ISO 27001 documentation and reporting prompts

Overview

You'll access comprehensive prompts for creating ISO 27001 documentation and management reports using ISMS Copilot, from mandatory ISMS documentation to executive dashboards that demonstrate security program effectiveness.

Who this is for

These prompts are designed for:

  • Compliance teams building ISO 27001 documentation libraries

  • Security managers creating executive reports and dashboards

  • Consultants developing client documentation packages

  • Organizations preparing evidence for management review meetings

Before you begin

Documentation development is most effective when you maintain context in a dedicated ISO 27001 workspace. Upload your risk assessment, policies, and implementation details to generate documentation that accurately reflects your actual ISMS.

Pro tip: ISO 27001:2022 requires specific documented information. Use these prompts to ensure you create all mandatory documentation while avoiding unnecessary documentation that adds overhead without value.

Mandatory ISMS documentation prompts

Create ISMS scope statement (Clause 4.3)

"Write an ISMS scope statement for ISO 27001:2022 Clause 4.3. Include: scope boundaries (business units, locations, systems, processes included), specific exclusions with justification, interfaces and dependencies with excluded areas, rationale for scope definition aligned to business, external and internal issues considered (from context analysis), interested parties and their requirements addressed, and scope applicability to physical and cloud infrastructure. Ensure scope is specific, measurable, and auditable for [organization description]."

Example: "Write an ISMS scope statement for a fintech company with 150 employees across EU and US offices. Scope includes: customer-facing payment platform, internal systems, cloud infrastructure (AWS), but excludes physical product development and retail partnerships."

Document context and interested parties (Clause 4.1-4.2)

"Create ISMS context documentation for ISO 27001:2022 Clauses 4.1-4.2. Document: external issues affecting information security (regulatory landscape, competitive threats, technology trends, supply chain risks), internal issues (business strategy, organizational culture, resource constraints, legacy systems), interested parties (customers, regulators, employees, suppliers, partners, shareholders), interested party requirements (security expectations, compliance obligations, contractual commitments), and how ISMS scope addresses these contexts. Present as context analysis report."

Define roles and responsibilities (Clause 5.3)

"Document organizational roles and responsibilities for the ISMS per ISO 27001:2022 Clause 5.3. Create: ISMS governance structure (reporting lines, committees), role definitions with security responsibilities (executive management, CISO/security team, IT operations, HR, legal, business units, all employees), authority and accountability for each role, RACI matrix for key ISMS activities (risk assessment, control implementation, incident response, audits, management review), and integration with overall organizational structure. Ensure management accountability is clear."

Document risk assessment methodology (Clause 6.1.2)

"Create risk assessment methodology documentation for ISO 27001:2022 Clause 6.1.2. Include: risk assessment approach and principles, asset identification methodology, threat and vulnerability analysis approach, risk criteria (likelihood scale with definitions, impact scale across multiple dimensions, risk evaluation matrix and acceptance thresholds), risk calculation methodology (formula, qualitative vs quantitative), risk assessment frequency and triggers, roles and responsibilities, and how methodology ensures consistent, repeatable, and comparable results. Ensure methodology is documented before conducting actual risk assessment."

Create Statement of Applicability (Clause 6.1.3d)

"Generate Statement of Applicability (SoA) for ISO 27001:2022 covering all 93 Annex A controls. For each control: control number and title, applicability status (Applicable, Not Applicable, Partially Applicable), justification based on risk assessment (reference specific risk IDs), implementation status and approach, responsible owner, evidence available for audit verification, and exclusion justification for non-applicable controls. Organize by Annex A themes (Organizational, People, Physical, Technological). Ensure every control decision is clearly justified."

Document security objectives (Clause 6.2)

"Define and document information security objectives for ISO 27001:2022 Clause 6.2. For each objective: specific security outcome to achieve, alignment to business goals and risk treatment, measurable criteria and target values (KPIs), resources required, responsible owner, timeline for achievement, monitoring and measurement approach, and reporting frequency. Ensure objectives are SMART (Specific, Measurable, Achievable, Relevant, Time-bound) and address key risk areas identified in risk assessment."

