ISMS Copilot
Legal

Intellectual Property Compliance

ISMS Copilot maintains strict intellectual property compliance policies to ensure all content respects the rights of standards organizations and third-party content owners.

All standards referenced in the platform are acquired through authorized distribution channels. We do not use unauthorized copies of any copyrighted material.

Canonical summary on the Trust Center: a concise authoritative summary of these IP compliance commitments — including third-party content acknowledgements — is published at trust.ismscopilot.com/ip-compliance. This help article remains the longer operational version.

Content Sourcing Standards

All standards and frameworks referenced by ISMS Copilot are acquired legitimately:

  • ISO standards (27001, 42001, 27701) — purchased through authorized national standards bodies

  • SOC 2 Trust Service Criteria — acquired from AICPA

  • PCI DSS — obtained from PCI Security Standards Council

  • EU regulations (GDPR, NIS 2, DORA, AI Act) — public law, freely referenced

We maintain proof of purchase for all copyrighted standards and acquire updated editions as they are published.

How We Protect IP Rights

Framework Knowledge Tables

Our framework reference tables contain only:

  • Control IDs (e.g., ISO 27001 A.5.1, SOC 2 CC6.1)

  • Concise control titles

We do not reproduce full control text, normative requirements, or copyrighted implementation guidance. Control identifiers and short titles are factual elements not subject to substantial copyright protection and are used solely for navigational and reference purposes, consistent with industry practice in compliance tools. These references are supported by our legitimately purchased copies of the standards and do not substitute for official publications.

Users conducting certification or audit work must obtain official copies of applicable standards from the relevant standards body. ISMS Copilot provides implementation guidance only and does not replace authoritative standard texts.

AI-Generated Content Guardrails

All AI system prompts include IP protection rules:

  • No verbatim quotation — AI cannot quote excerpts from ISO or copyrighted standards

  • No close paraphrasing — Content must not closely reproduce copyrighted expression

  • Attribution required — Responses mention the organization that developed referenced standards

  • Original guidance only — Focus on actionable advice specific to user context

Our AI providers (Anthropic, OpenAI) offer copyright indemnification to qualifying enterprise and API customers for certain claims related to model-generated outputs, subject to their respective commercial terms, conditions, and exclusions. These protections apply only to content generated by the models themselves. All content we inject into AI context — including framework tables and knowledge base material — is independently verified for IP compliance and does not rely on provider indemnification.

Knowledge Base Management

Our RAG knowledge base contains only original consulting knowledge created by the Better ISMS team. We conduct annual audits to verify:

  • No copyrighted standard text (ISO, AICPA, etc.)

  • All content is original or lawfully licensed

  • No scraped content from unauthorized sources

Most recent audit: February 2026 — Result: Compliant.

Third-Party Content Under Permissive Licenses

Some platform content is openly licensed and is incorporated under the terms of its source license. Adapted versions retain the original license and attribution.

SOC 2 Report Review skill (Creative Commons)

The built-in SOC 2 Report Review skill in the chat product adapts the SOC 2 Reliability Rubric maintained by the SOC 2 Quality Guild (s2guild.org), originally licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0), © 2026 SOC 2 Quality Guild. In accordance with the share-alike obligation in CC BY-SA 4.0 §3(b)(1), this adaptation is also licensed under CC BY-SA 4.0.

The 11-signal taxonomy and the Structure / Substance / Source pillar grouping are taken from the Guild rubric. The chat workflow, the Pass / Flag / Skip verdict scheme, and the summary scorecard format are this project's adaptation. The same rubric is also the basis of the public ISMS Copilot tool at ismscopilot.com/resources/soc2-red-flags-checker.

Open-Source Dependencies

The ISMS Copilot software incorporates third-party open-source software through the dependency manifests of its repositories. Common licenses across these dependencies include MIT, Apache-2.0, ISC, BSD-2-Clause, BSD-3-Clause, and MPL-2.0. A full register of these dependencies, alongside the Creative Commons-licensed components above, is maintained internally and available on request — contact [email protected]. The Trust Center publishes the consumer-facing summary.

What This Means for You

ISMS Copilot provides implementation guidance based on legitimately purchased standards and original consulting expertise. We do not reproduce or substitute for official standards.

When using the platform:

  • You receive actionable advice grounded in real-world consulting experience

  • Responses reference standards appropriately with attribution

  • You still need access to official standards for certification/audit work

ISMS Copilot accelerates compliance workflows but does not replace the authoritative standard texts required for formal certification or audit processes.

Compliance Mapping

These IP policies support:

  • ISO 27001:2022 A.5.32 — Intellectual property rights

  • SOC 2 CC3.1 — Risk assessment and management

If you have questions about how specific content is sourced or licensed, contact [email protected].

Was this helpful?