Overview

Welcome to the ISO 27001 prompt library: a collection of ready-to-use prompts for implementing, documenting, and maintaining ISO 27001:2022 compliance using ISMS Copilot. This library accelerates every phase of your ISMS journey, from initial risk assessment through certification and ongoing management.

Who this library is for

This prompt library is designed for:

  • Organizations implementing ISO 27001 for the first time

  • Security and compliance teams preparing for certification audits

  • Consultants supporting multiple client implementations

  • Certified organizations maintaining and improving their ISMS

  • Teams transitioning from ISO 27001:2013 to 2022

What's included in this library

The ISO 27001 prompt library contains five comprehensive collections covering the complete ISMS lifecycle:

1. Risk assessment prompts

ISO 27001 risk assessment prompts help you conduct comprehensive risk assessments that form the foundation of your control selection.

What's covered:

  • Asset identification and classification

  • Threat and vulnerability analysis

  • Risk calculation and scoring

  • Risk treatment planning

  • Control mapping to Annex A

  • Risk documentation and reporting

  • Stakeholder validation

  • Ongoing risk management

Key use cases: Building asset inventories, generating threat scenarios, calculating risk scores, developing treatment plans, creating Statement of Applicability foundation

Start here if: You're beginning ISO 27001 implementation or need to update your risk assessment for audit readiness.

2. Policy and procedure prompts

ISO 27001 policy and procedure prompts help you create audit-ready documentation that demonstrates control implementation.

What's covered:

  • Information security policy creation

  • Access control policies

  • Asset management policies

  • Cryptography and data protection

  • Operations and infrastructure policies

  • Human resources security

  • Incident management policies

  • Third-party and supplier management

  • Physical security policies

  • Business continuity policies

  • Compliance and audit policies

  • Procedure writing and SoA development

Key use cases: Drafting comprehensive security policies, creating operational procedures, building Statement of Applicability, customizing documentation for your industry

Start here if: You've completed risk assessment and need to document how you'll implement controls through policies and procedures.

3. Control implementation prompts

ISO 27001 control implementation prompts provide practical guidance for implementing all 93 Annex A controls in your environment.

What's covered:

  • Organizational controls (A.5) - governance, roles, asset management

  • People controls (A.6) - screening, training, termination

  • Physical controls (A.7) - facility security, equipment protection

  • Technological controls (A.8) - access control, encryption, logging, backups, vulnerability management, secure development

  • Incident management implementation

  • Business continuity implementation

  • Supplier management implementation

  • Privacy and compliance implementation

  • Testing and verification approaches

  • Integration and automation strategies

Key use cases: Configuring technical security controls, designing operational workflows, implementing authentication and access controls, setting up monitoring and logging, automating control execution

Start here if: You have policies documented and need practical implementation guidance for your specific technology stack.

4. Audit preparation prompts

ISO 27001 audit preparation prompts help you prepare comprehensive evidence and documentation for certification and surveillance audits.

What's covered:

  • Gap analysis and readiness assessment

  • Evidence collection by control area

  • Internal audit planning and execution

  • Audit response preparation

  • Technical evidence compilation

  • Management system evidence

  • Supplier and third-party evidence

  • Specialized audit scenarios (cloud, remote work, multi-site)

  • Post-audit corrective actions

  • Audit readiness self-assessment

Key use cases: Conducting pre-audit gap analysis, collecting evidence packages by Annex A control, preparing for common auditor questions, conducting mock audits, creating corrective action plans

Start here if: Your certification audit is scheduled within 8-12 weeks, or you're preparing for surveillance/recertification.

5. Documentation and reporting prompts

ISO 27001 documentation and reporting prompts help you create mandatory ISMS documentation and communicate security program effectiveness.

What's covered:

  • Mandatory ISMS documentation (scope, context, roles, methodology, SoA, objectives)

  • Management system documentation

  • Operational documentation and runbooks

  • Risk management documentation

  • Performance metrics and KPI dashboards

  • Internal audit documentation

  • Management review materials

  • Incident and problem documentation

  • Change and release documentation

  • Compliance and legal documentation

  • Supplier documentation

  • Training and awareness records

  • Executive reporting and communication

  • Continuous improvement documentation

Key use cases: Creating mandatory ISMS documents, building KPI dashboards, preparing management review packs, documenting incidents, generating executive reports

Start here if: You need to create required ISMS documentation or develop reporting for management and stakeholders.