Management system documentation prompts

Create ISMS manual or overview

"Write an ISMS Manual providing overview of our information security management system. Include: purpose and scope of ISMS, organizational context and interested parties, ISMS governance structure, scope statement, information security policy, risk management approach, control framework overview, documentation structure and references, roles and responsibilities, and ISMS lifecycle (Plan-Do-Check-Act). Target audience: management, auditors, and stakeholders needing ISMS overview. Length: 10-15 pages."

Design document control system (Clause 7.5)

"Create document and records control procedure for ISO 27001:2022 Clause 7.5. Define: document categories and classification, document lifecycle (creation, review, approval, distribution, revision, archival, disposal), version control and change tracking, document approval authorities by document type, document distribution and access controls, review schedules and triggers, records retention periods by record type, records storage and protection, and document management system or repository. Ensure controlled documents are identifiable and protected from unauthorized changes."

Build competence and awareness records (Clause 7.2-7.3)

"Create documentation system for competence and awareness per ISO 27001:2022 Clauses 7.2-7.3. Document: job role competence requirements (education, experience, skills, training), competence assessment and verification records, training plans and curricula, training completion records, security awareness program evidence, awareness effectiveness measurement, competence gaps and development plans, and contractor/third-party competence verification. Ensure you can demonstrate appropriate competence for all ISMS roles."

Operational documentation prompts

Create operational planning documents (Clause 8.1)

"Develop operational planning and control documentation for ISO 27001:2022 Clause 8.1. Create: ISMS implementation project plan (phases, milestones, resources), control implementation roadmap, risk treatment plan with timelines and owners, resource allocation (budget, headcount, tools), integration with business processes, performance criteria and acceptance, and change management approach for ISMS deployment. Ensure plans address how to achieve security objectives and implement risk treatment."

Document control implementation

"Create standardized control implementation documentation template. For each implemented Annex A control, document: control objective and requirement, implementation approach (how we meet the requirement), technical and operational details, systems and tools involved, roles and responsibilities, operational procedures, monitoring and measurement, evidence artifacts, implementation date, and known limitations or deviations with compensating controls. Use this template to document all 93 Annex A controls consistently."

Build runbook library

"Create operational runbooks for security operations covering ISO 27001 controls. For process [e.g., 'user access provisioning', 'incident response', 'backup restoration'], include: process overview and trigger, step-by-step instructions with decision points, roles and responsibilities, tools and system access required, expected timeframes and SLAs, quality checks and verification, escalation procedures, troubleshooting guide, related processes and handoffs, and documentation/records to maintain. Format for operational teams to execute consistently."

Risk management documentation prompts

Create risk register

"Generate comprehensive risk register for ISO 27001:2022. Include columns for: Risk ID, Asset Affected, Asset Owner, Threat Description, Vulnerability, Existing Controls, Likelihood (1-5 with justification), Impact (1-5 with justification), Inherent Risk Score, Treatment Option (mitigate/avoid/transfer/accept), Selected Controls (Annex A references), Implementation Status, Residual Risk Score, Risk Owner, Review Date, and Approval Status. Populate with risks identified in our risk assessment for [organization/scope]. Include summary statistics and high-risk highlights."

Document risk treatment plan

"Create risk treatment plan documenting how we will address identified risks per ISO 27001:2022 Clause 6.1.3. For each risk requiring treatment: risk description and current score, treatment option selected with rationale, specific controls to implement (reference Annex A controls), implementation approach and milestones, responsible owner and resources required, target completion date, expected residual risk, success criteria, and approval signatures. Organize by priority with critical and high risks first. Include executive summary of treatment strategy and resource requirements."

Build risk acceptance register

"Create risk acceptance register for risks we choose to accept rather than treat. For each accepted risk: risk description and score, business justification for acceptance (why treatment is not pursued), confirmation risk is within risk appetite threshold, compensating controls or monitoring in place, conditions that would trigger reassessment, acceptance approval (which executives approved and when), acceptance validity period (when to review), and potential consequences accepted. Ensure all acceptances have appropriate management authorization."

