ISO 27001 Copilot

Our AI-Assisted ISO 27001 Copilot is designed to streamline and guide your ISO 27001 compliance efforts. This tool offers a user-friendly experience guiding you through the ISO 27001 preparation and certification process, ensuring a tailored approach to your specific requirements.

How it works

  • Step-by-Step Guidance: The AI Copilot engages you in structured dialogue, helping identify information security assets, potential threats, vulnerabilities, and suggesting appropriate controls.
  • Expertise on Demand: Harness ISO 27001 standards’ expertise built into the AI to cover ISO 27001 guidance comprehensively.
  • Instant Feedback: Receive immediate recommendations to bolster your information security posture.

Professional and Secure

Your trust is our priority. Powered by’s robust and secure infrastructure, we ensure the highest standards of data protection and privacy are maintained, keeping your data confidential and secure throughout your interaction with the Copilot.


Our Copilot utilizes GPT-4’s vast knowledge, enhanced with ISO 27001-specific training and instructions, to offer:

  • Contextual Guidance: Understands the nuances of your queries to provide tailored advice.
  • Informed Insights: Draws upon ISO 27001 knowledge to help with most aspects of the standard implementation.
  • Adaptive Learning: Fine-tunes its advice as it learns more about your organization’s unique context.
  • Compliance Focus: Aids in aligning with ISO 27001 standards, supporting your compliance journey.


While the ISO 27001 Copilot is a valuable ally in navigating ISO 27001, it’s vital to acknowledge its boundaries:

  • Accuracy: It strives for perfection but can make mistakes, lacking the nuanced judgment of a human expert. The free version is on a less performant model than the most advanced version. Despite training efforts, it can sometimes provide incorrect control references.
  • Supplemental Tool: It’s designed to enhance, not replace, the insight of information security professionals.
  • Interpretive Insight: Recommendations require thoughtful application within your organization’s context.
  • Not an Audit Alternative: This is a supporting tool, not a substitute for formal compliance audits.
  • Evolving Expertise: Regular updates aim to reflect the latest in information security, though real-time completeness can’t be guaranteed.

Disclaimer: Using the ISO 27001 Copilot for certification preparation does not guarantee that an organization will obtain ISO 27001 certification.

Terms and conditions

Utilizing the ISO 27001 Copilot signifies acceptance of key terms: it’s a beta service with potential for change and error. Data management is through, so their policies apply. If you are a consultant, ensure client consent for data use. Our ISO 27001 assistant aims for accuracy but can make mistakes, so verify for peace of mind. Expect updates, including potential changes in service features and pricing. Joining the beta without paying does not guarantee continuous free access. Only the pre-launch lifetime deal guarantees lifetime access to the ISO 27001 Copilot. Only the Pro plan of the ISMS Policy Generator guarantees continuous access to the ISO 27001 Copilot, as long as the user pays for it, of course. Discover the longer version of our terms of service.

Security and Privacy

We’re aware that with AI assistants, security and privacy are a concern. This is why we’re currently in closed beta: to talk to early users, understand their security considerations, and progressively compile FAQs on AI security and privacy, guided by expert online advice from StackAware on managing AI risks, to address your concerns thoroughly.

In the meantime, please refer to Chatbase’s Trust Center, Chatbase’s privacy policy and Cookie Notice, as they’re the third-party provider we use for this service.

Join Beta

Embrace the future of ISO 27001 compliance with the ISO 27001 Copilot. Your feedback and experiences will be instrumental in refining this innovative tool, making ISO 27001 compliance more accessible and manageable.

ISO 27001 Copilot Trust Center

Note: This Trust Center is dedicated to the ISO 27001 Copilot assistant (the data entered into it). By extension, it also covers the ISO 27001 Risk Assessment Assistant, as it shares the same characteristics. It doesn’t cover the ISMS Policy Generator, as the latter benefits from its own Trust Center. We believe security and data protection measures should be documented per product, as they’re different systems, each using its own set of providers. This Trust Center doesn’t cover the demo either (publicly accessible through, as the demo environment shouldn’t be used for sharing sensitive information.

For context, most of the ISO 27001 security and privacy measures documented here focus on Chatbase’s controls, as they’re the main provider involved in delivering this service. We’re aware of our own security and data protection responsibility as the data controller and as the platform hosting the AI system. These controls will also be documented.

Short version

The ISO 27001 Copilot isn’t trained on your data. Indeed, the OpenAI API does not use chat inputs and outputs to train its models.

