Break Down Complex Requests

Why Break Down Complex Queries?

Compliance projects involve layered tasks—policies require risk assessments, implementations need vendor evaluations, audits demand evidence across dozens of controls. Asking ISMS Copilot to "prepare for SOC 2 audit" in one query produces surface-level guidance across too many topics.

Sequential, focused queries yield deeper, more actionable responses. Each step builds on the previous one, letting you refine direction and catch issues early rather than discovering gaps after generating 50 pages of generic documentation.

Benefits of Sequential Queries

  • Higher quality per topic – Focused prompts get detailed, audit-ready outputs instead of abbreviated summaries

  • Easier verification – Review one control or policy at a time against standards, not entire frameworks

  • Adaptable direction – Adjust follow-ups based on intermediate findings without wasted effort

  • Better use of message quota – Free tier limits encourage efficiency; targeted queries maximize value per message

  • Context preservation – Workspaces maintain conversation history, so later queries reference earlier outputs

How to Decompose Complex Requests

1. Start with Scoping

First query: Understand the full landscape before diving into specifics.

Example complex goal: "Implement ISO 27001 for our startup"

Scoping query: "What are the key phases and controls for ISO 27001:2022 implementation in a 40-person SaaS company with a 9-month timeline?"

Result: High-level roadmap, priority controls, resource estimates. Use this to structure subsequent queries.

2. Address One Domain at a Time

Move through framework domains or Trust Services Criteria sequentially.

Example sequence for SOC 2:

  1. "What SOC 2 CC6 (logical access) controls apply to a SaaS platform using Okta and AWS?"

  2. "Generate a user access review procedure for CC6.1 with quarterly manager reviews"

  3. "What evidence demonstrates CC6.2 (authentication) compliance with MFA via Okta?"

  4. "Draft a password policy covering CC6.1 requirements for our team"

Each query produces complete, implementable output for that control before moving on.

3. Layer from High-Level to Detailed

Start broad, then drill into specifics based on initial responses.

Sequence:

  1. "What are ISO 27001 Annex A.5 organizational controls?" (overview)

  2. "Expand on A.5.1 (information security policies) requirements" (focused)

  3. "Draft an information security policy addressing A.5.1 for a healthcare SaaS with HIPAA requirements" (implementation)

  4. "What evidence do auditors expect for A.5.1 policy approval and communication?" (audit prep)

Each step deepens understanding before committing to documentation.

4. Separate Generation from Review

Don't ask for document creation and gap analysis simultaneously.

❌ Overloaded query: "Create a risk assessment for ISO 27001 and tell me what's missing from our current approach"

✅ Sequential approach:

  1. "Review our current risk assessment process [attach file] against ISO 27001 A.5.7 and identify gaps"

  2. "Create a risk assessment template addressing the identified gaps for our AWS environment"

This ensures gap analysis informs template design, not vice versa.

5. Tackle Dependencies in Order

Some compliance tasks require prerequisite outputs.

Example dependency chain:

  1. "What assets should we include in an ISO 27001 asset inventory for a SaaS platform?" (foundation)

  2. "Create an asset classification scheme for customer data, internal systems, and code repositories" (structure)

  3. "Generate a risk assessment template using the asset inventory and classifications" (builds on 1-2)

  4. "Draft risk treatment plans for high-priority risks from the assessment" (builds on 3)

Each output feeds the next, creating coherent documentation.

Use Workspaces to maintain context across multi-step workflows. ISMS Copilot remembers previous conversation turns, so later queries can reference "the risk assessment from earlier" or "the policy we just created."

Examples by Scenario

Scenario 1: First SOC 2 Audit

Complex request: "Help me prepare for SOC 2 Type I audit in 6 months"

Broken down:

  1. "What are the SOC 2 Trust Services Criteria for Security and Availability, and which apply to a B2B SaaS platform?"

  2. "Create a SOC 2 readiness checklist for a 50-person company with 6 months until audit"

  3. "Generate an information security policy covering CC1.1-1.5 (governance and risk)"

  4. "What vendor risk assessment process satisfies CC9.2 for our SaaS dependencies (AWS, Stripe, SendGrid)?"

  5. "Draft an incident response plan for CC7.3 with roles, escalation, and communication procedures"

  6. "What evidence collection should we start now for CC6.1 (access reviews) given quarterly review cycles?"