Performance and monitoring documentation prompts

Define ISMS performance metrics (Clause 9.1)

"Design ISMS monitoring and measurement framework for ISO 27001:2022 Clause 9.1. Define: what to measure (security objectives, control effectiveness, process performance), how to measure (metrics, KPIs, measurement methods), when to measure (frequency, timing), who measures (responsible roles), how to analyze (trending, thresholds, benchmarks), how to report (dashboards, reports, management review), and corrective action triggers. Create metrics library covering: risk trends, incident metrics, vulnerability management, access control, backup success, training completion, audit findings, and control effectiveness."

Create KPI dashboard

"Design security KPI dashboard for executive reporting. Include metrics categories: Security Posture (risk score trends, control implementation status, audit findings), Operational Performance (incident response time, vulnerability remediation time, backup success rate, patch compliance), Compliance Status (training completion, policy acknowledgment, access reviews completed), Threat Management (security events, threat detections, blocked attacks), and Business Impact (security incidents causing downtime, data breach risk, regulatory compliance status). For each metric: current value, target, trend, and status indicator (red/yellow/green)."

Document internal audit program (Clause 9.2)

"Create internal audit program documentation for ISO 27001:2022 Clause 9.2. Include: audit objectives and scope (all ISMS areas over audit cycle), annual audit schedule, audit criteria (ISO 27001:2022 requirements), auditor selection and independence requirements, audit methodology (interviews, document review, technical testing, sampling), audit planning process, audit execution procedures, nonconformity grading (major, minor, observation), audit reporting format and distribution, corrective action tracking, follow-up audit procedures, and auditor competence requirements."

Create audit report template

"Design internal audit report template for ISO 27001 compliance audits. Include sections for: executive summary (overall assessment, key findings, conclusion), audit details (scope, criteria, date, auditors, auditees), audit methodology, areas reviewed with findings, conformities and good practices observed, nonconformities by severity with evidence, observations and recommendations, corrective action requirements, conclusion and opinion on ISMS effectiveness, and distribution list. Ensure reports clearly communicate compliance status and required actions."

Management review documentation prompts

Create management review agenda (Clause 9.3)

"Design management review meeting agenda for ISO 27001:2022 Clause 9.3 covering all required inputs and outputs. Agenda items: previous management review actions status, changes in external and internal issues, feedback on ISMS performance (metrics, KPIs), information security objectives achievement, risk assessment and treatment results, audit results (internal and external), nonconformities and corrective actions, monitoring and measurement results, interested party feedback, improvement opportunities, adequacy of resources, and changes needed to ISMS. Allocate time for each item and specify required presenters and materials."

Prepare management review pack

"Create management review presentation pack for [quarter/period]. Include: executive summary of ISMS status, security metrics dashboard (past 12 months trends), key achievements and successes, internal audit summary and findings status, external audit results (if applicable), risk assessment changes (new risks, risk score changes), security incidents summary and lessons learned, control implementation status, security objectives progress, compliance status (regulatory, contractual), resource needs and budget, improvement initiatives proposed, and decisions required from management. Target 30-45 minute presentation."

Document management review outcomes

"Create management review meeting minutes documenting outcomes per ISO 27001:2022 Clause 9.3. Record: meeting date and attendees, agenda items reviewed, key discussions and concerns raised, management decisions on ISMS improvement, decisions on adequacy of resources, decisions on changes to security objectives, decisions on changes to ISMS scope or policy, opportunities for improvement approved, action items assigned with owners and deadlines, and approval signatures. Ensure minutes demonstrate management commitment and continual improvement."

