001:2022 initial certification.
Scope: All cloud-hosted customer-facing services and supporting
corporate IT. Excludes physical manufacturing.
Target certification audit: Q4 2026.

CURRENT STATE: Gap analysis completed. Major gaps in asset
management (A.5.9), supplier security (A.5.19-A.5.22), and
incident management (A.5.24-A.5.28). Have basic access control
and HR security in place.

PREFERENCES:
- Reference specific ISO 27001:2022 Annex A controls and clauses
- Practical, implementable recommendations (not theoretical)
- Assume limited security team (2 FTEs + part-time CISO)
- Suggest tooling appropriate for a 120-person SaaS company
- Formal tone for policy documents, practical tone for procedures
- Always flag where evidence collection is needed for audit

SOC 2 audit preparation

COMPANY: DataFlow Analytics, US-based SaaS startup, 45 employees.
AWS infrastructure managed via Terraform. Series B funded.

PROJECT: SOC 2 Type II audit preparation.
Trust Services Criteria: Security, Availability, Confidentiality.
Audit firm: [Firm Name]. Observation period: July-December 2026.
Audit scheduled: January 2027.

FOCUS AREAS:
- Evidence collection and organisation for Type II
- Continuous monitoring during observation period
- Change management controls (GitHub + Linear workflow)
- Vendor risk management (we use 30+ SaaS tools)
- Logical access reviews (Okta SSO + AWS IAM)

PREFERENCES:
- Map all recommendations to specific Trust Services Criteria
- Emphasise audit-readiness and evidence quality
- Assume engineering team handles most controls (no dedicated
  security team)
- Concise, actionable outputs -- the team is lean

Multi-framework compliance (ISO 27001 + GDPR)

COMPANY: HealthBridge GmbH, German health-tech company,
200 employees. Processes health data for EU hospitals.
ISO 27001:2022 certified (renewal due 2027). Subject to GDPR
and German BDSG. Appointed DPO in place.

PROJECT: Integrated compliance management -- maintaining ISO 27001
while strengthening GDPR posture ahead of regulatory review.

SCOPE:
- ISO 27001:2022 surveillance audit preparation
- GDPR Article 30 records of processing update
- DPIA for new patient data analytics feature
- Cross-mapping ISO 27001 controls to GDPR requirements

PREFERENCES:
- Always indicate which requirement (ISO clause or GDPR article)
  a recommendation addresses
- Flag where a single control satisfies both frameworks
- Reference German BDSG where it adds requirements beyond GDPR
- Use formal language suitable for regulatory submissions
- Include DPO review checkpoints in all processes

Consultant working for a client

ROLE: External compliance consultant engaged by NovaPay Ltd.
CLIENT: NovaPay Ltd, UK fintech, 80 employees. FCA regulated.
Payment services provider (PSD2 scope).

ENGAGEMENT: ISO 27001:2022 implementation + PCI DSS v4.0 gap
assessment. 6-month engagement, started February 2026.

CLIENT CONTEXT:
- No prior ISO certification. PCI DSS v3.2.1 compliant, needs
  v4.0 transition.
- Small IT team (5 people), outsourced SOC to MSSP.
- Risk-averse culture due to FCA oversight.
- Board requires monthly compliance progress reports.

MY DELIVERABLES:
- Gap analysis report (ISO 27001 + PCI DSS v4.0)
- Risk assessment and treatment plan
- Core ISMS policies (12 documents)
- Board-ready progress reports (monthly)
- Audit readiness assessment

PREFERENCES:
- Client-facing documents: formal, professional tone
- Internal working notes: concise, action-oriented
- Reference both ISO 27001 and PCI DSS requirements where they
  overlap
- Flag FCA-specific expectations where relevant
- Structure policies using client's existing document template
  (numbered sections, version control header, approval block)

Tips for effective instructions

Keep them concise but specific

Instructions do not need to be long -- they need to be specific. A five-line instruction that names your framework, company size, and project phase will outperform a vague paragraph. Avoid generic statements like "help me with compliance" in favour of concrete details like "ISO 27001:2022 gap analysis for a 50-person fintech."

Update as your project evolves

Instructions should reflect your project's current state. When you move from gap analysis to implementation, update the instructions. When you complete a milestone, note it. Outdated instructions can lead to irrelevant recommendations -- for example, the AI suggesting gap analysis activities when you are already in audit preparation.

Be explicit about what you do not want

Negative constraints are just as valuable as positive ones. If your project excludes physical security, say so. If you do not want theoretical explanations, state that you prefer actionable steps only. This prevents the AI from wasting your time on out-of-scope topics.

Use structured formatting

While instructions are free-form, using clear headings or labelled sections (COMPANY, PROJECT, PREFERENCES) makes them easier to scan and update. The AI parses structured text more reliably than a wall of prose.

Review your instructions monthly. Set a recurring reminder to review and update project instructions. As your compliance project progresses, your needs change -- instructions that were perfect during gap analysis may need adjustment during implementation or audit preparation.

Project instructions vs. conversation context

ISMS Copilot offers two ways to provide context to the AI. Understanding when to use each helps you get the best results.

Scope
  Project instructions: All conversations in the workspace
  Conversation context: Single conversation only

Persistence
  Project instructions: Permanent until you edit them
  Conversation context: Lasts for the conversation session

Best for
  Project instructions: Company context, framework, scope, preferences, role
  Conversation context: Specific task details, uploaded documents, one-off questions

Example
  Project instructions: "We are a 120-person SaaS company pursuing ISO 27001:2022"
  Conversation context: "Review this risk assessment spreadsheet I just uploaded"

How to set
  Project instructions: Project Instructions card on workspace page
  Conversation context: Type directly in the chat message

Use project instructions for:

  • Facts that are true across your entire project (company details, framework, scope, team size)

  • Preferences that should apply to every response (tone, format, terminology)

  • Constraints that never change (regulatory requirements, exclusions, role definitions)

Use conversation context for:

  • Task-specific details (e.g., "Draft a password policy" or "Review this vendor questionnaire")

  • Uploaded files and documents relevant to a particular task

  • One-off questions that do not reflect ongoing project needs

  • Temporary constraints (e.g., "For this document only, use bullet points instead of prose")

They work together. Project instructions and conversation context are not mutually exclusive. The AI combines both -- your workspace instructions provide the standing context, and your chat messages add task-specific detail. You get the best results when instructions handle the "who, what, and how" while conversations handle the "do this specific thing now."

Getting started

Open your workspace at chat.ismscopilot.com, click the Project Instructions card, and add your first set of instructions. Start with the basics -- your company name, the compliance framework you are working with, and your current project phase. You can always refine them later as you see how the AI responds.

For more on organising your compliance work with workspaces, see Managing workspaces.
