ISO 27001 control implementation prompts

Overview

You'll discover practical prompts for implementing ISO 27001:2022 Annex A controls using ISMS Copilot, from designing technical configurations to creating operational workflows that demonstrate effective security control implementation.

Who this is for

These prompts are designed for:

  • IT and security teams implementing Annex A controls

  • System administrators configuring security controls

  • DevOps engineers building security into infrastructure

  • Compliance professionals documenting control implementation

Before you begin

Control implementation is most effective when you've already completed your risk assessment and created your policies and procedures. These prompts help you translate requirements into actual technical and operational implementations.

Pro tip: Customize prompts with your specific technology stack (cloud provider, identity system, SIEM tool, etc.) for implementation guidance tailored to your environment rather than generic recommendations.

Organizational controls (A.5) prompts

Design information security roles (A.5.1-A.5.3)

"Design the organizational structure for information security roles per ISO 27001:2022 controls A.5.1-A.5.3. Define: information security governance structure (committees, reporting lines), role definitions and responsibilities (CISO, security team, IT team, business units), segregation of duties matrix to prevent conflicts, escalation paths for security decisions, integration with overall organizational structure, management commitment demonstration mechanisms, and resource allocation for security function. Suitable for [company size and structure]."

Implement policy management system (A.5.2)

"Design a policy management system to maintain our ISO 27001 policies per control A.5.2. Include: policy repository structure and access controls, policy lifecycle workflow (draft, review, approval, publication, retirement), version control and change tracking, policy review schedule and reminders, stakeholder consultation process, policy approval authorities by policy type, policy communication and acknowledgment tracking, policy exception management, and integration with employee onboarding."

Configure asset management (A.5.9)

"Implement an asset inventory and management system for ISO 27001 control A.5.9. Design: asset discovery methods (automated scanning, manual registration), asset attributes to track (owner, classification, location, dependencies, lifecycle status), asset ownership assignment workflow, classification labeling process, acceptable use enforcement mechanisms, integration with CMDB or IT asset management, asset lifecycle tracking (procurement to disposal), and reporting dashboards for asset oversight."

Design access control framework (A.5.15-A.5.18)

"Design a comprehensive access control framework for ISO 27001 controls A.5.15-A.5.18 using [your identity system, e.g., Azure AD, Okta]. Include: identity lifecycle management (provisioning, changes, deprovisioning), role-based access control (RBAC) model with roles mapped to job functions, access request and approval workflow, privileged access management strategy, authentication mechanisms (SSO, MFA, passwordless), authorization models (RBAC, ABAC), access review process and schedule, and technical implementation in [your directory system]."

Example: "Design a comprehensive access control framework for controls A.5.15-A.5.18 using Azure AD with conditional access. Our environment: 200 users, SaaS applications, Azure cloud infrastructure, privileged access workstations for admins."

People controls (A.6) prompts

Build security screening process (A.6.1)

"Create an employee screening and background verification process for ISO 27001 control A.6.1. Define: screening requirements by role sensitivity (standard, elevated, privileged), pre-employment checks (criminal records, employment history, education, references, credit for financial roles), screening timeline in hiring process, third-party screening vendor requirements, international candidate considerations, ongoing screening triggers (role changes, security incidents), candidate consent and privacy compliance, record retention, and integration with HR onboarding workflow."

Implement security awareness program (A.6.3)

"Design a comprehensive security awareness and training program for ISO 27001 control A.6.3. Include: baseline security awareness training (content topics, delivery method, duration, frequency), new hire security orientation checklist, role-based training tracks (developers, admins, managers, all staff), phishing simulation program (frequency, difficulty levels, remedial training triggers), security communications strategy (newsletters, alerts, campaigns), training effectiveness measurement (quizzes, surveys, incident correlation), learning management system integration, and compliance tracking and reporting."

Configure disciplinary process (A.6.4)

"Develop a disciplinary process for security policy violations per ISO 27001 control A.6.4. Define: violation categories and severity levels, investigation procedures for suspected violations, disciplinary actions by violation type (warning, suspension, termination), escalation and approval authorities, documentation requirements, employee rights and due process, integration with HR disciplinary procedures, privacy and confidentiality during investigations, and communication protocols for sensitive cases."

Physical controls (A.7) prompts

Design physical access controls (A.7.1-A.7.2)

"Design physical security controls for our facilities per ISO 27001 controls A.7.1-A.7.2. Include: security perimeter definition and physical barriers, entry points and access control mechanisms (badge readers, biometrics, mantraps), visitor management process (registration, escort, badge return), security zones and access restrictions (public, employee, restricted, server room), surveillance systems (CCTV placement, recording, retention), security staffing and patrol procedures, after-hours access procedures, and integration between physical and logical access systems."

Implement equipment security (A.7.7-A.7.8)

"Create clear desk, clear screen, and equipment security procedures for ISO 27001 controls A.7.7-A.7.8. Define: clear desk requirements (end of day, confidential material handling), clear screen policies (lock timeout, privacy screens, monitor positioning), secure storage provisions (locked cabinets, safes), equipment placement to prevent unauthorized viewing, visitor area restrictions, remote work applicability, audit and compliance checks, employee training and reminders, and enforcement mechanisms."

Design secure disposal process (A.7.10, A.7.14)

"Implement a secure disposal process for equipment and media per ISO 27001 controls A.7.10 and A.7.14. Include: media types in scope (paper, hard drives, SSDs, USB drives, mobile devices, backup tapes), disposal methods by media type (shredding, degaussing, cryptographic erasure, physical destruction), data sanitization verification procedures, certificate of destruction requirements, disposal vendor management and oversight, disposal tracking and audit logs, disposal approval workflow for sensitive systems, and environmental and regulatory compliance."

Technological controls (A.8) prompts

Configure secure authentication (A.8.5)

"Implement secure authentication controls for ISO 27001 control A.8.5 using [your identity provider]. Configure: multi-factor authentication (MFA) enrollment and enforcement by user risk level, authentication methods (authenticator apps, hardware tokens, biometrics, SMS as fallback), conditional access policies (location, device, risk level), single sign-on (SSO) for integrated applications, session management (timeout, concurrent sessions), service account authentication, API authentication and authorization, passwordless authentication options, and monitoring of authentication failures and anomalies."

Example: "Implement secure authentication for control A.8.5 using Azure AD. Configure MFA for all users, conditional access based on sign-in risk, device compliance, and location. Enable passwordless for executives using Windows Hello and FIDO2 keys."

Design privileged access management (A.8.2-A.8.3)

"Implement a privileged access management system for ISO 27001 controls A.8.2-A.8.3. Design: privileged account inventory and classification, privileged access request and approval workflow (just-in-time access), privileged access workstations (PAWs) for administrative tasks, session recording and monitoring for privileged activities, password vaulting for privileged credentials (using [PAM solution]), automatic password rotation, emergency break-glass procedures, privileged access reviews and recertification, and privileged activity audit logging."

Implement access restriction (A.8.1)

"Configure network and information access restrictions for ISO 27001 control A.8.1. Implement: network segmentation and micro-segmentation strategy, firewall rules based on least privilege, application-level access controls (authentication, authorization), data access restrictions by classification level, need-to-know enforcement mechanisms, segregation of development, testing, and production environments, remote access controls (VPN, zero trust, conditional access), and access logging and monitoring for all restricted resources."

Configure information systems security (A.8.9-A.8.11)

"Implement configuration management and hardening for ISO 27001 controls A.8.9-A.8.11. Include: security baseline configurations for [your OS/platforms], configuration management database (CMDB) maintenance, hardening standards and checklists, configuration drift detection and remediation, secure configuration templates for new systems, regular configuration audits, change control for configuration changes, configuration backup and recovery, and integration with vulnerability management to identify misconfigurations."

Design data leakage prevention (A.8.12)

"Implement data leakage prevention controls for ISO 27001 control A.8.12. Design: data classification integration (automatic labeling), DLP policies for different data types (PII, payment data, intellectual property, confidential), monitoring channels (email, web, USB, cloud apps, printing), policy actions (alert, block, encrypt, quarantine), user education for DLP alerts, DLP policy exceptions and approval workflow, incident response for DLP violations, and DLP effectiveness metrics and tuning."

Implement backup controls (A.8.13)

"Configure a backup and recovery system for ISO 27001 control A.8.13. Implement: backup scope (all critical systems and data), backup frequency by system tier (continuous, hourly, daily, weekly), backup retention policy (Grandfather-Father-Son, GFS), backup storage (onsite, offsite, cloud), backup encryption in transit and at rest, backup integrity verification, restoration testing schedule, automated backup monitoring and alerting, and disaster recovery integration with RTO/RPO objectives."

Configure logging and monitoring (A.8.15-A.8.16)

"Implement comprehensive logging and monitoring for ISO 27001 controls A.8.15-A.8.16 using [your SIEM tool]. Configure: log sources and event types to collect (authentication, access, changes, security events, errors), log centralization and aggregation in SIEM, log retention by log type and regulatory requirements, log protection (integrity, access control, encryption), real-time monitoring and alerting rules, security use cases and detection logic, log review procedures and responsibilities, incident investigation workflows, and monitoring dashboard for security operations."

Example: "Implement logging and monitoring for controls A.8.15-A.8.16 using Microsoft Sentinel. Collect logs from Azure AD, Office 365, Azure resources, on-prem AD, firewalls, and endpoints. Configure detection for brute force, privilege escalation, data exfiltration, and malware."

Design cryptographic controls (A.8.24)

"Implement cryptographic controls for ISO 27001 control A.8.24. Configure: encryption for data at rest (databases, file storage, backups) using [encryption method], encryption for data in transit (TLS 1.2+, approved cipher suites), key management system (generation, storage, rotation, destruction), encryption key escrow for recovery scenarios, digital certificates and PKI management, approved cryptographic algorithms and key lengths, cloud encryption (customer-managed keys vs. provider-managed), and cryptographic control auditing and compliance verification."

Implement vulnerability management (A.8.8)

"Design a vulnerability management program for ISO 27001 control A.8.8 using [your scanning tools]. Implement: vulnerability scanning schedule (weekly authenticated scans for critical systems, monthly for all systems), scan coverage (network, applications, containers, cloud infrastructure), vulnerability severity classification and SLAs (critical within 24 hours, high within 7 days, medium within 30 days), patch management workflow and testing, compensating controls for unpatchable systems, vulnerability disclosure handling, metrics and reporting to management, and integration with asset and change management."
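The severity SLAs named in this prompt (critical within 24 hours, high within 7 days, medium within 30 days) only produce management metrics if something actually measures findings against them. The following script is an added illustration, not ISMS Copilot output and not from any scanner vendor: it takes a constructed list of findings (the data, asset names and finding ids are made up), computes each finding's remediation deadline, keeps risk-accepted findings with a documented compensating control out of the SLA denominator while still reporting them, and returns the SLA compliance figure a management report would cite. The 90-day SLA for "low" is an assumption of this example; the page states no SLA for that severity.

```python
"""Remediation SLA tracking over a constructed vulnerability scan export."""
from datetime import date, timedelta

# SLAs as stated in the prompt: critical 24 hours, high 7 days, medium 30 days.
# "low" is not given an SLA on the page; 90 days is an assumption of this example.
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}

# Constructed sample findings (not real scan output). A risk-accepted finding must
# carry a documented compensating control, as the prompt's "compensating controls
# for unpatchable systems" item requires.
FINDINGS = [
    {"id": "F-1", "asset": "web-01", "severity": "critical",
     "first_seen": date(2024, 3, 1), "status": "open"},
    {"id": "F-2", "asset": "db-01", "severity": "high",
     "first_seen": date(2024, 3, 1), "status": "open"},
    {"id": "F-3", "asset": "app-02", "severity": "medium",
     "first_seen": date(2024, 2, 1), "status": "open"},
    {"id": "F-4", "asset": "legacy-01", "severity": "high",
     "first_seen": date(2024, 1, 1), "status": "risk_accepted",
     "compensating_control": "network-isolated; vendor patch unavailable"},
    {"id": "F-5", "asset": "web-02", "severity": "critical",
     "first_seen": date(2024, 3, 1), "status": "closed", "closed": date(2024, 3, 1)},
]


def due_date(finding):
    """Remediation deadline derived from first detection and the severity SLA."""
    return finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])


def evaluate(findings, today):
    """Classify findings against their SLA as of `today`.

    Returns (breached, within_sla, exempt, metrics):
      breached   - open past the deadline, or closed after it
      within_sla - open before the deadline, or closed on time
      exempt     - risk-accepted with a compensating control; reported, not measured
    """
    breached, within_sla, exempt = [], [], []
    for f in findings:
        if f["status"] == "risk_accepted":
            if not f.get("compensating_control"):
                raise ValueError(f"{f['id']}: risk acceptance without compensating control")
            exempt.append(f["id"])
            continue
        deadline = due_date(f)
        if f["status"] == "closed":
            (within_sla if f["closed"] <= deadline else breached).append(f["id"])
        elif today > deadline:
            breached.append(f["id"])
        else:
            within_sla.append(f["id"])
    measured = len(breached) + len(within_sla)
    metrics = {
        "sla_compliance_pct": round(100.0 * len(within_sla) / measured, 1) if measured else 100.0,
        "breached": len(breached),
        "exempt": len(exempt),
    }
    return breached, within_sla, exempt, metrics


if __name__ == "__main__":
    breached, within_sla, exempt, metrics = evaluate(FINDINGS, date(2024, 3, 5))
    print("breached:", breached)
    print("within SLA:", within_sla)
    print("exempt (compensating control):", exempt)
    print("metrics:", metrics)
```

Run as-is it reports F-1 (critical, past its 24-hour deadline) and F-3 (medium, past 30 days) as breached, F-2 and the on-time closure F-5 as within SLA, and F-4 as exempt; the 50% compliance figure is what the "metrics and reporting to management" item in the prompt would surface, with exempt findings listed separately so that risk acceptances stay visible rather than quietly improving the number.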

Configure secure development (A.8.25-A.8.31)

"Implement a secure development lifecycle for ISO 27001 controls A.8.25-A.8.31. Design: security requirements in development process, threat modeling for new features, secure coding standards for [your programming languages], code review process with security focus, static application security testing (SAST) in CI/CD pipeline, dynamic testing (DAST) before deployment, dependency and third-party library scanning, security testing in QA phase, development/test data management (data masking, synthetic data), and production deployment security checks."

Design change management (A.8.32)

"Implement a change management system for ISO 27001 control A.8.32 using [your change management tool]. Configure: change request process and approvals, change categorization (standard, normal, emergency), risk assessment for changes, change advisory board (CAB) process, testing requirements before implementation, implementation windows and blackout periods, rollback procedures and criteria, post-implementation review, emergency change process with retroactive approval, and change analytics and metrics (success rate, incidents caused by changes)."

Incident management implementation prompts

Build incident response capability (A.5.24-A.5.28)

"Implement a security incident response program for ISO 27001 controls A.5.24-A.5.28. Design: incident detection sources (SIEM, EDR, user reports, threat intelligence), incident classification and severity levels, incident response team structure and on-call rotation, incident response playbooks by incident type (ransomware, data breach, DDoS, insider threat), evidence collection and forensic procedures, communication plan (internal escalation, customer notification, regulatory reporting), incident tracking and case management system, post-incident review and lessons learned process, and tabletop exercises and IR testing."

Configure security event detection (A.8.16)

"Design security event detection and response using [your SIEM/EDR tools]. Implement: security use cases and detection rules (authentication anomalies, lateral movement, data exfiltration, privilege escalation, malware execution), threat intelligence integration, behavioral analytics and machine learning for anomaly detection, alert tuning and false positive reduction, alert triage and investigation workflow, automated response actions (account disable, quarantine, block IP), SOC playbooks for common scenarios, and MTTR (mean time to respond) tracking and improvement."
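Both the logging and monitoring prompt (A.8.15-A.8.16, with its example of configuring brute-force detection in Microsoft Sentinel) and the event detection prompt above ask for "detection rules" and "authentication anomalies" without showing what such a rule looks like. The script below is an added illustration, not ISMS Copilot output and not a rule from Sentinel or any other SIEM: it runs a sliding-window brute-force rule over constructed authentication log lines (the timestamps, user names and addresses are made up, and the line format is an assumption of this example) and raises a second, higher-priority alert when a source that tripped the rule later signs in successfully, which is the case a SOC playbook would want triaged first.

```python
"""Sliding-window brute-force detection over constructed authentication log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format, one event per line:
#   <ISO-8601 UTC timestamp> <FAIL|SUCCESS> <user> <source IP>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL alice 203.0.113.10
2024-03-01T09:00:04Z FAIL alice 203.0.113.10
2024-03-01T09:00:07Z FAIL bob 203.0.113.10
2024-03-01T09:00:09Z FAIL carol 203.0.113.10
2024-03-01T09:00:12Z FAIL dave 203.0.113.10
2024-03-01T09:00:15Z SUCCESS dave 203.0.113.10
2024-03-01T09:30:00Z FAIL erin 198.51.100.7
2024-03-01T10:45:00Z FAIL erin 198.51.100.7
2024-03-01T10:45:20Z SUCCESS erin 198.51.100.7
"""

FAILURE_THRESHOLD = 5           # failures from one source inside the window
WINDOW = timedelta(minutes=5)   # sliding window length; tune to reduce false positives


def parse_line(line):
    """Split one log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src


def detect_brute_force(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts in the order they fire.

    'brute_force'         : at least `threshold` failures from one source within `window`;
                            raised once per source, listing the user names targeted
                            (several users from one source indicates password spraying).
    'success_after_spray' : a later successful sign-in from a flagged source, which is the
                            event that should be escalated for account containment.
    """
    failures = defaultdict(deque)   # source -> deque of (timestamp, user) inside the window
    flagged = {}                    # source -> users targeted when the rule fired
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, src = parse_line(raw)
        recent = failures[src]
        while recent and recent[0][0] < ts - window:   # drop events that aged out
            recent.popleft()
        if result == "FAIL":
            recent.append((ts, user))
            if len(recent) >= threshold and src not in flagged:
                users = sorted({u for _, u in recent})
                flagged[src] = users
                alerts.append({"type": "brute_force", "source": src, "users": users,
                               "failures": len(recent), "time": ts})
        elif result == "SUCCESS" and src in flagged:
            alerts.append({"type": "success_after_spray", "source": src,
                           "user": user, "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

On the sample log the first source produces a brute_force alert naming four targeted users and then a success_after_spray alert for dave; the second source, with two failures more than an hour apart and a normal sign-in, produces nothing. Keeping the window and threshold as parameters is what makes the "alert tuning and false positive reduction" item in the prompt a configuration change rather than a rewrite, and the per-source deduplication keeps one spraying host from flooding the triage queue.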

Business continuity implementation prompts

Design business continuity program (A.5.29-A.5.30)

"Implement a business continuity and disaster recovery program for ISO 27001 controls A.5.29-A.5.30. Create: business impact analysis (BIA) to identify critical functions, recovery time objectives (RTO) and recovery point objectives (RPO) by business function, continuity strategies (redundancy, failover, workarounds, manual processes), alternate processing sites or cloud DR, communication plans during disruptions, BC team roles and responsibilities, BC plan testing schedule (tabletop annually, full test every 2 years), plan maintenance triggers, and integration with incident response and crisis management."

Implement ICT continuity (A.8.14)

"Design ICT continuity and redundancy for ISO 27001 control A.8.14. Implement: system redundancy and high availability for critical systems, automated failover mechanisms, data replication (synchronous for critical, asynchronous for others), disaster recovery site or cloud region, RTO and RPO verification through testing, failback procedures once the primary site is recovered, supplier redundancy for critical services, and integration with backup restoration processes from control A.8.13."

Supplier management implementation prompts

Design supplier security program (A.5.19-A.5.23)

"Implement a third-party security management program for ISO 27001 controls A.5.19-A.5.23. Create: supplier risk classification (high/medium/low based on data access and criticality), supplier security assessment process and questionnaire, security requirements in procurement process, contractual security requirements (security controls, audit rights, incident notification, compliance obligations), supplier onboarding security verification, ongoing supplier monitoring and performance reviews, supplier access management and restrictions, supplier incident response coordination, and supplier offboarding and data return procedures."

Configure cloud service security (A.5.23)

"Implement cloud service security controls per ISO 27001 control A.5.23 for [your cloud providers]. Address: shared responsibility model understanding and documentation, cloud provider security verification (SOC 2, ISO 27001, FedRAMP), cloud-specific security configurations (IAM, encryption, network, logging), data sovereignty and residency requirements, cloud security posture management (CSPM) tools, cloud access security broker (CASB) if using multiple SaaS, multi-cloud security consistency, and cloud provider incident response coordination."

Implement privacy controls (A.5.33-A.5.34)

"Design a privacy protection program for ISO 27001 controls A.5.33-A.5.34 and GDPR compliance. Implement: data subject rights fulfillment process (access, rectification, erasure, portability), privacy by design in new projects and systems, privacy impact assessment (PIA) triggers and process, consent management for marketing and optional processing, data processing records and inventory, data retention and deletion automation, cross-border transfer mechanisms (SCCs, adequacy decisions), and data protection officer (DPO) or privacy team responsibilities."

Design compliance management (A.5.31)

"Implement a compliance management system for ISO 27001 control A.5.31. Create: compliance obligation inventory (legal, regulatory, contractual requirements), compliance monitoring and control mapping, compliance assessment schedule, regulatory change monitoring process, compliance training for relevant staff, compliance reporting to management and board, compliance risk assessment, external compliance verification (audits, assessments), and records retention for compliance evidence per [applicable regulations]."

Testing and verification prompts

Design control effectiveness testing

"Create a control testing and validation program to verify Annex A control effectiveness. For control [control number], design: testing objectives and scope, testing methodology (document review, observation, technical testing, re-performance), sampling approach and sample size, testing frequency (continuous monitoring, quarterly, annually), expected evidence and pass/fail criteria, testing tools and automation, tester independence requirements, deficiency reporting and remediation, and testing documentation for audit evidence."

Conduct control walkthrough

"Create a control walkthrough document for Annex A control [control number and name]. Include: control description and objective, policy and procedure references, step-by-step process flow (narrative and diagram), roles and responsibilities at each step, systems and tools involved, inputs and outputs, control points and verifications, exceptions and escalations, and evidence generated by the control. Use this to train staff and demonstrate to auditors."

Integration and automation prompts

Automate control implementation

"Design automation for ISO 27001 control [control number] using [your automation tools, e.g., PowerShell, Terraform, Ansible]. Create: automation objectives and scope, technical implementation approach, automation scripts or infrastructure-as-code, testing and validation of automation, error handling and rollback, scheduling and orchestration, logging and audit trail of automated actions, manual intervention points, and documentation for automation maintenance and troubleshooting."

Integrate security tools

"Design an integration strategy for security tools supporting ISO 27001 controls. Integrate: identity provider (AD/Azure AD/Okta), SIEM (Splunk/Sentinel/Chronicle), EDR (CrowdStrike/Defender/SentinelOne), vulnerability scanner (Qualys/Rapid7/Tenable), PAM solution, DLP tool, CASB, and ticketing system. For each integration: define data flows, API configurations, alert workflows, automation opportunities, and unified dashboard reporting."

Tips for using these prompts effectively

Specify your tech stack: Always include your actual tools and platforms in prompts (e.g., "using Azure AD and Intune" vs. generic "using an identity provider"). This produces actionable, specific implementation guidance rather than generic theory.

Start with architecture: Before implementing individual controls, ask for overall architecture design: "Design our security architecture to support ISO 27001 controls for [your environment]." This ensures controls integrate cohesively.

Request implementation phases: For complex controls, ask for phased implementation: "Create a 6-month implementation plan for controls A.8.15-A.8.16 from our current state [describe] to full compliance." This makes large projects manageable.

Validate technical configurations: AI-generated configurations should be reviewed by technical experts and tested in non-production environments before deploying to production systems. Security misconfigurations can create vulnerabilities.

Document as you implement: After implementing a control, ask: "Create implementation documentation for what we just configured including architecture, configuration details, operation procedures, and troubleshooting guide." This captures institutional knowledge.


Getting help


Ready to implement controls? Open your ISO 27001 workspace at chat.ismscopilot.com and use these prompts to start implementing the controls identified in your risk assessment.