Incident and problem documentation prompts

Create incident record template

"Design security incident record template for ISO 27001:2022 control A.5.24-A.5.28. Include fields for: incident ID and classification, detection date/time and source, incident description and affected systems/data, severity level and impact assessment, incident response team and roles, containment actions taken, eradication steps, recovery actions, evidence collected, root cause analysis, lessons learned, preventive measures, communication log (who was notified when), regulatory reporting (if required), incident closure date and approval, and post-incident review completion. Ensure template supports compliance with breach notification requirements."

Build problem management log

"Create problem management register to track recurring issues and systemic weaknesses. For each problem: problem ID and description, related incidents (incident IDs), root cause analysis, affected systems and processes, workarounds or temporary solutions, proposed permanent fix, priority and impact, owner and status, target resolution date, and verification approach. Use problem management to identify patterns requiring systemic improvements rather than repeatedly fixing symptoms."

Change and release documentation prompts

Document change control records

"Create change record template for ISO 27001:2022 control A.8.32. Include: change ID and requestor, change description and justification, systems affected, change category (standard, normal, emergency), risk assessment (impact, likelihood, mitigation), approval workflow and approvers, implementation plan and schedule, testing requirements, rollback plan, implementation results, post-implementation review, and related changes or dependencies. Ensure change records provide audit trail of all ISMS-affecting changes."

Build release documentation

"Create release documentation package for significant system changes. Include: release overview and objectives, features and changes included, security implications assessment, testing performed (functional, security, performance), deployment plan and timeline, rollback procedures, known issues and limitations, user communication and training, support plan, and success criteria. Ensure security testing and approval before production release."

Create compliance obligations register

"Build compliance obligations inventory for ISO 27001:2022 control A.5.31. Document: legal requirements (data protection laws, breach notification, sector regulations), regulatory requirements (GDPR, HIPAA, PCI DSS, SOX), contractual obligations (customer security requirements, SLAs), and organizational commitments (certifications, public statements). For each obligation: description and source, applicability (which systems/processes), responsible owner, compliance verification method, evidence of compliance, last assessment date and result, and next review date. Ensure comprehensive coverage of all obligations."

Document data processing activities (GDPR Article 30)

"Create Record of Processing Activities (RoPA) per GDPR Article 30 and ISO 27001:2022 control A.5.33. For each processing activity: processing purpose, data categories processed (personal data types), data subject categories, recipients or categories of recipients, international transfers (mechanism, countries), retention periods, technical and organizational security measures, and processing legal basis. Maintain updated RoPA as required documentation demonstrating GDPR compliance and privacy by design."

Build data breach register

"Create data breach register for GDPR compliance and ISO 27001:2022 control A.5.26. For each breach or suspected breach: breach ID and discovery date, breach description and affected data, number of data subjects affected, breach assessment (reportable to authority? notify data subjects?), notification timeline (to authority within 72 hours, to individuals without undue delay), notifications sent and dates, breach response actions, root cause, preventive measures, supervisory authority case number, and breach record retention (minimum 3 years under GDPR). Even non-reportable breaches should be documented."

Supplier and contract documentation prompts

Create supplier inventory

"Build supplier and third-party inventory for ISO 27001:2022 controls A.5.19-A.5.23. For each supplier: supplier name and contact, services provided, data access level (none, limited, extensive), system access provided, risk classification (high/medium/low), contract details (start date, renewal date, terms), security assessment date and results, certifications held (ISO 27001, SOC 2), insurance coverage, last review date, compliance status, and escalation contacts. Maintain current inventory for third-party risk management."

Document supplier assessments

"Create supplier security assessment documentation. For supplier [name], document: assessment date and methodology, questionnaire responses, evidence reviewed (policies, SOC 2 report, ISO certificate, penetration test results), security control evaluation by category (access control, encryption, incident response, business continuity), identified risks and gaps, required remediation actions, compensating controls if gaps accepted, overall risk rating, assessment conclusion (approve/approve with conditions/reject), approval signatures, and next assessment date. Retain for audit evidence."