You should still be careful with sharing sensitive information, as this data would be stored in OpenAI systems for 30 days and in Chatbase systems as long as we use Chatbase as a third party provider for the ISO 27001 Copilot.

Chatbase is a secure platform with a security and privacy focus, and that’s why we chose them to deliver the service offered by the ISO 27001 Copilot.

We may read your inputs and assistant outputs, only for service monitoring and abuse detection. Your data is not used for any other purpose, and is always accessed in a secure way, following strict access control measures.

Data Storage and Processing

Where is user data entered into the ISO 27001 Copilot (chatbot) stored?

It’s stored on systems, not on ours (ISMS Policy Generator Platform).

Even though we don’t host or store the data, Chatbase gives us the ability to monitor conversations (see inputs and outputs).

All data is stored in the United States.

At the moment, there’s no EU storage option.

Chatbase has a fully documented Trust Center, detailing how they implemented infrastructure, organizational, and product security measures, including the deployment of vulnerability management and system monitoring, especially important for AI systems.

Are there options for Private Storage to allow users to store data on their servers or in a specific region to meet compliance requirements?

No, current use of the service implies acceptance of the data being stored within Chatbase systems in the US.

Data Collection and Usage

What types of data is collected and stored when using the ISO 27001 Copilot?

User content collected and stored by Chatbase depends on what the user sends to the chatbot. We’ve included several reminders to make sure users of the ISO 27001 Copilot minimize the information they send to the chatbot.

These data minimization reminders include an on-page reminder shown when using the chatbot, as well as instructions built into the ISO 27001 Copilot that discourage the user from sharing information that identifies the company or that might compromise the company’s information classification.

Regarding metadata: cookies are used for user authentication within the chatbot, so that users can retrieve information from their previous session as they use the ISO 27001 Copilot over time. For context, access to the chatbot is protected by authentication in our application.

How is this data encrypted and protected during transit and at rest?

Yes, the database is encrypted at rest and in transit. Refer to Chatbase’s trust center for more details.

Data Ownership and Rights

Who holds the rights to the data entered into the ISO 27001 Copilot?

You own your data. Chatbase is only the custodian. How we define user content:

“User Content” is defined as any content, information, and materials that may be textual, audio, or visual
that you provide, submit, upload, publish, or make otherwise available to the ISO 27001 Copilot.

You are the only one who is in charge of User Content. You agree that you are the only one responsible
for the User Content you send, transmit, display, or upload while using the Services.

You are also responsible for following all laws that apply to the User Content, including, but not limited to, any laws
that require you to get permission from a third party to use the User Content and to give proper notices
of third-party rights.

You promise and guarantee that you have the right to upload the User Content to
the Services and that doing so does not violate or infringe on the rights of any third party.

Under no circumstances will the ISO 27001 Copilot be responsible for (a) User Content that is sent or viewed while using the
Services, (b) errors or omissions in the User Content, or (c) any loss or damage of any kind caused by the authorised use of, access to, or denial of access to User Content. ISO 27001 Copilot isn’t responsible for any User Content, but it has the right to delete any User Content at any time without notice if it breaks any of the rules in this agreement or the law. You keep the right to copy User Content and any other rights you already have.

What are the procedures for users to request data purging and deletion?

You must contact us, and we’ll ask Chatbase to remove your data.

Data Access and Privacy

Under what circumstances is user data accessed?

Our company does not store user content by default (it is stored in Chatbase’s database, not ours).

However, Chatbase grants us access to it for monitoring purposes.

Following a strict application of the least privilege principle, admins may read your inputs and assistant outputs for service monitoring and abuse detection.

This monitoring is done only with the intent of:

1) identifying potential vulnerabilities in the chatbot usage.

2) identifying areas where the chatbot might need further training to deliver an improved performance.

Regarding Chatbase, they do not access your data unless required for support requested by us. Chatbase does not sell your information to anyone.

Is Chatbase GDPR compliant?

Chatbase documents that it is GDPR compliant and plans to achieve SOC 2 Type 2 certification. Chatbase has established formal retention and disposal procedures for chatbot data. A data classification policy has been established to ensure that confidential data is properly secured and restricted to authorized personnel.

Use of Data for AI Training

Does Chatbase use the data entered into the ISO 27001 Copilot to train AI models?

No. Your company data is not used for training purposes. Chatbase uses the OpenAI API (certified SOC 2 Type 2), which ensures that your data is not used for training purposes.

OpenAI made it clear that API data inputs and outputs are not used for training models. This applies to the ISO 27001 Copilot.

