Prompt engineering

Be Clear and Specific

Why Specificity Matters

In compliance work, precision determines whether you get actionable guidance or generic advice. ISMS Copilot's specialized training across ISO 27001, SOC 2, NIST, GDPR, and other frameworks requires clear references to surface the right controls, evidence requirements, and implementation steps.

Vague queries like "How do I secure data?" could apply to hundreds of controls across dozens of frameworks. Specific queries targeting exact standards save time and reduce errors in high-stakes audits.

Key Elements of Specific Prompts

1. Framework and Version

Always specify the exact standard and version you're working with.

❌ Vague: "What are the access control requirements?"

✅ Specific: "What are the access control requirements for ISO 27001:2022 Annex A.5.15?"

Referencing versions ensures you get current guidance aligned with your audit scope.

2. Control or Requirement Numbers

Cite exact control identifiers when possible.

❌ Vague: "Tell me about SOC 2 logical access"

✅ Specific: "What evidence do I need for SOC 2 CC6.1 (logical and physical access controls)?"

Control numbers unlock detailed implementation guidance and audit evidence lists.

3. Organizational Context

Include company size, industry, and relevant technologies.

❌ Generic: "How do I implement multi-factor authentication?"

✅ Contextualized: "How do I implement MFA for ISO 27001 A.5.17 in a 40-person healthcare startup using Google Workspace and AWS?"

Context produces recommendations that fit your actual environment, not theoretical ideals.

4. Desired Outcome

State what you need—policy draft, evidence list, implementation steps, gap analysis.

❌ Unclear: "Help with incident management"

✅ Clear: "Generate an incident response procedure for ISO 27001 A.5.24 covering detection, response, and reporting for a SaaS platform"

Examples by Framework

ISO 27001

Vague: "What about encryption?"

Specific: "How do I implement cryptographic controls for ISO 27001:2022 A.8.24 to protect customer data at rest in PostgreSQL and in transit via APIs?"

SOC 2

Vague: "SOC 2 change management?"

Specific: "What change management processes satisfy SOC 2 CC8.1 for a development team using GitHub, Jira, and AWS CodePipeline?"

NIST CSF

Vague: "Supply chain security tips"

Specific: "What vendor risk assessment procedures align with NIST CSF ID.SC-2 for a fintech company evaluating SaaS vendors handling PII?"

GDPR

Vague: "GDPR data protection"

Specific: "What technical measures satisfy GDPR Article 32 for a marketing platform processing EU customer data with Salesforce and Mailchimp?"

Specificity in Complex Scenarios

Gap Analysis

When uploading files or describing current state, provide details:

Example: "Review our attached access control policy against SOC 2 CC6.1-6.3. We're a 60-person company using Okta for SSO, AWS IAM, and GitHub. Identify missing controls for Type II audit."

Risk Assessments

Specify scope, assets, and threat model:

Example: "Create a risk assessment template for ISO 27001 A.5.7 covering cloud infrastructure (AWS), customer database (RDS), and internal tools (Google Workspace) for a Series A SaaS startup"

Multi-Framework Alignment

Name all applicable standards:

Example: "How do I create a single access review process that satisfies both ISO 27001:2022 A.5.18 and SOC 2 CC6.1 for quarterly audits?"

If you're unsure of exact control numbers, start broad ("What are the ISO 27001 access controls?"), then drill down with specific follow-ups ("Expand on A.5.15 for our AWS environment").

Common Mistakes

  • Omitting versions – ISO 27001:2013 vs. 2022 have different controls; specify to avoid outdated guidance

  • Using jargon without context – "Our RBAC needs help" doesn't indicate framework, tool, or problem

  • Asking multiple unrelated questions – "Tell me about A.5.1, A.8.1, and A.12.1" dilutes focus; separate queries work better

  • Assuming ISMS Copilot knows your setup – It doesn't have prior knowledge of your organization; always provide context

Testing Your Specificity

Before sending a query, ask yourself:

  1. Did I name the framework and version?

  2. Did I include control/requirement numbers?

  3. Did I describe my organization's context?

  4. Is my desired output clear?

If any answer is "no," refine your prompt.
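The four questions above can be automated as a pre-send lint. The following is an added example in Python, not part of ISMS Copilot or this guide; its regular expressions are assumed heuristics that only recognise the identifier styles shown on this page (ISO Annex A, SOC 2 CC criteria, NIST CSF subcategories, GDPR articles) and a small list of context and outcome keywords.

```python
import re

# Constructed heuristics for the four checklist items; not ISMS Copilot code.
FRAMEWORKS = re.compile(r"\b(ISO\s*27001|SOC\s*2|NIST\s*CSF|GDPR)\b", re.I)
ISO_VERSION = re.compile(r"ISO\s*27001:(2013|2022)", re.I)
CONTROL_IDS = re.compile(
    r"\b(A\.\d+\.\d+"            # ISO 27001 Annex A, e.g. A.5.15
    r"|CC\d+\.\d+"               # SOC 2 Trust Services Criteria, e.g. CC6.1
    r"|[A-Z]{2}\.[A-Z]{2}-\d+"   # NIST CSF subcategory, e.g. ID.SC-2
    r"|Article\s+\d+)\b"         # GDPR article, e.g. Article 32
)
CONTEXT = re.compile(
    r"\b(\d+-person|\d+\s+employees|startup|healthcare|fintech|SaaS|AWS|Okta|"
    r"GitHub|Jira|Google Workspace|Salesforce|Mailchimp|PostgreSQL|RDS)\b", re.I)
OUTCOME = re.compile(
    r"\b(implement(?:ation)?|generate|create|draft|review|identify|evidence|"
    r"policy|procedure|template|gap analysis|requirements|assessment)\b", re.I)


def check_prompt(prompt: str) -> dict:
    """Map each checklist item to True (present) or False (missing)."""
    has_framework = FRAMEWORKS.search(prompt) is not None
    # A version is only demanded for ISO 27001, where the page warns that
    # the 2013 and 2022 editions have different controls.
    needs_version = re.search(r"ISO\s*27001", prompt, re.I) is not None
    version_ok = not needs_version or ISO_VERSION.search(prompt) is not None
    return {
        "framework_version": has_framework and version_ok,
        "control_number": CONTROL_IDS.search(prompt) is not None,
        "org_context": CONTEXT.search(prompt) is not None,
        "desired_outcome": OUTCOME.search(prompt) is not None,
    }


def missing_items(prompt: str) -> list:
    """Checklist items the prompt fails, in the order the page lists them."""
    return [item for item, ok in check_prompt(prompt).items() if not ok]


if __name__ == "__main__":
    # Constructed sample prompts, taken from this page's own examples.
    samples = [
        "How do I secure data?",
        "How do I implement MFA for ISO 27001 A.5.17 in a 40-person "
        "healthcare startup using Google Workspace and AWS?",
        "How do I implement cryptographic controls for ISO 27001:2022 A.8.24 "
        "to protect customer data at rest in PostgreSQL and in transit via APIs?",
    ]
    for p in samples:
        print(missing_items(p) or "ready to send", "<-", p)
```

Note that the page's own MFA example fails the version check because it names ISO 27001 without `:2022`, which is exactly the "omitting versions" mistake listed below.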

Specific prompts often get complete, actionable answers in one response. Vague prompts require 3-5 back-and-forth clarifications, wasting your message quota and time.

Next Steps

Apply specificity to your next query. Notice how detailed context produces tailored, audit-ready guidance versus generic best practices.