How to use this prompt library

For first-time implementations

Follow this sequence for comprehensive ISO 27001 implementation:

  1. Risk assessment (Week 1-4): Use risk assessment prompts to identify assets, analyze threats, calculate risks, and develop treatment plans

  2. Documentation (Week 5-8): Use documentation prompts to create mandatory ISMS documents (scope, context, methodology) and policy prompts to draft security policies

  3. Implementation (Week 9-20): Use control implementation prompts to configure and deploy security controls based on your risk treatment plan

  4. Pre-audit preparation (Week 21-24): Use audit preparation prompts to conduct gap analysis, collect evidence, and prepare for certification audit

  5. Certification audit (Week 25-26): Use audit response and closing meeting prompts from the audit preparation collection

For audit preparation

If your audit is approaching:

  1. 12 weeks before: Run gap analysis prompts to identify missing documentation or evidence

  2. 8-10 weeks before: Use evidence collection prompts to gather proof of control implementation

  3. 6-8 weeks before: Conduct internal audits using internal audit prompts

  4. 4 weeks before: Prepare team using interview preparation and auditor question prompts

  5. 2 weeks before: Final readiness check using readiness assessment prompts

  6. During audit: Reference audit response and documentation prompts as needed

  7. After audit: Use corrective action prompts to address findings

For ongoing management

After certification, maintain compliance using:

  • Quarterly: Risk review, performance metrics, and management review prompts

  • Monthly: Executive reporting and KPI dashboard prompts

  • Ongoing: Incident documentation, change management, and continuous improvement prompts

  • Annually: Internal audit, risk assessment update, and policy review prompts

Best practices for prompt usage

Use a dedicated workspace: Create an ISO 27001 workspace in ISMS Copilot to maintain context across conversations. This allows the AI to build on previous outputs and understand your specific environment.

Customize with specifics: Replace bracketed placeholders [like this] with your actual details: company size, industry, technology stack, cloud provider. Specific inputs produce specific, actionable outputs.

Upload existing documentation: Before using prompts, upload your current policies, risk assessments, or technical documentation. AI can analyze what exists and suggest improvements or identify gaps.

Iterate and refine: Start with a basic prompt to get structure, then follow up with "expand section 3 with more detail" or "add examples for healthcare industry." Building iteratively produces better results than one-shot prompts.

Request reasoning: Add "show your reasoning" or "explain your recommendations" to prompts. This creates documentation of decision rationale that auditors appreciate.

Validate AI outputs: Always review AI-generated content with internal experts. AI accelerates creation but requires human validation for accuracy, completeness, and alignment to your actual implementation.

Don't over-rely on templates: Prompts provide frameworks and starting points. Customize outputs to reflect your actual environment, risks, and controls rather than using generic AI-generated content verbatim.

Understanding prompt structure

Prompts in this library follow a consistent structure designed for optimal results:

  1. Task definition: Clear statement of what to create ("Write a...", "Generate a...", "Design a...")

  2. Compliance reference: ISO 27001:2022 clause or Annex A control reference for traceability

  3. Customization points: Bracketed placeholders [like this] for your specific details

  4. Scope and inclusions: Specific elements to include in the output

  5. Format guidance: Target audience, length, tone, or structure preferences

Example anatomy:

"[Task] Write an Access Control Policy [Compliance] for ISO 27001:2022 controls A.5.15-A.5.18. [Scope] Include: user provisioning, MFA requirements, privileged access management, and access reviews. [Customization] For a [industry] company using [identity system]. [Format] Target audience: all employees. Tone: clear and authoritative."