Training and awareness documentation prompts

Create training curriculum

"Design security awareness training curriculum for ISO 27001:2022 control A.6.3. Include: baseline security awareness training (topics: password security, phishing, social engineering, acceptable use, incident reporting, physical security, data classification, remote work security), role-based training tracks (developers: secure coding; admins: privileged access; managers: security leadership; all staff: awareness), training delivery methods (e-learning, instructor-led, videos), training duration and frequency, assessment methods (quizzes, certifications), and training effectiveness measurement."

Build training records system

"Create training records management system. Track for each employee: employee ID and name, job role, required training (based on role), training completed (course name, date, score), training status (current, overdue, upcoming), certification expiration dates, remedial training assignments (for failed phishing tests, policy violations), and training acknowledgments. Generate reports for: training compliance by department, overdue training, upcoming renewals, and effectiveness metrics (pre/post test scores, phishing resilience)."

Executive reporting and communication prompts

Create monthly security report

"Design monthly security report for executive leadership. Include sections: executive summary (month highlights, key concerns, actions needed), security metrics dashboard (incidents, vulnerabilities, compliance), risk updates (new risks, risk score changes, risk treatment progress), security incidents and response, threat intelligence highlights, control implementation status, compliance status (certifications, audits, regulatory), security initiatives and projects, budget and resource status, and upcoming focus areas. Keep to 3-5 pages with visualizations."

Generate board-level security briefing

"Create quarterly security briefing for board of directors. Include: cyber risk landscape for our industry, organizational security posture assessment, key security investments and ROI, major incidents and lessons learned, compliance and regulatory status, third-party and supply chain risks, security strategy and roadmap, resource requirements and budget, emerging threats and preparedness, and strategic recommendations requiring board input or approval. Focus on business risk and strategic decisions, minimize technical jargon. Target 15-20 minute presentation."

Design stakeholder communication

"Create security communication plan for different stakeholder groups. For stakeholders (executive leadership, employees, customers, partners, regulators), define: communication objectives, key messages, communication frequency, communication channels, information to share vs. withhold, escalation triggers for urgent communications, and communication templates (security newsletters, incident notifications, policy updates, awareness campaigns). Ensure consistent, appropriate messaging to each audience."

Continuous improvement documentation prompts

Create improvement register (Clause 10)

"Build continual improvement register for ISO 27001:2022 Clause 10. Track: improvement opportunity description and source (audit finding, incident lesson, risk assessment, employee feedback, metric analysis), business case and expected benefits, priority and effort estimate, assigned owner, implementation plan, status, completion date, effectiveness verification, and lessons learned. Use register to demonstrate systematic approach to ISMS improvement and track from identification through implementation and verification."

Document corrective action process

"Create corrective action procedure and tracking system for ISO 27001:2022 Clause 10.1. For each nonconformity: nonconformity description and evidence, source (audit, incident, review), ISO requirement not met, impact and risk, root cause analysis (5 whys, fishbone), immediate correction (fix the symptom), corrective action (address root cause), implementation plan and owner, target completion date, effectiveness verification method, status tracking, and closure approval. Ensure corrective actions prevent recurrence, not just fix symptoms."

Tips for using these prompts effectively

Document what you do, do what you document: Ensure documentation reflects actual practices. Auditors verify implementation matches documentation. Document reality first, then improve and update documentation to match.

Create templates, not individual documents: Use prompts to create reusable templates (risk record, incident record, audit report), then populate templates with actual data. This ensures consistency and saves time.

Build documentation gradually: Don't try to create all documentation at once. Start with mandatory items (scope, risk assessment, SoA), then expand to operational documentation as controls are implemented.

Avoid documentation overload: ISO 27001:2022 requires less mandatory documentation than the 2013 edition. Focus on what's mandatory and what's necessary for control operation. Excess documentation creates maintenance burden without compliance value.

Version and approve appropriately: Not all documents need formal approval. Scope, policies, SoA require management approval. Operational procedures may require technical owner approval. Templates and forms may not need approval at all.

Getting help

Ready to build your documentation? Open your ISO 27001 workspace at chat.ismscopilot.com and start with mandatory documentation using the prompts above.