Six focused queries beat one overwhelming request.

Scenario 2: ISO 27001 Gap Remediation

Complex request: "Fix our ISO 27001 audit findings across access control, change management, and logging"

Broken down:

  1. "Our auditor flagged inadequate access reviews for ISO 27001 A.5.18. Design a quarterly access review process for Okta, AWS IAM, and GitHub"

  2. "Create a change management procedure for A.8.32 covering our GitHub + AWS CodePipeline CI/CD workflow with approval gates"

  3. "What logging configuration satisfies ISO 27001 A.8.15 for AWS CloudTrail, application logs in Datadog, and Okta system logs?"

  4. "Generate evidence collection procedures for the new access review, change management, and logging controls"

This sequence addresses each finding thoroughly, with implementation details for the specific tooling involved.

Scenario 3: Multi-Framework Alignment

Complex request: "Map ISO 27001 and SOC 2 controls to reduce duplication"

Broken down:

  1. "What SOC 2 controls overlap with ISO 27001:2022 Annex A.5 (organizational controls)?"

  2. "Create a single access control policy satisfying both ISO 27001 A.5.15-5.18 and SOC 2 CC6.1-6.3"

  3. "How can one incident response procedure cover ISO 27001 A.5.24 and SOC 2 CC7.3-7.5 requirements?"

  4. "Design a unified evidence collection process for overlapping controls in both frameworks"

This sequence identifies overlaps first, so shared documentation is built on a known mapping rather than guessed at.

Scenario 4: Document Review and Improvement

Complex request: "Review all our policies and update them for the new ISO 27001:2022 standard"

Broken down:

  1. "What changed between ISO 27001:2013 and 2022 that affects existing policies?" (understanding)

  2. "Review our information security policy [attach] against ISO 27001:2022 A.5.1 and suggest updates" (one policy)

  3. "Review our access control policy [attach] against new controls A.5.15-5.18 and identify gaps" (next policy)

  4. "Update our risk assessment methodology to include new A.5.7 requirements for cloud assets" (specific update)

Systematic review beats trying to update everything simultaneously.

Recognizing When to Break Down

Your query is too complex if it:

  • Requests outputs across 5+ controls or domains

  • Asks for both strategic guidance and implementation details

  • Combines generation, review, and gap analysis

  • Covers multiple frameworks without specifying priority

  • Includes "and" or "also" more than twice

Complex queries often produce superficial outputs that require extensive follow-up anyway. Starting with focused queries saves time and improves first-draft quality.

Maintaining Context Across Queries

Within a workspace conversation, ISMS Copilot remembers previous exchanges. Use references like:

  • "Expand on the access review process from the previous response"

  • "Apply the risk methodology we discussed to database encryption"

  • "Update the policy draft to include the evidence requirements you just listed"

This builds cohesive documentation incrementally without losing the thread of the conversation.

When Complexity Is Appropriate

Some queries benefit from bundling related elements:

  • Single control implementation – "Implement ISO 27001 A.8.24 (cryptography) covering encryption at rest, in transit, and key management for our AWS environment" (one domain, related aspects)

  • Comparative analysis – "Compare ISO 27001, SOC 2, and NIST CSF access control requirements for our SaaS platform" (intentional cross-framework view)

  • Integrated procedures – "Create a combined onboarding/offboarding procedure addressing ISO 27001 A.5.17 and SOC 2 CC6.1 with role provisioning in Okta, AWS, GitHub, and Salesforce" (naturally integrated workflow)

The distinction: bundle elements that share a natural connection; do not force unrelated tasks into one request.

Measuring Success

Effective decomposition produces:

  • Responses you can implement immediately without major edits

  • Clear understanding of each component before moving on

  • Reusable outputs (policies, templates, procedures) without gaps

  • Efficient use of message quota (quality over quantity)

If you're re-querying the same topic three times, your initial query was likely too broad or vague.

Think of ISMS Copilot conversations like pair programming: iterative, focused exchanges produce better code than trying to architect an entire system in one request. The same applies to compliance documentation.

Next Steps

Take your next complex compliance task and outline 3-5 sequential queries to address it. Notice how each focused step produces higher-quality, more actionable guidance.
