Overview
You'll find proven prompts to prepare for ISO 27001 certification and surveillance audits using ISMS Copilot, from conducting gap analyses and evidence collection to generating audit-ready documentation and handling auditor questions confidently.
Who this is for
These prompts are designed for:
Organizations preparing for their first ISO 27001 certification audit
Security teams conducting pre-audit readiness assessments
Compliance managers preparing for surveillance or recertification audits
Consultants supporting clients through the audit process
Before you begin
Audit preparation is most effective when you maintain all your ISO 27001 documentation in a dedicated workspace. Upload your policies, procedures, risk assessment, and SoA to provide context for gap analysis and readiness checks.
Timeline consideration: Begin audit preparation at least 8-12 weeks before your scheduled audit date. This allows time to address identified gaps, collect evidence, and conduct internal audits.
Gap analysis prompts
Conduct comprehensive ISO 27001 gap analysis
"Perform a comprehensive gap analysis of our current information security program against ISO 27001:2022 requirements. For each clause (4-10) and each of the 93 Annex A controls: assess our current state (Fully Implemented, Partially Implemented, Not Implemented, Not Applicable), identify specific gaps or weaknesses, evaluate evidence availability for audit, rate gap severity (Critical, High, Medium, Low), estimate effort to close gap (hours/days), recommend remediation actions, and assign priority. Present as a gap analysis report with executive summary."
Upload your existing policies, procedures, and risk assessment before running this prompt for the most accurate gap analysis based on your actual documentation.
Analyze documentation completeness
"Review our ISO 27001 documentation for completeness and audit readiness. Check: Do we have all mandatory documented information required by Clauses 4-10? Does our risk assessment meet Clause 6.1.2 requirements? Is our Statement of Applicability complete and justified? Do policies reference appropriate ISO clauses? Are procedures detailed enough to demonstrate implementation? Is version control and approval documented? Are there gaps in our document inventory? Create a documentation checklist with status and gaps."
Evaluate control implementation evidence
"For each Annex A control marked 'Implemented' in our Statement of Applicability, identify what evidence auditors will request to verify implementation. For control [control number and name]: list types of evidence needed (policies, procedures, logs, screenshots, reports, records), indicate where evidence exists (system, location, owner), flag evidence gaps requiring creation, assess evidence quality (complete, partial, weak), and recommend additional evidence to strengthen demonstration of compliance."
Assess ISMS maturity level
"Evaluate our ISMS maturity across ISO 27001 requirements using a 5-level maturity model: Level 1 (Initial/Ad-hoc), Level 2 (Managed), Level 3 (Defined), Level 4 (Quantitatively Managed), Level 5 (Optimizing). For each major area (risk management, access control, incident response, change management, business continuity, supplier management): rate current maturity with justification, identify improvement opportunities to reach next level, and recommend priority actions for audit readiness."
Evidence collection prompts
Create evidence collection checklist
"Generate a comprehensive evidence collection checklist for ISO 27001:2022 certification audit. Organize by Annex A control number, and for each control include: evidence type (document, log, screenshot, configuration, report), evidence description, responsible owner for collecting, evidence location (system/folder), collection deadline (weeks before audit), and verification status. Prioritize evidence for high-risk controls and commonly audited areas (access control, incident response, backups)."
Document control implementation
"Create an implementation evidence package for Annex A control [control number and name]. Include: written description of how we implement the control, policy and procedure references, technical implementation details (configurations, tools, workflows), evidence artifacts (log samples, screenshots, reports), control testing results, control owner and responsibilities, implementation timeline, and known limitations or exceptions with compensating controls."
Example: "Create an implementation evidence package for Annex A control A.8.5 Secure authentication. Document our Azure AD implementation with MFA, password policies, privileged access management, and service account rotation."
Prepare access control evidence
"Compile evidence demonstrating our access control program implementation for ISO 27001 controls A.5.15-A.5.18. Include: user access provisioning procedures and sample approval records, access review evidence (last 3 reviews with results), privileged access inventory and management process, authentication policy and MFA enrollment statistics, password policy configuration screenshots, account deprovisioning records for last 10 terminations, access violation incidents and remediation, and role-based access control matrix."
Document incident response capability
"Prepare an evidence package for incident response controls A.5.24-A.5.28. Include: incident response plan and procedures, incident response team structure and contact information, incident log from past 12 months (anonymized if needed), sample incident records showing response workflow, incident categorization and severity definitions, evidence of incident response testing or tabletop exercises, post-incident review reports, and security incident metrics reported to management."
Collect backup and recovery evidence
"Compile backup and recovery evidence for control A.8.13. Include: backup policy and procedures, backup schedule and scope (what systems/data), backup success/failure logs from past 30 days, backup storage locations and security measures, backup restoration test results (most recent test), recovery time and recovery point objectives by system, backup encryption verification, and backup monitoring and alerting configurations."
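The backup prompt above asks for success/failure logs over the evidence window, the recovery point objective per system and the most recent restoration test. The script below is an added example (not ISMS Copilot's own code) of how a practitioner can derive that A.8.13 evidence summary from raw backup job logs; the log line format, the RPO table and the restoration-test dates are all constructed for illustration and would be replaced with the organization's real exports.

```python
"""Turn raw backup job logs into the A.8.13 evidence summary an auditor asks for:
success/failure counts over the evidence window, the newest good backup per system
checked against its RPO, and restoration tests older than the test cycle.

Added example, not ISMS Copilot's own code. The log format, RPO targets and
restoration-test dates below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <system> <job type> <status> <duration>"
SAMPLE_LOG = """\
2024-05-01T02:00:00 fileserver-01 full SUCCESS 41m
2024-05-02T02:00:00 fileserver-01 incr SUCCESS 6m
2024-05-03T02:00:00 fileserver-01 incr FAILED 0m
2024-05-04T02:00:00 fileserver-01 incr SUCCESS 7m
2024-05-01T03:00:00 db-prod-01 full SUCCESS 95m
2024-05-02T03:00:00 db-prod-01 incr SUCCESS 12m
2024-05-03T03:00:00 db-prod-01 incr SUCCESS 11m
2024-05-04T03:00:00 db-prod-01 incr SUCCESS 13m
2024-04-28T01:00:00 hr-app-01 full SUCCESS 30m
2024-05-01T01:00:00 hr-app-01 full FAILED 0m
2024-05-02T01:00:00 hr-app-01 full FAILED 0m
"""

AS_OF = datetime(2024, 5, 4, 12, 0)  # day the evidence package is compiled (constructed)
# Constructed RPO targets in hours and last restoration-test dates per system
RPO_HOURS = {"fileserver-01": 24, "db-prod-01": 24, "hr-app-01": 48}
LAST_RESTORE_TEST = {"fileserver-01": "2024-04-15", "db-prod-01": "2024-04-20", "hr-app-01": "2023-02-14"}


def parse_log(text):
    """Parse the constructed log format into a list of job records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, job, status, duration = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "system": system,
            "job": job,
            "ok": status == "SUCCESS",
            "minutes": int(duration.rstrip("m")),
        })
    return records


def backup_stats(records, as_of=AS_OF, window_days=30):
    """Per-system job counts and success rate inside the evidence window, plus newest good backup."""
    start = as_of - timedelta(days=window_days)
    stats = {}
    for r in records:
        if not (start <= r["time"] <= as_of):
            continue  # outside the 30-day evidence window
        s = stats.setdefault(r["system"], {"total": 0, "success": 0, "failed": 0, "last_success": None})
        s["total"] += 1
        if r["ok"]:
            s["success"] += 1
            if s["last_success"] is None or r["time"] > s["last_success"]:
                s["last_success"] = r["time"]
        else:
            s["failed"] += 1
    for s in stats.values():
        s["success_rate"] = round(s["success"] / s["total"], 2)
    return stats


def rpo_breaches(stats, rpo_hours=RPO_HOURS, as_of=AS_OF):
    """Systems whose newest successful backup is older than their RPO (or that have none)."""
    breaches = []
    for system, rpo in rpo_hours.items():
        last = stats.get(system, {}).get("last_success")
        if last is None or as_of - last > timedelta(hours=rpo):
            breaches.append(system)
    return sorted(breaches)


def stale_restore_tests(last_tests=LAST_RESTORE_TEST, as_of=AS_OF, max_age_days=365):
    """Systems whose most recent restoration test is older than the test cycle."""
    return sorted(system for system, date in last_tests.items()
                  if as_of - datetime.fromisoformat(date) > timedelta(days=max_age_days))


if __name__ == "__main__":
    stats = backup_stats(parse_log(SAMPLE_LOG))
    for system, s in sorted(stats.items()):
        print(f"{system}: {s['success']}/{s['total']} successful ({s['success_rate']:.0%}), "
              f"newest good backup {s['last_success']:%Y-%m-%d %H:%M}")
    print("RPO breaches:", rpo_breaches(stats))
    print("Restoration tests older than a year:", stale_restore_tests())
```

On the constructed data the report flags hr-app-01 twice: its newest successful backup is six days old against a 48-hour RPO, and its last restoration test is more than a year old. Those are exactly the two findings an auditor would raise from the same logs, so running such a check before the audit turns them into corrective actions rather than nonconformities.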
Internal audit prompts
Develop internal audit plan
"Create an internal audit plan for ISO 27001:2022 compliance covering all clauses and applicable Annex A controls. Include: audit objectives and scope, audit schedule over 12 months (which controls/areas each quarter), audit criteria (ISO 27001:2022 requirements), auditor assignments ensuring independence, audit methodology (interviews, document review, technical testing), estimated time per audit area, and management review of audit plan. Prioritize high-risk areas and controls with weak evidence."
Generate internal audit checklist
"Create a detailed internal audit checklist for [specific area, e.g., 'access control' or 'incident management']. For each relevant ISO 27001:2022 requirement: list the specific requirement, create audit questions to assess compliance, identify documents to review, specify evidence to examine, include sample testing procedures (e.g., 'select 10 user accounts and verify access approval'), define pass/fail criteria, and provide space for findings and observations."
Example: "Create a detailed internal audit checklist for access control covering ISO 27001:2022 controls A.5.15-A.5.18. Include questions about user provisioning, access reviews, MFA, privileged access, and deprovisioning."
Document audit findings and corrective actions
"Document this internal audit finding: [describe the finding]. Create a nonconformity report including: finding description and evidence, which ISO 27001 requirement is not met, impact and risk of the nonconformity, severity classification (major, minor, observation), root cause analysis, proposed corrective action plan with specific steps, responsible owner for remediation, target completion date, and verification method. Format for presentation to management and external auditors."
Conduct mock audit preparation
"Design a mock audit scenario to prepare our team for the certification audit. Include: mock audit agenda (day 1 opening meeting, document review, interviews; day 2 technical verification, site inspection, closing meeting), sample auditor questions for each major ISMS area, documents auditors will request to review, systems they'll want to see, personnel they'll interview (roles and preparation needed), and evaluation criteria to assess our readiness based on mock audit results."
Audit response preparation prompts
Prepare for common auditor questions
"Generate a list of common questions ISO 27001 auditors ask about [specific area, e.g., 'risk assessment methodology' or 'incident response']. For each question, provide: the question auditors typically ask, what they're really assessing (underlying concern), recommended response structure, evidence to reference in answer, and red flags to avoid in responses. Cover both management review and technical implementation questions."
Create auditor interview preparation guide
"Create an interview preparation guide for personnel who will be interviewed during the ISO 27001 audit. For roles including [list roles: CISO, IT manager, developers, HR, etc.], provide: overview of what auditors will ask them about, their responsibilities in the ISMS, controls they own or operate, evidence they should be familiar with, sample questions they might receive, do's and don'ts during interviews, escalation process if they don't know an answer, and stress management tips."
Develop opening meeting presentation
"Create a presentation for the ISO 27001 audit opening meeting. Include slides covering: company overview and business context, ISMS scope and boundaries, organizational structure and security governance, overview of risk assessment approach and key findings, control implementation highlights and achievements, significant changes since last audit (if surveillance), audit logistics (schedule, participants, facilities), and questions/clarifications. Target 20-minute presentation."
Prepare closing meeting response strategy
"Develop a response strategy for the audit closing meeting where findings will be presented. Include: how to receive and document findings professionally, questions to ask for clarification of findings, how to dispute findings we disagree with (respectfully), initial corrective action planning process, timeline negotiation strategies for remediation, management commitment statements to provide, post-audit action plan template, and follow-up communication protocol with auditors."
Technical evidence preparation prompts
Prepare system configuration evidence
"Create a technical evidence package demonstrating secure configuration for [system name]. Include: hardening standard applied, configuration screenshots for security settings (authentication, encryption, logging, access control), deviation from baseline with justification, vulnerability scan results showing no critical/high findings, patch compliance report, security monitoring coverage, and change control records for security-relevant changes."
Document logging and monitoring evidence
"Compile logging and monitoring evidence for ISO 27001 controls A.8.15 and A.8.16. Include: inventory of systems with logging enabled, log types collected (authentication, access, changes, security events), log retention periods by log type, log protection measures (integrity, access control), SIEM or log analysis tool configurations, log review procedures and frequency, sample log review reports, security event alerting rules, and incident investigation examples using logs."
Prepare vulnerability management evidence
"Assemble vulnerability management evidence for control A.8.8. Include: vulnerability scanning schedule and coverage (which systems, how often), most recent vulnerability scan results with severity distribution, critical and high vulnerability remediation timelines, patch management procedures and SLAs, patch compliance dashboard or report, vulnerability exceptions with compensating controls, third-party vulnerability disclosure process, and vulnerability metrics trend over past 6 months."
Document encryption implementation
"Create an evidence package for cryptographic control A.8.24. Document: data-at-rest encryption (which systems, encryption methods, key management), data-in-transit encryption (TLS configurations, cipher suites, certificate management), encryption for backups and archives, mobile device and laptop encryption status, encryption key management procedures, cryptographic algorithm standards, encryption exceptions with risk acceptance, and encryption verification testing results."
Management system evidence prompts
Prepare management review evidence
"Compile evidence for management review meetings per ISO 27001 Clause 9.3. Include: management review meeting minutes from past 12 months, agenda covering all required inputs (audit results, risk changes, incidents, performance metrics, improvement opportunities), security metrics and KPI reports presented, management decisions and actions taken, resource allocation decisions, ISMS effectiveness evaluation, strategic security initiatives approved, and evidence of management commitment and leadership."
Document ISMS performance metrics
"Create a performance monitoring dashboard for ISMS effectiveness per Clause 9.1. Include metrics for: security incident trends (volume, severity, time-to-resolution), vulnerability management (scan frequency, remediation time, backlog), access control (provisioning time, review completion, violations), security awareness (training completion, phishing test results), backup success rates, policy compliance rates, audit finding closure rates, and risk treatment progress. Show data for past 12 months with trend analysis."
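The Clause 9.1 prompt above lists the metrics a dashboard should carry but not how they are derived from ISMS records. The script below is an added example (not ISMS Copilot's own code) that computes three of them from constructed incident and vulnerability records: mean time-to-resolution by incident severity, monthly incident volume for the trend line, and vulnerability remediation measured against a per-severity SLA table. The record layouts, the SLA days and the reporting date are assumptions for illustration.

```python
"""Compute Clause 9.1 effectiveness metrics from ISMS records: incident
time-to-resolution by severity, monthly incident trend, and vulnerability
remediation against SLA.

Added example, not ISMS Copilot's own code. The incident and vulnerability
records, the SLA table and the reporting date are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed incident records: (id, severity, opened, resolved)
INCIDENTS = [
    ("INC-001", "high",   "2024-01-03T09:00", "2024-01-03T15:30"),
    ("INC-002", "low",    "2024-01-10T11:00", "2024-01-12T11:00"),
    ("INC-003", "high",   "2024-02-02T08:00", "2024-02-02T20:00"),
    ("INC-004", "medium", "2024-02-20T14:00", "2024-02-22T14:00"),
]

# Constructed vulnerability records: (id, severity, found, remediated or None if still open)
VULNS = [
    ("VULN-001", "critical", "2024-01-05", "2024-01-12"),
    ("VULN-002", "critical", "2024-02-01", "2024-02-15"),
    ("VULN-003", "high",     "2024-02-10", None),
    ("VULN-004", "medium",   "2023-10-01", None),
    ("VULN-005", "low",      "2024-01-20", "2024-02-01"),
]

# Constructed remediation SLA in days per severity, and the reporting date
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
AS_OF = datetime(2024, 3, 1)


def incident_ttr_hours(incidents=INCIDENTS):
    """Mean time-to-resolution in hours, grouped by severity."""
    by_sev = defaultdict(list)
    for _, sev, opened, resolved in incidents:
        delta = datetime.fromisoformat(resolved) - datetime.fromisoformat(opened)
        by_sev[sev].append(delta.total_seconds() / 3600)
    return {sev: round(mean(hours), 2) for sev, hours in by_sev.items()}


def monthly_incident_counts(incidents=INCIDENTS):
    """Incident volume per month (YYYY-MM), the series behind the trend chart."""
    return dict(sorted(Counter(opened[:7] for _, _, opened, _ in incidents).items()))


def vuln_sla_report(vulns=VULNS, sla_days=SLA_DAYS, as_of=AS_OF):
    """Classify each vulnerability against its SLA and compute the closed-in-SLA rate."""
    report = {"closed_in_sla": [], "closed_late": [], "open_in_sla": [], "open_past_sla": []}
    for vid, sev, found, remediated in vulns:
        sla = timedelta(days=sla_days[sev])
        found_dt = datetime.fromisoformat(found)
        if remediated is None:
            # still open: measure age against the SLA as of the reporting date
            key = "open_past_sla" if as_of - found_dt > sla else "open_in_sla"
        else:
            key = "closed_late" if datetime.fromisoformat(remediated) - found_dt > sla else "closed_in_sla"
        report[key].append(vid)
    closed = len(report["closed_in_sla"]) + len(report["closed_late"])
    report["sla_compliance_rate"] = round(len(report["closed_in_sla"]) / closed, 2) if closed else None
    return report


if __name__ == "__main__":
    print("Mean time-to-resolution (h) by severity:", incident_ttr_hours())
    print("Incidents per month:", monthly_incident_counts())
    print("Vulnerability SLA report:", vuln_sla_report())
```

Open items are reported separately from closed ones on purpose: a remediation rate computed only over closed tickets hides a backlog, so the dashboard should show both the closed-in-SLA rate and the list of open findings already past their SLA (VULN-004 in the constructed data).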
Prepare continual improvement evidence
"Document continual improvement activities per Clause 10. Include: corrective actions from previous audits (findings and resolution), preventive actions taken to address potential issues, ISMS improvement initiatives implemented, lessons learned from security incidents, changes to risk assessment methodology or scope, policy and procedure updates and rationale, employee feedback on ISMS effectiveness, and improvement opportunities identified for next period."
Compile training and awareness evidence
"Assemble security awareness evidence for control A.6.3. Include: security awareness training program description, training curriculum and materials, training completion records and statistics, new hire security orientation process, role-based training (privileged users, developers, managers), phishing simulation results and improvement trends, security communications sent to employees, security awareness campaign materials, training effectiveness measurement, and remedial training for non-compliant staff."
Supplier and third-party evidence prompts
Prepare vendor management evidence
"Compile third-party management evidence for controls A.5.19-A.5.23. Include: supplier inventory and risk categorization, supplier security assessment process and questionnaire, security requirements in supplier contracts (sample contracts), supplier due diligence evidence (SOC 2 reports, ISO certificates, assessments), supplier access controls and monitoring, supplier performance reviews and compliance verification, supplier incident response procedures, and supplier offboarding checklist."
Document supplier security requirements
"Create a template showing how we incorporate information security requirements in supplier contracts per control A.5.20. Include: standard security clauses (data protection, access control, incident notification, audit rights, compliance, confidentiality), service level agreements for security (response times, availability, breach notification timelines), data processing agreement terms (GDPR compliance), subcontractor approval requirements, termination and data return provisions, and liability and indemnification for security failures."
Specialized audit scenarios
Prepare for remote/cloud audit considerations
"Prepare for an ISO 27001 audit of our cloud-based infrastructure on [cloud provider]. Address: how to demonstrate cloud security controls (shared responsibility model), evidence from cloud provider (SOC 2, ISO 27001, security features documentation), our configuration and management of cloud security (IAM, encryption, logging, monitoring), data location and sovereignty demonstration, cloud access controls and privileged access management, cloud-specific incident response, backup and disaster recovery in cloud, and screen-sharing or remote access for auditor review of cloud consoles."
Prepare for remote work environment audit
"Prepare evidence for an ISO 27001 audit considering our [percentage] remote workforce. Address: remote access security (VPN, zero trust, MFA), endpoint protection for remote devices (EDR, encryption, patch management), secure collaboration tools and data sharing, home network security guidance, physical security of remote work locations, remote employee training and awareness, monitoring of remote access and activities, incident response for remote workers, and equipment provisioning/deprovisioning for remote staff."
Prepare for multi-site certification
"Prepare for an ISO 27001 audit covering multiple sites/locations: [list locations]. Address: how ISMS scope covers all locations, site-specific risks and controls, consistent policy implementation across sites, local regulatory compliance considerations, centralized vs. local management responsibilities, evidence from each location, remote site audit logistics, inter-site communication and coordination, and demonstration of ISMS integration across the organization."
Post-audit prompts
Develop corrective action plan
"Create a corrective action plan for audit findings. For finding: [describe finding], include: finding details and nonconformity reference, root cause analysis (why did this gap exist?), immediate corrective action (fix the specific issue), systematic corrective action (prevent recurrence), implementation steps with timeline, responsible owner and resources required, verification method (how will we prove it's fixed?), target completion date, status tracking, and evidence to submit to auditors for closure."
Prepare finding closure evidence
"Prepare an evidence package to close audit finding [finding number]. Include: original finding description and requirement, corrective action plan that was approved, evidence of corrective action implementation (before/after comparison, updated documents, system changes), verification testing results showing the issue is resolved, preventive measures implemented to avoid recurrence, communication of changes to relevant personnel, and request for auditor verification and finding closure."
Conduct post-audit lessons learned
"Facilitate a post-audit lessons learned session. Create a discussion guide covering: what went well during the audit, what challenges we faced, how effective our preparation was, which evidence was strong vs. weak, how well the team handled auditor questions, surprises or unexpected findings, auditor feedback on our ISMS, improvements for the next audit cycle, skills or knowledge gaps identified, and action items to strengthen the ISMS before the next surveillance audit."
Audit readiness self-assessment prompts
Conduct pre-audit readiness check
"Perform a final readiness check 2 weeks before our ISO 27001 certification audit. Assess: Is all mandatory documentation complete and approved? Is evidence organized and accessible? Have internal audits been completed with findings closed? Are staff trained and prepared for interviews? Are technical systems configured correctly for demonstration? Are facilities ready for site inspection? Is the audit schedule confirmed with participants? Are backup plans in place for audit week? Rate readiness as Red/Yellow/Green with justification and identify any last-minute actions needed."
Evaluate audit preparedness by role
"Assess audit preparedness for each role participating in the audit. For roles [list roles: executive management, IT team, security team, HR, operations, etc.]: evaluate their understanding of ISMS, knowledge of their responsibilities, familiarity with relevant controls, availability during audit, readiness to answer questions, access to necessary evidence, backup coverage if unavailable, and training needs before audit. Identify any gaps requiring immediate attention."
Review audit logistics and coordination
"Create an audit week logistics plan and checklist. Include: audit schedule with timing and participants, conference room reservations and setup (projector, whiteboard, guest WiFi), lunch and break arrangements, parking and building access for auditors, welcome package and orientation materials, document repository access for auditors, technical system access or demo environments, printing and copying facilities, private space for auditor deliberation, IT support contact for technical issues, and contingency plans for common disruptions."
Tips for using these prompts effectively
Start with gap analysis: Before diving into evidence collection, use gap analysis prompts to identify where to focus your efforts. This prevents wasting time collecting evidence for areas that are already strong.
Create evidence packages by control: Organize evidence by Annex A control number, not by system or department. This matches how auditors will evaluate compliance and makes evidence retrieval faster during the audit.
Practice with mock scenarios: Use the mock audit and interview preparation prompts to conduct practice sessions with your team. This builds confidence and identifies gaps in understanding.
Don't over-prepare documentation: Auditors verify implementation, not documentation volume. Focus on clear, concise evidence that demonstrates actual control operation rather than creating extensive documentation that may not reflect reality.
Upload and iterate: Upload your existing evidence packages and ask "What's missing from this evidence for ISO 27001 control [X]?" This targeted approach identifies specific gaps rather than generic recommendations.
Related prompt libraries
Complete your ISO 27001 implementation with these related prompt collections:
ISO 27001 gap analysis prompts (coming soon)
Getting help
For support with audit preparation:
Learn audit process: Review How to prepare for ISO 27001 internal audits using AI
Prepare for certification: See How to prepare for ISO 27001 certification audit using AI
Use AI responsibly: Read How to Use ISMS Copilot Responsibly for audit preparation
Ready to prepare for your audit? Open your ISO 27001 workspace at chat.ismscopilot.com and start with the gap analysis prompts to assess your current readiness.