Overview
This page collects ready-to-use prompts for drafting audit-ready ISO 27001 policies and procedures with ISMS Copilot, from high-level security policies down to the operational procedures that evidence Annex A control implementation.
Who this is for
These prompts are designed for:
Compliance teams drafting ISO 27001 documentation from scratch
Security professionals updating policies to ISO 27001:2022
Consultants creating tailored documentation for clients
Organizations preparing their Statement of Applicability (SoA)
Before you begin
Policy and procedure development works best in a dedicated ISO 27001 workspace. Upload your existing policies or risk assessment results to provide context for more relevant, customized outputs.
Pro tip: Start with high-level policies first, then create supporting procedures. This top-down approach ensures procedures align with policy objectives and makes the audit trail clearer.
Information security policy prompts
Create comprehensive security policy
"Write a comprehensive Information Security Policy for a [industry] organization with [number] employees compliant with ISO 27001:2022 Clause 5.2. Include sections for: purpose and scope, policy statement and security objectives, roles and responsibilities (management, employees, IT), compliance requirements (legal, regulatory, contractual), consequences of non-compliance, policy review and update process, and approval/effective date. Target audience: all employees. Tone: clear, authoritative, accessible to non-technical readers."
Example: "Write a comprehensive Information Security Policy for a fintech SaaS organization with 120 employees compliant with ISO 27001:2022 Clause 5.2. Include our specific regulatory requirements: PCI-DSS, SOC 2, GDPR. Target our diverse audience including developers, customer support, and executives."
Define security objectives aligned to business
"Define measurable information security objectives for ISO 27001:2022 Clause 6.2 that align with our business goals: [list 3-5 business goals]. For each objective, provide: specific security outcome, measurable criteria (KPIs), target values, timeline, responsible owner, and how it supports business goals and risk reduction."
Create acceptable use policy
"Draft an Acceptable Use Policy covering employee use of IT resources including: permitted uses of company systems and data, prohibited activities (specific examples), personal use boundaries, email and internet usage guidelines, social media policies, remote work requirements, BYOD (Bring Your Own Device) rules, monitoring and privacy expectations, and violation consequences. Compliance with ISO 27001:2022 control A.5.10 Acceptable use of information and other associated assets."
Develop data classification policy
"Create a Data Classification and Handling Policy defining classification levels: [list your levels, e.g., Public, Internal, Confidential, Restricted]. For each level: provide clear definition and examples, specify handling requirements (storage, transmission, disposal), define access control requirements, state encryption requirements, list retention periods, and describe breach notification obligations. Align with ISO 27001:2022 control A.5.12 Classification of information."
Access control policy prompts
Write access control policy
"Draft an Access Control Policy for ISO 27001:2022 controls A.5.15-A.5.18. Include: principles (least privilege, need-to-know, separation of duties), user access provisioning process (request, approval, provisioning, review), authentication requirements (password policy, MFA mandate), privileged access management (admin accounts, elevation procedures), access review frequency and process, user deprovisioning (termination, role change), and remote access security. Specify different requirements for employee, contractor, and third-party access."
Create password and authentication policy
"Write a Password and Authentication Policy compliant with ISO 27001:2022 control A.5.17 Authentication information. Include: password length and complexity requirements, password expiration and history rules (note that current NIST SP 800-63B guidance favours screening against breached-password lists over forced periodic rotation unless compromise is suspected), account lockout thresholds, multi-factor authentication requirements by user role and system sensitivity, password storage (salted, memory-hard hashing, never reversible encryption) and transmission security, password reset procedures, prohibited practices (sharing, writing down), and exceptions or compensating controls for legacy systems."
Define privileged access management policy
"Create a Privileged Access Management Policy for ISO 27001:2022 control A.8.2 Privileged access rights (supporting A.5.18 Access rights) covering: definition of privileged access (admin, root, super user), justification and approval process for granting privileged access, elevated access session management, privileged account monitoring and logging, administrative password management (vaulting, rotation), emergency access procedures (break-glass scenarios), and periodic access recertification requirements."
Asset management policy prompts
Develop asset management policy
"Write an Asset Management Policy for ISO 27001:2022 control A.5.9. Include: asset inventory requirements (what to track, update frequency), asset classification and ownership assignment, acceptable use of assets, asset lifecycle management (acquisition, deployment, maintenance, disposal), physical asset controls (labeling, tracking, return), software asset management (licensing, approved software), and asset disposal/sanitization procedures to prevent data leakage."
Create media handling policy
"Draft a Media Handling and Disposal Policy covering ISO 27001:2022 controls A.7.10 and A.7.14. Address: types of media in scope (paper, USB drives, hard drives, backups, mobile devices), media labeling and classification, secure storage requirements, media transportation and mailing procedures, media disposal and sanitization methods (shredding, degaussing, cryptographic erasure), disposal verification and documentation, and vendor requirements for disposal services."
Cryptography and data protection prompts
Write cryptographic controls policy
"Create a Cryptography Policy for ISO 27001:2022 control A.8.24. Include: encryption requirements for data at rest by classification level, encryption requirements for data in transit (TLS versions, cipher suites), approved cryptographic algorithms and key lengths, key management procedures (generation, storage, rotation, destruction), digital signature and certificate requirements, encryption for mobile devices and removable media, cloud encryption requirements, and cryptographic control exceptions and compensating measures."
Develop data protection and privacy policy
"Draft a Data Protection and Privacy Policy addressing GDPR compliance and ISO 27001:2022 controls A.5.33-A.5.34. Cover: legal basis for processing personal data, data subject rights (access, rectification, erasure, portability), data minimization and purpose limitation, retention periods by data type, privacy by design principles, data breach notification procedures (timeline, authorities, data subjects), cross-border data transfer mechanisms, and privacy impact assessment triggers."
Operations and infrastructure prompts
Create change management policy
"Write a Change Management Policy for ISO 27001:2022 control A.8.32. Include: scope (what changes require formal process), change classification (standard, normal, emergency), change request and approval workflow, risk assessment requirements for changes, testing and rollback procedures, change implementation windows, post-implementation review, emergency change procedures with reduced controls, and documentation requirements for audit trail."
Develop backup and recovery policy
"Draft a Backup and Recovery Policy for ISO 27001:2022 control A.8.13. Specify: what systems and data require backup, backup frequency by system criticality (hourly, daily, weekly), backup retention periods, backup storage location and security (onsite, offsite, cloud), backup encryption requirements, backup testing frequency and procedures, recovery time objectives (RTO) and recovery point objectives (RPO) by system, restoration testing schedule, and backup monitoring and alerting."
Write vulnerability management policy
"Create a Vulnerability Management Policy for ISO 27001:2022 control A.8.8. Include: vulnerability scanning frequency and coverage, critical vulnerability response timeline (24 hours, 7 days, 30 days by severity), patch management process and testing requirements, vulnerability disclosure and communication, compensating controls when patching isn't feasible, third-party vulnerability notification, vulnerability metrics and reporting to management, and exception process for business-critical systems."
Human resources security prompts
Create employee screening policy
"Write an Employee Screening and Vetting Policy for ISO 27001:2022 control A.6.1. Include: pre-employment screening requirements (background checks, reference verification, employment history, education verification, credit checks for financial roles, criminal record checks), screening levels by role sensitivity and data access, screening for contractors and temporary staff, ongoing screening requirements (periodic re-verification), international hiring considerations, candidate consent and privacy requirements, and documentation retention."
Develop security awareness policy
"Draft a Security Awareness and Training Policy for ISO 27001:2022 control A.6.3. Cover: mandatory security awareness training for all employees (frequency, topics, delivery method), role-based training for privileged users and developers, phishing simulation program (frequency, escalation for repeat failures), new hire security orientation requirements, training effectiveness measurement, security communication channels, incident reporting training, and consequences for training non-compliance."
Write termination and role change procedures
"Create a Termination and Role Change Procedure for ISO 27001:2022 control A.6.5. Include: notification process and timeline, access revocation checklist by system and data type, physical asset return requirements (laptops, badges, keys, mobile devices), account deactivation procedures, data/email retention and transfer, exit interview security topics, post-termination monitoring for suspicious activity, rehire procedures, and role change access review process."
Incident management policy prompts
Create incident response policy
"Write a Security Incident Response Policy for ISO 27001:2022 control A.5.24-A.5.28. Include: incident definition and classification (security breach, data leak, malware, DDoS, unauthorized access), incident severity levels and escalation criteria, incident response team roles and responsibilities, incident detection and reporting channels (24/7 availability), incident response phases (preparation, detection, containment, eradication, recovery, lessons learned), evidence collection and chain of custody, communication plan (internal, customers, regulators, media), and post-incident review requirements."
Develop breach notification procedure
"Draft a Data Breach Notification Procedure addressing GDPR Articles 33-34 and ISO 27001:2022 control A.5.26. Include: breach assessment criteria (when is it reportable?), notification timeline (without undue delay and, where feasible, within 72 hours of becoming aware, to the supervisory authority), required breach notification content, data subject notification triggers and methods, internal escalation and approval workflow, documentation requirements for regulatory compliance, external communications coordination (legal, PR, customer support), and breach register maintenance."
Third-party and supplier management prompts
Write supplier security policy
"Create a Supplier and Third-Party Security Policy for ISO 27001:2022 controls A.5.19-A.5.23. Include: supplier security assessment requirements (pre-contract evaluation), due diligence process for supplier selection, minimum security requirements in supplier contracts (SLAs, security controls, audit rights, breach notification, data protection), supplier access controls and monitoring, supplier performance review and compliance verification, incident response coordination with suppliers, and supplier offboarding procedures."
Develop vendor risk assessment procedure
"Draft a Vendor Risk Assessment Procedure. Include: vendor categorization by risk level (high/medium/low based on data access, criticality, regulatory scope), assessment questionnaire structure, required evidence (SOC 2, ISO 27001 certificates, security policies, penetration test results, insurance), risk scoring methodology, assessment frequency by vendor risk level, remediation requirements for identified gaps, ongoing monitoring requirements, and reassessment triggers (security incident, contract renewal, regulatory change)."
Physical and environmental security prompts
Create physical security policy
"Write a Physical Security Policy for ISO 27001:2022 controls A.7.1-A.7.4. Address: facility access controls (badge systems, visitor management, tailgating prevention), security zones and perimeter definitions, visitor procedures (sign-in, escort, badge collection), surveillance and monitoring (CCTV, security guards), server room and data center access (who, when, logging), physical security incidents (tailgating, unauthorized access, theft), and integration with logical access controls."
Develop clear desk and screen policy
"Draft a Clear Desk and Clear Screen Policy for ISO 27001:2022 control A.7.7. Include: clear desk requirements (no confidential information visible, documents locked away at end of day), clear screen requirements (screen lock timeout, privacy screens, position of monitors), storage of sensitive information (locked cabinets, encrypted devices), document disposal (shredding, secure bins), visitor area considerations, remote work applicability, audit and compliance monitoring, and employee training requirements."
Business continuity prompts
Write business continuity policy
"Create a Business Continuity and Disaster Recovery Policy for ISO 27001:2022 controls A.5.29-A.5.30. Include: business impact analysis (BIA) requirements and frequency, critical business functions and maximum tolerable downtime, disaster declaration criteria and authority, continuity strategies for critical functions, disaster recovery site requirements, communication plans during disruptions, roles and responsibilities of continuity team, plan testing and exercise schedule (tabletop, simulation, full test), plan maintenance and update triggers, and integration with incident response."
Create ICT continuity procedure
"Draft an ICT Continuity Procedure covering ISO 27001:2022 controls A.5.30 ICT readiness for business continuity and A.8.14 Redundancy of information processing facilities. Include: critical system inventory and dependencies, recovery time objectives (RTO) and recovery point objectives (RPO) by system, redundancy and failover mechanisms, data backup and restoration procedures, alternative processing sites or cloud failover, communication systems during outages, supplier dependencies and contingencies, continuity testing procedures, and failback procedures when primary systems are restored."
Compliance and audit prompts
Develop compliance management policy
"Write a Compliance Management Policy for ISO 27001:2022 control A.5.31. Include: compliance obligations identification process (legal, regulatory, contractual), compliance monitoring and measurement, internal audit program (frequency, scope, independence), compliance training requirements, compliance reporting to management, non-compliance escalation and remediation, records and evidence retention requirements, and regulatory change management process."
Create internal audit procedure
"Draft an Internal Audit Procedure for ISO 27001:2022 Clause 9.2. Include: annual audit schedule and scope, auditor independence requirements, audit planning (risk-based approach, audit criteria), audit execution (opening meeting, evidence gathering, sampling, interviews), nonconformity identification and grading (major, minor, observation), corrective action requests and tracking, audit reporting format and distribution, follow-up audit procedures, and management review of audit results."
Procedure writing prompts
Convert policy to detailed procedure
"Convert this [policy name] into a detailed operational procedure. Include: procedure purpose and scope, roles and responsibilities (who does what), prerequisite requirements, step-by-step instructions with decision points, required tools and systems, expected timeframes, quality checks and verification steps, documentation and record-keeping requirements, exception handling, related procedures and references, and revision history. Format with numbered steps for easy following."
Create procedure for Annex A control
"Write an operational procedure to implement ISO 27001:2022 Annex A control [control number and name]. Address: what the control requires, who is responsible for implementation, detailed implementation steps, technical configuration if applicable, evidence to collect for audit, verification and testing procedures, frequency of control execution (daily, weekly, on-demand), monitoring and measurement, and how to document control effectiveness."
Example: "Write an operational procedure to implement ISO 27001:2022 Annex A control A.8.5 Secure authentication. Cover our specific environment: Azure AD SSO with MFA, privileged access workstations, service account management, and API key rotation."
Document workflow process
"Create a procedure documenting the workflow for [process name, e.g., 'user access provisioning']. Use a flowchart-style format with: trigger event, decision points (approval gates, conditions), actions at each step, responsible role for each action, system interactions, approval requirements, timeframes/SLAs, and completion criteria. Include both normal flow and exception paths."
Policy review and maintenance prompts
Create policy review schedule
"Generate a policy review and maintenance schedule for our ISO 27001 documentation. For each policy category (security, access control, incident response, HR, physical security, etc.), specify: review frequency (annual, semi-annual, trigger-based), review owner, review criteria (relevance, accuracy, compliance, effectiveness), approval authority, version control requirements, and distribution process for updated policies. Create a 12-month calendar view."
Develop policy exception process
"Draft a Policy Exception and Waiver Procedure. Include: valid reasons for requesting exceptions, exception request form and required justification, risk assessment for exception, compensating controls requirement, approval levels by policy type and risk, exception duration and renewal process, exception monitoring and reporting, exception revocation criteria, and documentation for audit trail."
Statement of Applicability (SoA) prompts
Generate complete SoA structure
"Create a Statement of Applicability (SoA) for ISO 27001:2022 covering all 93 Annex A controls. For each control: list control number and name, indicate applicability (Applicable or Not Applicable, as Clause 6.1.3 requires), reference specific risks from our risk assessment that justify including the control, describe our implementation approach, note implementation status (Implemented, In Progress, Planned with target date), identify responsible owner, list evidence available for audit, and provide justification for any exclusions. Organize by Annex A themes."
Justify control exclusions
"For these Annex A controls that we plan to mark 'Not Applicable' [list control numbers], provide audit-ready justification. For each: explain why the control doesn't apply to our organization considering our business model, technology stack, and identified risks; cite any compensating controls that provide similar protection; confirm that no identified risks require this control; and format justification suitable for auditor review and SoA documentation."
Map controls to policies and procedures
"Create a control-to-documentation mapping matrix. For each of the 93 ISO 27001:2022 Annex A controls: list the control number and name, identify which policy/policies address the control, identify which procedure/procedures implement the control, note evidence artifacts (logs, records, reports), and flag any controls lacking adequate documentation requiring new policy or procedure creation."
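The three SoA prompts above ask the assistant to flag exclusions without justification, applicable controls with no risk reference, and controls lacking a policy, procedure or evidence. Those checks are mechanical, so they are worth running yourself over the spreadsheet before an audit rather than trusting a generated table. The following script is an added example, not ISMS Copilot code or a format it exports; the column names, the short list of required controls and the sample SoA rows are constructed for illustration (a real export covers all 93 controls), and the risk register is a stand-in for your own.

```python
"""Check a Statement of Applicability export for the gaps an auditor will look for.

Added example; the CSV layout and sample rows are constructed, not an ISMS Copilot format.
"""
import csv
import io
from typing import Dict, Iterable, List

# Constructed SoA excerpt. Controls and names are from ISO 27001:2022 Annex A;
# the risk IDs, document names and owners are made up for the example.
SOA_CSV = """control,name,applicability,risks,policy,procedure,owner,implementation,evidence,justification
A.5.9,Inventory of information and other associated assets,Applicable,R-01;R-04,Asset Management Policy,Asset Inventory Procedure,IT Ops Lead,Implemented,CMDB export; quarterly reconciliation report,
A.5.10,Acceptable use of information and other associated assets,Applicable,R-02,Acceptable Use Policy,,HR Lead,Implemented,Signed AUP acknowledgements,
A.5.17,Authentication information,Applicable,R-03,Password and Authentication Policy,Credential Reset Procedure,IT Ops Lead,In Progress,,
A.7.7,Clear desk and clear screen,Not Applicable,,,,,,,
A.8.24,Use of cryptography,Applicable,,Cryptography Policy,Key Management Procedure,Security Lead,Implemented,,
A.8.32,Change management,Applicable,R-05;R-09,Change Management Policy,Change Request Procedure,Engineering Manager,Planned 2025-Q3,,
"""

# Constructed: the controls this SoA excerpt is expected to cover, and the
# risk IDs that exist in the (hypothetical) risk register.
REQUIRED_CONTROLS = ["A.5.9", "A.5.10", "A.5.12", "A.5.17", "A.7.7", "A.8.24", "A.8.32"]
RISK_REGISTER = {"R-01", "R-02", "R-03", "R-04", "R-05"}

# Clause 6.1.3 d) knows only included and excluded controls; "partially
# applicable" is an implementation status, not an applicability status.
VALID_APPLICABILITY = {"Applicable", "Not Applicable"}


def parse_soa(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per control row."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_soa(rows: List[Dict[str, str]],
                 required_controls: Iterable[str],
                 risk_register: Iterable[str]) -> List[str]:
    """Return one finding string per gap; an empty list means the SoA is clean."""
    findings: List[str] = []
    register = set(risk_register)
    seen = {r["control"].strip() for r in rows}

    # Every control the organisation must account for has to appear, even if excluded.
    for ctl in required_controls:
        if ctl not in seen:
            findings.append(f"{ctl}: missing from SoA")

    for r in rows:
        ctl = r["control"].strip()
        applicability = r["applicability"].strip()
        if applicability not in VALID_APPLICABILITY:
            findings.append(f"{ctl}: applicability must be one of "
                            f"{sorted(VALID_APPLICABILITY)}, got {applicability!r}")
            continue

        if applicability == "Not Applicable":
            # Exclusions need a written justification the auditor can read.
            if not r["justification"].strip():
                findings.append(f"{ctl}: exclusion lacks justification")
            continue

        # Applicable controls: inclusion must trace to a risk, and the risk must exist.
        risk_ids = [x.strip() for x in r["risks"].split(";") if x.strip()]
        if not risk_ids:
            findings.append(f"{ctl}: no risk reference justifies inclusion")
        for rid in risk_ids:
            if rid not in register:
                findings.append(f"{ctl}: risk {rid} not in risk register")

        # Control-to-documentation mapping: a policy addresses it, a procedure implements it.
        if not r["policy"].strip():
            findings.append(f"{ctl}: no policy addresses this control")
        if not r["procedure"].strip():
            findings.append(f"{ctl}: no procedure implements this control")
        if not r["owner"].strip():
            findings.append(f"{ctl}: no owner assigned")

        # "Implemented" with nothing to show the auditor is the gap that hurts most.
        if r["implementation"].strip() == "Implemented" and not r["evidence"].strip():
            findings.append(f"{ctl}: marked Implemented but no audit evidence listed")
    return findings


def run_example() -> List[str]:
    """Validate the constructed excerpt against the constructed expectations."""
    return validate_soa(parse_soa(SOA_CSV), REQUIRED_CONTROLS, RISK_REGISTER)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the sample data the script reports six gaps: A.5.12 absent from the SoA, A.5.10 with no procedure, A.7.7 excluded without justification, A.8.24 with no risk reference and no evidence despite being marked Implemented, and A.8.32 citing a risk ID that is not in the register. Point it at your real export by reading the file into `parse_soa` and passing the full Annex A control list and your risk register IDs; the same rules then serve as a regression check each time the SoA is regenerated.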
Customization and industry-specific prompts
Adapt policy for industry regulations
"Adapt this [policy name] to address industry-specific regulations: [list regulations, e.g., HIPAA, PCI-DSS, FedRAMP]. For each regulation: identify specific requirements not covered by base ISO 27001, add required policy sections or controls, reference specific regulatory clauses, adjust language for regulatory terminology, and add compliance verification procedures."
Simplify policy for readability
"Rewrite this policy using plain language accessible to non-technical employees. Simplify jargon and technical terms, use shorter sentences and paragraphs, add practical examples of do's and don'ts, include visual elements (icons, checklists), maintain compliance requirements but improve readability, target 8th-grade reading level, and ensure key requirements stand out (bold, callouts)."
Create executive policy summary
"Create a one-page executive summary of our [policy name] for leadership review. Include: policy purpose in business terms (why it matters), key requirements and obligations, roles and responsibilities for executives, business impact and benefits, compliance and risk implications, resource requirements (budget, headcount, tools), implementation timeline, and approval recommendation."
Quality assurance prompts
Review policy for compliance gaps
"Review this [policy name] against ISO 27001:2022 requirements for [relevant clause or control]. Check for: Are all mandatory requirements addressed? Is the policy specific enough for implementation? Are roles and responsibilities clearly defined? Are measurable criteria included? Is the policy enforceable? Are exceptions and violations addressed? Is audit evidence collection described? Identify gaps and recommend additions."
Upload your draft policy before using this prompt to get a comprehensive compliance review and gap analysis.
Check policy consistency across documents
"Compare these policies [list policy names] for consistency in: terminology (are terms used consistently?), requirements (any contradictions?), approval authorities (consistent delegation?), review frequencies (aligned schedules?), references and cross-links (accurate?), and formatting/structure (professional appearance?). Identify inconsistencies requiring resolution."
Validate procedure against policy
"Verify that this procedure for [topic] correctly implements the requirements in our [related policy name]. Check that: all policy requirements have corresponding procedure steps, procedure doesn't contradict policy, roles in procedure match policy definitions, approval workflows align, documentation requirements are met, and procedure fills any implementation gaps in policy. Identify misalignments."
Tips for using these prompts effectively
Provide context first: Before requesting a policy, tell ISMS Copilot about your organization: "We're a 50-person healthcare SaaS company using AWS and Microsoft 365, subject to HIPAA and GDPR." This context dramatically improves relevance.
Iterate in stages: Start with "create an outline for [policy]", review the structure, then ask "expand section 3 with detailed requirements and examples." This prevents overwhelming outputs and lets you guide the direction.
Request multiple options: Ask "provide 3 different approaches to [policy requirement]" to evaluate alternatives before committing to a specific implementation approach.
Always legal review: AI-generated policies should be reviewed by legal counsel, especially for privacy, data protection, employment, and contractual obligations. ISMS Copilot accelerates drafting but doesn't replace legal expertise.
Related prompt libraries
Complete your ISO 27001 implementation with these related prompt collections:
ISO 27001 audit preparation prompts (coming soon)
ISO 27001 gap analysis prompts (coming soon)
Getting help
For support with policy and procedure development:
Learn the framework: Understand How to conduct ISO 27001 risk assessment using AI to ensure policies address identified risks
Use AI responsibly: Review How to Use ISMS Copilot Responsibly for policy development best practices
Manage documentation: Optimize your workspace organization for multi-client projects
Ready to create your policies? Open your ISO 27001 workspace at chat.ismscopilot.com and start with your Information Security Policy using the prompts above.