ISO 27001 Copilot

Our ISO 27001 Copilot is an AI chatbot designed to help you in your ISO 27001 implementation efforts. A “ChatGPT for ISO 27001”, provided by ISO 27001 professionals. We trained it to be an effective and helpful consulting assistant, based on actual knowledge of how to implement ISO 27001. This knowledge make it a better assistant than ChatGPT, whether you want to get ISO 27001 or maintain it for your company.

Who is the ISO 27001 Copilot for?

The ISO 27001 Copilot is for anybody that needs help with ISO 27001. Lead implementers, auditors, consultants, CTOs, GRC professionals. Focused on ISO 27001, it will understand the exact issue you’re facing and do its best to suggest you an appropriate solution.

What are the ISO 27001 Copilot use cases?

Anything you need help with. Methodological guidance, assessing a risk, defining a risk treatment plan, understanding deeply a control, justifying a risk acceptance. It’s your ISO 27001 assistant, whether you want to prepare ISO 27001, or maintain your ISMS after the certification.

How should you talk to the ISO 27001 Copilot?

As you would with a human being. Just be very specific on what you need, and it will most likely answer your request satisfactorily. People tend to use the least number of words possible when talking to AI assistants. That’s fine as long as your request is clear. “Help me evaluating the following risk”, “What policies are mandatory”, etc.

Is the ISO 27001 Copilot better than ChatGPT?

ChatGPT is surely a great tool (we love it, when used securely). And actually, there’s a basic version of the ISO 27001 Copilot you can access in ChatGPT. The thing is that ChatGPT is such a general tool that it can’t know deeply about actually implementing ISO 27001. That’s just not its job.

Comparatively, the ISO 27001 Copilot we offer has been trained with actual ISO 27001 implementation knowledge, making it more specific, helpful, and less likely to make mistakes. The ISO 27001 Copilot answers more concisely, and behaves more like a consultant would do, trying to look for practical solutions that exactly solve your issue.

Professional and Secure

Your trust is our priority. In short, your inputs are not used to train the model. Powered by Chatbase.co’s robust and secure infrastructure, we ensure the highest standards of data protection and privacy are maintained, keeping your data confidential and secure throughout your interaction with the Copilot. See our AI trust center below.

What are the limitations of ISO 27001 Copilot?

While the ISO 27001 Copilot is performant and helpful, there are currently limits to be aware of:

  • Accuracy: It strives for perfection but can make mistakes. The ISO 27001 has been trained on the necessary knowledge, including real use cases of ISO 27001 implementation, but it can still lack the nuanced judgment of a human expert. Despite training efforts, it can sometimes provide incorrect control references.
  • Supplemental Tool: We believe it’s still good to have ISO 27001 knowledge when using the ISO 27001 Copilot. But it would be the same when you work with a consultant. Mistakes can occur, so becoming familiar with the ISO 27001 standard is still recommended. Our assistant designed to enhance, not replace, the insight of information security professionals.
  • Your context is king: You know your context better than anyone else. Unless you share thoroughly your context with the copilot, remember that recommendations require thoughtful application within your organization’s context.
  • Not an Audit Alternative: This is a supporting tool, not a substitute for formal compliance audits. Pretty obvious, but better to be said.
  • Evolving Expertise: the assistant is trained with latest ISO 27001-related knowledge, but there are other things it might not know, since it doesn’t access internet. Just be aware of it.

Disclaimer: using the ISO 27001 Copilot for certification preparation does not guarantee at all getting the ISO 27001 certification for an organization.

Terms and conditions

Utilizing the ISO 27001 Copilot signifies acceptance of key terms: it’s a beta service with potential for change and error. Data management is through Chatbase.co, so their policies apply. If you are a consultant, ensure client consent for data use. Our ISO 27001 assistant aims for accuracy but can make mistakes, so verify for peace of mind. Expect updates, including potential changes in service features and pricing. Joining beta without paying does not guarantee continuous free access. Only the pre-launch lifetime deal guarantees a lifetime access to the ISO 27001 Copilot. Only the Pro plan of ISMS Policy generator guarantees a continuous access to the ISO 27001 Copilot, as long as the user pays for it, of course. Discover the longer version of our terms of service.