Common use patterns

Creating from scratch

When you need to create new documentation or controls:

  1. Select the appropriate prompt from the library

  2. Replace all [bracketed] customization points with your specifics

  3. Add any additional context about your environment in a brief sentence

  4. Review the output and ask follow-up questions to refine

Improving existing content

When you have existing documentation that needs enhancement:

  1. Upload your existing document to the workspace

  2. Use prompts like "Review this [policy/procedure] against ISO 27001:2022 requirements and identify gaps"

  3. Follow up with specific improvement requests based on identified gaps

  4. Iterate until the document meets audit requirements

Gap analysis workflow

When preparing for an audit or assessing current state:

  1. Upload all existing ISMS documentation

  2. Use gap analysis prompts to identify missing or weak areas

  3. Prioritize gaps by audit impact and implementation effort

  4. Use appropriate library prompts to address high-priority gaps

  5. Re-run gap analysis to verify improvements

Integration with implementation guides

This prompt library complements our comprehensive implementation guides:

Recommended approach: Read the implementation guides to understand the methodology and requirements, then use the prompt library to accelerate actual deliverable creation.

Industry-specific adaptations

While prompts are designed to be industry-agnostic, you can adapt them for specific sectors:

  • Healthcare/HIPAA: Add "addressing HIPAA privacy and security rules" to policy and control prompts

  • Financial services/PCI DSS: Add "including PCI DSS requirements for [relevant SAQ level]" to relevant prompts

  • Public sector/FedRAMP: Add "aligned with FedRAMP [Low/Moderate/High] baseline controls" to control implementation prompts

  • SaaS/Cloud: Specify cloud provider and architecture in all technical implementation prompts

  • Manufacturing/OT: Add "including operational technology and SCADA systems" to scope and asset prompts

Multi-client consulting workflows

For consultants managing multiple client implementations:

  1. Create client-specific workspaces: Separate workspace per client maintains context isolation

  2. Establish client baseline: Document client specifics (industry, size, tech stack, regulations) at the start of each workspace

  3. Reuse refined prompts: Save prompts you've customized and refined for one client to accelerate future clients

  4. Build template library: Generate comprehensive templates in one workspace, then adapt for each client

  5. Scale expertise: Use prompts to maintain consistent quality across all clients regardless of team size

Learn more: How to manage multi-client compliance projects using workspaces

Staying current with ISO 27001:2022

This prompt library is designed for ISO 27001:2022 including:

  • All 93 Annex A controls (updated from 114 in 2013 version)

  • New control themes (Organizational, People, Physical, Technological)

  • Updated clause requirements (simplified documented information)

  • Cloud and remote work considerations

  • Privacy and data protection alignment with GDPR

  • Threat intelligence and security monitoring focus

If transitioning from ISO 27001:2013, use gap analysis prompts to identify changes needed in existing documentation and controls to meet 2022 requirements.

Getting help and support

Additional resources to support your ISO 27001 journey:

Expand beyond ISO 27001 with our other prompt libraries:

Contributing and feedback

This prompt library continuously evolves based on user feedback and ISO 27001 implementation experience. If you:

  • Discover particularly effective prompt variations

  • Identify gaps in coverage

  • Have suggestions for new prompt categories

  • Find prompts that need clarification or improvement

please share it. Your feedback helps improve this resource for the entire compliance community.

Ready to accelerate your ISO 27001 implementation? Choose the prompt library section that matches your current phase, create your ISO 27001 workspace, and start building your ISMS with AI assistance today.

Quick start checklist

Follow these steps to maximize value from this prompt library:

  1. ☐ Create dedicated ISO 27001 workspace in ISMS Copilot

  2. ☐ Define your starting point: new implementation, audit preparation, or ongoing management

  3. ☐ Select the appropriate prompt library section for your phase

  4. ☐ Gather context: company details, tech stack, industry, existing documentation

  5. ☐ Upload any existing ISMS documentation to workspace

  6. ☐ Start with foundation prompts (scope, context, risk methodology)

  7. ☐ Customize prompts with your specific details

  8. ☐ Review and validate AI outputs with internal experts

  9. ☐ Iterate and refine based on your actual implementation

  10. ☐ Document what works to build your own prompt best practices

Your journey to ISO 27001 compliance just became significantly faster and more efficient. Let's get started.