Sub-processors and Third Parties

Does Chatbase use any sub-processors or third parties in providing the ISO 27001 Copilot assistant service?

When you use the ISO 27001 Copilot, your data is managed by’s chosen partners for various specialized tasks.

Your data is primarily handled by systems that use encryption and strict access protocols, meaning that under normal operations, these subprocessors do not have direct access to your data.

Pinecone would manage data in a way that supports AI operations without exposing it.

Supabase stores the data securely, while Vanta monitors security without directly viewing the data.

Vercel and Segment, instrumental in application deployment and analytics, respectively, also utilize your data in a way that doesn’t typically involve direct access.

These measures are in place to ensure that your data is used responsibly and remains confidential.

Where can users find details about these third parties?

You can see Chatbase’s subprocessors at any time on Chatbase’s trust center.

Compliance and Certifications

What measures does Chatbase take to ensure compliance with GDPR, HIPAA, or other data protection and security regulations?

Data retention procedures and data classification policies are established. More on Chatbase’s trust center.

Can users access compliance reports or certifications after signing a non-disclosure agreement (NDA)?

Anyone can ask for further information security management documentation by requesting access to Chatbase’s trust center. We don’t guarantee access will be granted.

Data Protection Measures

What are the specific security measures and policies has in place to safeguard user data?

Security measures established by Chatbase involve infrastructure security measures (database authentication, encryption keys access restriction, least privilege principle for database access, intrusion detection systems), organizational security measures (MFA, password policies, antivirus on laptops, mobile device management), and product security measures (data encryption in transit and at rest, control self-assessments, vulnerability management).

Is there a bug bounty program or a data breach response plan?

Chatbase logs security and privacy incidents. They track, resolve, and communicate incidents to affected parties. They have security incident response plans in place. Incident response plans are tested at least annually.

Data Retention Policy

What is Chatbase’s data retention policy for the data entered into the ISO 27001 Copilot assistant?

Currently, Chatbase retains the data as long as they’re our third-party provider. If you would like your data to be removed before then, please contact us detailing the nature of your request, and we’ll send a deletion request to Chatbase.

Remember that you’re not supposed to provide personal data or details allowing the identification of your company or your client’s company, if you’re a consultant acting on their behalf.

How can users manage their data retention preferences, and how is data purged from Chatbase systems?

No. This is something we aim for. We’ll do what it takes, but for now it is not offered, hence our insistence on data minimization and anonymization.

Yes. There’s a popup showing up the first time users interact with the ISO 27001 Copilot. It explicitly displays the use of Chatbase as an AI system provider. It invites the user to read our security and data protection measures. It discourages them from sharing sensitive information or revealing details allowing the identification of a company or individuals, if not necessary.

Consent is given through a checkbox that the user must tick to access the service. They can’t skip it. Once the box is checked, this consent information is recorded in our database.

As stated in our terms of service, users are responsible for making sure they have the right to use this service on behalf of their company or clients.

Operational Security

How is the Chatbot protected against vulnerabilities affecting AI assistants?

Chatbase has established a vulnerability management programme. On top of it, we plan to have at least annual threat analysis exercises focused on testing how the ISO 27001 Copilot responds to attempts at finding and exploiting vulnerabilities specific to AI chatbots. For security reasons, we can’t publicly share details of our threat analysis programme.

How do you prevent the Chatbot from being embedded in other systems by malicious actors?

We’ve restricted the domains that can embed the ISO 27001 Copilot on their website. Only we can.

Business Continuity

How do you ensure the continuity of the service provided by the ISO 27001 Copilot?

We’ve made secure backups of the instructions and training resources, so that if we lost access to Chatbase, we would be able to retrain another chatbot and make it available within a couple of days. Alternative providers have been identified, and we’re working on an option to self-host the ISO 27001 Copilot.

AI Management Systems

How do you make sure the AI management measures you implement and document are relevant?

We’re doing our best to stay on top of secure AI deployment practices. We use an internal AI assistant, the Secure AI deployment copilot, to help us conduct the required verifications throughout the deployment of AI systems.

We’re active readers of StackAware resources to stay educated on secure deployment of AI.

We’re in the process of attending an ISO 42001 course and conducting an impact assessment of the EU AI Act.

We engage weekly with Generative AI security professionals, from data protection to security researchers looking for vulnerabilities in AI assistants. Relevant findings are analyzed for potential implementation of additional controls, when possible.

Going further

We hope we’ve answered most of your data security and privacy concerns regarding the ISO 27001 Copilot.

If you can’t find your question here or need further clarification, simply use the contact form.