Security and Privacy

We’re aware that with AI assistants, security and privacy are a concern. This is why we chose safe AI providers, established the necessary controls, and continue to talk with our early users, understand their security considerations, and progressively compiling the below FAQ on AI security and privacy, guided by expert online advice from Stackware on managing AI risks.

Additionally to the below AI Trust Center, please refer to Chatbase’s Trust Center, Chatbase’s privacy policy and Cookie Notice, as they’re our third party provider used for this service.

Join Beta

Embrace the future of ISO 27001 compliance with the ISO 27001 Copilot. Your feedback and experiences will be instrumental in refining this innovative tool, making ISO 27001 compliance more accessible and manageable.

ISO 27001 Copilot Trust Center

Note: This Trust Center is dedicated to the ISO 27001 Copilot assistant (the data entered into it). By extension, it also covers the ISO 27001 Risk Assessment Assistant, as it shares the same characteristics. It doesn’t cover the ISMS Policy Generator, as the latter benefits from its own Trust Center. We believe security and data protection measures should be documented per product, as they’re different systems, and using a unique set of providers.

For the context, most of the ISO 27001 security and privacy measures documented here focus on Chatbase’s controls, as they’re the main provider involved in delivering this service. We’re aware of our own security and data protection responsibility as data controller, and platform hosting the AI system. These controls (including penetration testing) will also be documented.

Table Of Contents

Short version

Why the ISO 27001 Copilot isn’t trained on your data

The ISO 27001 Copilot isn’t trained on your data. Why? Two reasons:

1) The ISO 27001 Copilot relies on the OpenAI API, which does not use chat inputs and outputs to train its models.

2) We are not reliant on user inputs to train the assistant. The assistant has been taught a reliable ISO 27001 implementation methodology, and thoroughly tested by dedicated testers to provide good answers. Therefore, it doesn’t need user inputs for training.

3) We only take what you give us. The ISO 27001 Copilot doesn’t request access to any of your systems. It’s not “hungry” for your data.

Data Privacy and Security

You should still be careful with sharing sensitive information, as this data would be stored in OpenAI systems for 30 days and in Chatbase systems as long as we use Chatbase as a third party provider for the ISO 27001 Copilot.

Our recommendation is to anonymize and minimize the data you’re sharing. Most times, you don’t need to give information identifying the company to get relevant assistance. Follow our guidelines on interacting securely with AI chatbots if you need more guidance.

On our side, we ensure your security with information security controls focused on the specific vulnerabilities our AI systems are exposed to. Our AI systems are tested against the Artificial Intelligence Risk Scoring System (AIRSS). If you need more details about the scope of our penetration tests, please write to us.

Beyond the AI systems, our SaaS hosting the AI systems also benefits from robust controls to protect your data.

Third Party Provider

Chatbase is a secure platform with a security and privacy focus, and that’s why we chose them to deliver the service offered by the ISO 27001 Copilot.

Service Monitoring and Abuse Detection

We may read your inputs and assistant outputs, only for service monitoring and abuse detection.

If admins observe the model responded in a wrong or misleading way, they will manually teach the model to do better next time. This manual improvement process guarantees that data about your company won’t be given to the model.

Your data is not used for any other purpose, and if accessed, it is accessed in secure way, following strict access controls measures.

Data Storage and Processing

Where is user data entered into the ISO 27001 Copilot (chatbot) stored?

It’s stored on Chatbase.co systems, not on ours (ISMS Policy Generator Platform).

Even though we don’t host or store the data, Chatbase grants us an ability to monitor conversations (see inputs and outputs).

All data is stored in the United States.

At the moment, there’s no EU storage option.

Chatbase has a fully documented Trust Center, detailing how they implemented infrastructure, organizational, and product security measures, including the deployment of vulnerability management and system monitoring, especially important for AI systems.

Are there options for Private Storage to allow users to store data on their servers or in a specific region to meet compliance requirements?

No, current use of the service implies acceptance with the data being stored within Chatbase systems in the US.

Data Collection and Usage

What types of data is collected and stored when using the ISO 27001 Copilot?

User content collected and stored by Chatbase depends on what the users sends to the chatbot. We’ve included several reminders to make sure users of the ISO 27001 Copilot minimize information they send to the chatbot.

This these data minimization reminders include: an on-page reminder when using the chatbot, but also instructions built in the ISO 27001 Copilot, that will discourage the user from sharing information identifying the company or that might be compromising the company’s information classification.

Regarding meta data: cookies are used for user authentication within the chatbot, so that the user can retrieve information from their previous session, as they use the ISO 27001 Copilot over time. For the context, access to the chatbot is protected by authentication in our application.

How is this data encrypted and protected during transit and at rest?

Yes, database is encrypted at rest and in transit. Refer to Chatbase’s trust center for more details.

Data Ownership and Rights

Who holds the rights to the data entered into the ISO 27001 Copilot?

You own your data. Chatbase is only the custodian. How we define user content:

“User Content” is defined as any content, information, and materials that may be textual, audio, or visual
that you provide, submit, upload, publish, or make otherwise available to the ISO 27001 Copilot.

You are the only one who is in charge of User Content. You agree that you are the only one responsible
for the User Content you send, transmit, display, or upload while using the Services.

You are also responsible for following all laws that apply to the User Content, including, but not limited to, any laws
that require you to get permission from a third party to use the User Content and to give proper notices
of third-party rights.

You promise and guarantee that you have the right to upload the User Content to
the Services and that doing so does not violate or infringe on the rights of any third party.

Under no circumstances will the ISO 27001 Copilot be responsible for (a) User Content that is sent or viewed while using the
Services, (b) errors or omissions in the User Content, or (c) any loss or damage of any kind caused by the authorised use of, access to, or denial of access to User Content. ISO 27001 Copilot isn’t responsible for any User Content, but it has the right to delete any User Content at any time without notice if it breaks any of the rules in this agreement or the law. You keep the right to copy User Content and any other rights you already have.

What are the procedures for users to request data purging and deletion?

You must contact us, and we’ll request Chatbase the removal of your data.

Data Access and Privacy

Under what circumstances is user data accessed?

Our company does not store user content by default (it is stored in Chatbase database, not ours).

However, Chatbase grants us access to it for monitoring purpose.

Following a strict application of the least privilege principle, admins may read your inputs and assistant outputs for service monitoring and abuse detection.

This monitoring purpose is only done with the intent of

1) identifying potential vulnerabilities in the chatbot usage.

2) identifying areas where the chatbot might need further training to deliver an improved performance.

Regarding Chatbase, they do not access your data unless required for support requested by us. Chatbase does not sell your information to anyone.

Is Chatbase GDPR compliant?

Chatbase documents being GDPR compliant, plans to achieve SOC 2 Type 2 certification. Chatbase established formal retention and disposal procedures of chatbot data. A data classification policy has been established to ensure that confidential data is properly secured and restricted to authorized personnel.

Use of Data for AI Training

Does Chatbase use the data entered into the ISO 27001 Copilot to train AI models?

No. Your company data is not used for training purpose. Chatbase uses the OpenAI API (certified SOC 2 Type 2), which ensures that your data is not used for training purposes.

OpenAI made it clear that API data inputs and outputs are not used for training models. It applies to the ISO 27001 Copilot.

Sub-processors and Third Parties

Does Chatbase use any sub-processors or third parties in providing the ISO 27001 Copilot assistant service?

When you use the ISO 27001 copilot, your data is managed by Chatbase.co’s chosen partners for various specialized tasks.

Your data is primarily handled by systems that use encryption and strict access protocols, meaning that under normal operations, these subprocessors do not have direct access to your data.

Pinecone would manage data in a way that supports AI operations without exposing it.

Supabase stores the data securely, while Vanta monitors security without directly viewing the data.

Vercel and Segment, instrumental in application deployment and analytics, respectively, also utilize your data in a way that doesn’t typically involve direct access.

These measures are in place to ensure that your data is used responsibly and remains confidential.

Where can users find details about these third parties?

You can at all time see Chatbase subprocessors on Chatbase’s trust center.

Compliance and Certifications

What measures does Chatbase take to ensure compliance with GDPR, HIPAA, or other data protection and security regulations?

Data retention procedures and data classification policies are established. More on Chatbase’s trust center.

Can users access compliance reports or certifications after signing a non-disclosure agreement (NDA)?

Anybody can ask further information security management documentation through requesting access to Chatbase’s trust center. We don’t guarantee access will be granted.

Data Protection Measures

What are the specific security measures and policies Chatbase.co has in place to safeguard user data?

Security measures established by Chatbase involve infrastructure security measures (database authentication, encryption keys access restriction, least privilege principle for database access, intrusion detection systems), organizational security measures (MFA, passoword policies, antivirus on laptops, mobile device management), product security measures (data encryption in transit and at rest, control-self assessments, vulnerability management).

Is there a bug bounty program or a data breach response plan?

Chatbase logs security and privacy incidents. They track, resolve, and communicate incidents to affected parties. They’ve security incident response plans in place. Incident response plans are tested at least annually.

Data Retention Policy

What is Chatbase’s data retention policy for the data entered into the ISO 27001 Copilot assistant?

Currently, Chatbase retains the data as long as they’re our third party provider. If you would like your data to be removed before, please contact us detailing the nature of your request, and we’ll send a deletion request to Chatbase.

Remember that you’re not supposed to provide personal data or details allowing the identification of your company or your client’s company, if you’re a consultant acting on their behalf.

How can users manage their data retention preferences, and how is data purged from Chatbase systems?

No. This is something we aim for. We’ll do what it takes, but for now it is not offered, hence our insistence on data minimization and anonymization.

Yes. There’s a popup showing up the first time users interact with the ISO 27001 Copilot. It explicitly displays the use of Chatbase as an AI system provider. It invites the user to read our security and data protection measures. It discourages them from sharing sensitive information or revealing details allowing the identification of a company or individuals, if not necessary.

Consent is a checkbox that user must click to access the service. They can’t escape it. Once the check is checked, this consent information is recorded in our database.

As stated in our terms of service, users are responsible for making sure they’ve the right to use this service on behalf of their company or clients.

Operational Security

How do you know the ISO 27001 Copilot won’t produce harmful content?

We conducted a penetration test on our systems to understand what vulnerabilities the ISO 27001 Copilot is exposed to. While we can never be 100% sure of the behaviour of a chatbot, we implemented safeguards that prevent against misuse.

How is the Chatbot protected against vulnerabilities affecting AI systems?

Chatbase established a vulnerability management programme. On top of it, we plan to have at least annual threat analysis exercises focused on testing how the ISO 27001 Copilot responds to attempts at finding and exploiting vulnerabilities specific to AI chatbots.

For security reasons, we can’t detail publicly details of our threat analysis programme. We can just mention its comprehensive aspect, covering relevant attack vectors, such as Prompt injection, Sponge attacks, Inference attacks, Sensitive data generation, Data poisoning.

How do you prevent the Chatbot being embedded in other systems my malicious actors?

We’ve restricted the domains that can embed the ISO 27001 Copilot on their website. Only us can.

How do you protect the infrastructure hosting the AI system?

The infrastructure hosting the ISO 27001 Copilot, i.e. the ISMS Copilot SaaS platform, is monitored by a Security Operations Center.

Business Continuity

How do you ensure the continuity of the service provided by the ISO 27001 Copilot?

We’ve made secured backups the instructions and training resources, so that, if we would lose access to Chatbase, we would be able to retrain another chatbot and make it available within a couple of days. Alternative providers have been identified, and we’re working on an option to self-host the ISO 27001 Copilot.

AI Management Systems

How do you make sure the AI management measures you implement and document are relevant?

We’re doing our best to stay on top on secure AI deployment practices. We use an internal AI assistant, the Secure AI deployment copilot, to help us conducting the required verifications along the deployment of AI systems.

We’re active readers of Stackaware resources to stay educated on secure deployment of AI.

We’re in the process attending an ISO 42001 course and conducting an impact assessment of the AI EU act.

We engage weekly with Generative AI security professionals, from data protection to security researchers looking for vulnerabilities in AI assistants. Relevant findings are analyzed for potential implementation of additional controls, when possible.

Going further

We hope we’ve answered most of your data security and privacy concerns regarding the ISO 27001 Copilot.

If you can’t find your question here or need further clarification, simply use the contact form.