Overview
You'll discover copy-paste prompts to conduct comprehensive ISO 27001 risk assessments using ISMS Copilot, from building asset inventories to calculating risk scores and developing treatment plans aligned with Annex A controls.
Who this is for
These prompts are designed for:
Security professionals conducting ISO 27001 risk assessments
Risk managers implementing risk-based control selection
Consultants performing risk assessments for multiple clients
Organizations preparing for ISO 27001 certification audits
Before you begin
These prompts work best when used in your dedicated ISO 27001 workspace. Create a workspace specifically for your risk assessment to maintain context and build on previous conversations.
Pro tip: For each prompt, customize the bracketed placeholders [like this] with your specific details—industry, company size, technology stack, or asset details. The more specific your input, the more actionable the output.
Asset identification prompts
Generate comprehensive asset inventory
"Create an information asset inventory template for a [industry] company with [number] employees that [business description]. Include categories for: data assets, application systems, infrastructure, third-party services, and personnel. For each category, provide 10-15 relevant examples specific to our industry and operations."
Example: "Create an information asset inventory template for a healthcare SaaS company with 75 employees that provides patient engagement platforms to medical practices. Include categories for: data assets, application systems, infrastructure, third-party services, and personnel. For each category, provide 10-15 relevant examples specific to our industry and operations."
Analyze architecture for asset discovery
"Analyze this [architecture diagram/network map/system documentation] and identify all information assets that should be included in our ISO 27001 asset inventory. For each asset, suggest an appropriate owner based on business function and accountability for security."
Upload your existing network diagrams, data flow maps, or system architecture documents before using this prompt for the most accurate asset identification. These documents are themselves information assets, so apply the same classification and handling rules to the upload that you would to sharing them with any other third-party service.
Define asset classification criteria
"Define information classification levels (Public, Internal, Confidential, Restricted) for ISO 27001:2022. For each level, provide: clear definition, 5 specific examples relevant to [your industry], handling requirements, storage requirements, access controls, and consequences of unauthorized disclosure."
Identify asset owners and responsibilities
"For each asset type in a [company size and description] organization, who should be the asset owner? Define criteria for assigning ownership based on business function, technical responsibility, accountability for security, and decision-making authority."
Create process-based asset mapping
"For the business process '[process name, e.g., customer onboarding]', identify all information assets involved including: data created/processed, systems used, infrastructure dependencies, third-party services, and personnel roles. Present as a process flow with assets mapped to each step."
Threat and vulnerability analysis prompts
Generate asset-specific threat scenarios
"For [asset name and type] containing [data description] in a [hosting environment], identify realistic threats considering: cyber attacks (ransomware, phishing, DDoS), insider threats (malicious employees, privilege abuse), system failures (hardware, software, network), third-party risks (vendor breaches, supply chain attacks), and physical threats (theft, disasters). For each threat, describe the attack scenario and potential business impact."
Example: "For our customer database containing PII and payment card data in an AWS-hosted PostgreSQL environment, identify realistic threats considering: cyber attacks, insider threats, system failures, third-party risks, and physical threats. For each threat, describe the attack scenario and potential business impact."
Identify technology-specific vulnerabilities
"What are common vulnerabilities in [your technology stack] that could be exploited by attackers? Include: configuration weaknesses (default settings, hardening gaps), access control gaps (authentication, authorization), encryption issues (data at rest, in transit), patch management challenges, and insecure integrations."
Analyze industry threat landscape
"What information security threats are most relevant to [your industry] companies in [region]? Include: regulatory and compliance risks, competitor intelligence gathering, sector-specific attack patterns, supply chain vulnerabilities, and emerging threats based on recent industry incidents."
Assess third-party vendor risks
"Create a third-party risk assessment for our key vendors: [list vendor names and services they provide]. For each vendor, identify risks related to: data access and processing, service availability and continuity, security incidents and breach notification, compliance failures (GDPR, SOC 2), and contract termination scenarios."
Evaluate human factor vulnerabilities
"Identify human factor vulnerabilities in our organization considering: employee security awareness level ([current state]), remote work arrangements ([percentage remote]), access to sensitive data ([number of users]), security training frequency ([current frequency]), and phishing susceptibility. Suggest specific vulnerability scenarios that could be exploited."
Risk calculation prompts
Assess threat likelihood
"For the threat '[specific threat]' exploiting '[specific vulnerability]' in our [asset description], assess the likelihood on a 1-5 scale where 1=rare, 2=unlikely, 3=possible, 4=likely, 5=almost certain. Consider: our existing controls ([list current controls]), threat actor capabilities and motivation, historical incidents in our industry, current security posture, and any compensating factors. Show your reasoning for the score."
Example: "For the threat 'ransomware attack via phishing email' exploiting 'insufficient employee security awareness training' in our 50-person healthcare SaaS company, assess the likelihood on a 1-5 scale. Consider: we have basic email filtering but no advanced threat protection, no security awareness training program, 80% work-from-home employees, and the healthcare sector has seen a 40% increase in ransomware attacks year-over-year. Show your reasoning for the score."
Evaluate business impact
"For the risk '[threat] to [asset]', assess the impact on a 1-5 scale where 1=negligible, 2=minor, 3=moderate, 4=major, 5=severe. Consider: financial loss (revenue impact, regulatory fines, recovery costs), operational disruption (downtime duration, service degradation, productivity loss), regulatory consequences (GDPR penalties, compliance violations, reporting requirements), reputation damage (customer trust, media coverage, market position), and legal liability. Show your reasoning for the score."
Generate risk matrix and thresholds
"Create a 5x5 risk matrix for ISO 27001 where Likelihood (1-5) and Impact (1-5) produce risk scores. Define risk levels: Low (scores 1-6, green), Medium (scores 8-12, yellow), High (scores 15-20, orange), Critical (score 25, red). For each level, specify: required treatment timeline, approval authority, acceptable residual risk range, and monitoring frequency."
The gaps between the bands (7, 11, 13, 14, 17-19, 21-24) are not an error: the product of two integers from 1 to 5 can only take 14 values, so these four bands cover every reachable score. Note also that a plain L × I score rates a rare but severe event (1 × 5) the same as an almost-certain but negligible one (5 × 1); if your risk appetite treats high-impact, low-likelihood risks differently, say so in the prompt so the matrix reflects it.
Calculate residual risk after controls
"For the risk '[risk description]' with initial score [X], if we implement controls '[list controls]', what would be the residual risk score? Explain how each control reduces likelihood or impact, estimate the new likelihood and impact scores, calculate residual risk, and confirm whether residual risk is within acceptable limits."
Risk treatment prompts
Generate control recommendations
"For the risk '[risk description]' with score [X], suggest ISO 27001:2022 Annex A controls that would effectively mitigate this risk. For each recommended control: cite the control number and name, explain how it reduces likelihood or impact, describe the implementation approach, estimate cost and effort (low/medium/high), provide expected residual risk score, and list evidence needed to demonstrate effectiveness."
Compare treatment options cost-effectively
"Compare treatment options for the risk '[risk description]' with current score [X]: Option A - [control approach with estimated cost], Option B - [alternative control approach with estimated cost], Option C - [third option with estimated cost]. For each option, evaluate: risk reduction effectiveness, implementation complexity, ongoing maintenance burden, compatibility with existing controls, and return on security investment. Recommend the most cost-effective approach considering our risk appetite is [risk appetite statement]."
Example: "Compare treatment options for 'unauthorized access to customer database' with current score 20: Option A - implement MFA, RBAC, and SIEM monitoring ($50k), Option B - enhanced database encryption and access logging ($25k), Option C - move to managed database service with built-in security ($30k annually). Recommend the most cost-effective approach considering our risk appetite is 'no residual risk above 12 for critical assets'."
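The scoring prompts above describe a scale and a calculation that is easy to apply inconsistently by hand. The following Python is an added example, not code from ISMS Copilot: it encodes the 5x5 scale, the four bands, residual risk after controls, and an appetite check, and works through Option A from the treatment-comparison example (inherent score 20, appetite "no residual above 12"). How much each control lowers likelihood or impact is an assumption made for illustration; in a real assessment the risk owner sets those values and records the reasoning.

```python
"""Worked 5x5 risk scoring for the ISO 27001 prompts on this page.

Added example, not ISMS Copilot code. Scales and bands follow the prompts:
likelihood 1-5, impact 1-5, score = L x I, bands Low 1-6, Medium 8-12,
High 15-20, Critical 25. The control effects in option_a_example() are
assumptions for illustration only.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Scores are products of two 1-5 integers, so only 14 values are reachable;
# 7, 11, 13, 14, 17-19 and 21-24 never occur, which is why the bands can
# have gaps and still cover every possible score.
BANDS = [(1, 6, "Low"), (8, 12, "Medium"), (15, 20, "High"), (25, 25, "Critical")]


def risk_score(likelihood: int, impact: int) -> int:
    """Inherent or residual score: likelihood x impact on the 1-5 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers 1-5")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a score to its band; rejects values no 5x5 product can produce."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is not reachable on a 5x5 matrix")


def risk_matrix() -> dict:
    """Full grid {(likelihood, impact): band}, 25 cells."""
    return {(l, i): risk_level(risk_score(l, i)) for l in LIKELIHOOD for i in IMPACT}


def clamp(value: int) -> int:
    """Keep a score on the 1-5 scale; no control drives likelihood below 'rare'."""
    return max(1, min(5, value))


@dataclass
class Control:
    annex_a: str                # ISO 27001:2022 Annex A reference
    name: str
    likelihood_delta: int = 0   # negative values reduce likelihood
    impact_delta: int = 0       # negative values reduce impact


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def residual(self) -> int:
        """Score after all selected controls are applied, each axis clamped to 1-5."""
        l = clamp(self.likelihood + sum(c.likelihood_delta for c in self.controls))
        i = clamp(self.impact + sum(c.impact_delta for c in self.controls))
        return risk_score(l, i)


def within_appetite(score: int, appetite: int) -> bool:
    """Appetite stated as a maximum acceptable score, e.g. 'no residual above 12'."""
    return score <= appetite


def option_a_example() -> dict:
    """Option A from the treatment-comparison example on this page: MFA, RBAC
    and SIEM monitoring against 'unauthorized access to customer database',
    inherent likelihood 4 x impact 5 = 20. The deltas are assumptions."""
    risk = Risk("R-07", "unauthorized access to customer database", likelihood=4, impact=5)
    risk.controls = [
        Control("8.5", "Secure authentication (MFA)", likelihood_delta=-1),
        Control("8.2", "Privileged access rights (RBAC)", likelihood_delta=-1),
        Control("8.16", "Monitoring activities (SIEM)", impact_delta=-1),
    ]
    residual = risk.residual()
    return {
        "inherent": risk.inherent(),
        "inherent_level": risk_level(risk.inherent()),
        "residual": residual,
        "residual_level": risk_level(residual),
        "within_appetite_12": within_appetite(residual, 12),
    }


if __name__ == "__main__":
    for (l, i), band in sorted(risk_matrix().items()):
        print(f"L{l} x I{i} = {l * i:>2} -> {band}")
    print(option_a_example())
```

With the assumed deltas, Option A takes the risk from 20 (High) to 2 × 4 = 8 (Medium), inside the stated appetite of 12. Changing a single delta changes the answer, which is exactly why the prompts ask the AI to show its reasoning per control: the auditor will want to see why each control was credited with a one-point reduction and nothing more.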
Create comprehensive treatment plan
"Generate a risk treatment plan for the risk '[risk description]'. Include: risk ID and description, current risk score (likelihood × impact), selected treatment option (mitigate/avoid/transfer/accept), specific controls to implement with Annex A references, implementation owner and accountable executive, target completion date, required budget and resources, expected residual risk score, monitoring and verification approach, and approval status. Format as an audit-ready treatment plan."
Develop risk acceptance justification
"Create a risk acceptance justification for '[risk description]' with score [X] that we plan to accept rather than treat. Include: business rationale for acceptance (cost-benefit analysis), confirmation that score is within our risk appetite of [appetite threshold], compensating controls or monitoring in place, conditions that would trigger reassessment, approval requirements (which executives must sign off), and documentation for audit trail."
Control mapping prompts
Map risks to Annex A controls
"Which ISO 27001:2022 Annex A controls address the risk '[risk description]'? For each relevant control: cite the control number and name, explain the specific control objective, describe how it mitigates this particular risk (reduces likelihood or impact), outline implementation requirements, list evidence needed to demonstrate compliance, and note any dependencies on other controls."
Create control selection matrix
"Generate a control selection matrix showing which Annex A controls address which risks in our risk register. Structure as a table with columns: Risk ID, Risk Description, Risk Score, Selected Controls (with control numbers), Control Implementation Status, Justification for Control Selection. Show relationships for our top 15 risks organized by risk score (highest first)."
Justify control exclusions
"For Annex A control [control number and name], explain why we might exclude this from our Statement of Applicability. Consider: is the control relevant to risks we've identified? Does our business model or technology make it not applicable? Are there alternative controls that achieve the same objective? Provide audit-ready justification if exclusion is recommended."
Documentation prompts
Generate executive risk summary
"Create an executive summary of our ISO 27001 risk assessment for presentation to leadership. Include: total number of assets assessed by category, number of risks identified organized by severity level (critical/high/medium/low), risk score distribution across business units, key findings and critical vulnerabilities, top 5 priority risks requiring immediate action, recommended treatment approach and budget requirements, timeline for risk mitigation, and expected compliance status after treatment. Target audience: non-technical executives. Format as 2-page executive brief."
Document risk assessment methodology
"Write a comprehensive risk assessment methodology document for ISO 27001:2022 compliance. Include sections for: scope and objectives (what we're assessing and why), asset identification process (how we discover and catalog assets), threat and vulnerability analysis approach (sources and methods), likelihood scale with definitions and examples, impact scale with definitions across multiple dimensions (financial, operational, regulatory, reputational), risk calculation formula and matrix, risk acceptance criteria and thresholds, roles and responsibilities (who does what), assessment frequency and triggers for reassessment, and documentation requirements. Format for audit submission with proper ISO clause references."
Create audit-ready risk register
"Generate a complete risk register template compliant with ISO 27001:2022 Clause 6.1.2 requirements. Include columns for: Risk ID (unique identifier), Asset Affected, Threat Description, Vulnerability Exploited, Existing Controls, Likelihood Score (1-5 with justification), Impact Score (1-5 with justification), Inherent Risk Score (L×I), Treatment Option (mitigate/avoid/transfer/accept), Selected Controls (Annex A references), Implementation Status, Residual Risk Score, Risk Owner, Review Date, and Approval Status. Provide 10 sample entries for a [your industry] organization."
Build Statement of Applicability foundation
"Using our risk assessment results, create a Statement of Applicability (SoA) draft for ISO 27001:2022. For each of the 93 Annex A controls: list the control number and name, indicate applicability (Yes/No/Partial), reference which specific risks justify the control selection, describe our implementation approach, note implementation status (Implemented/In Progress/Planned), and identify gaps or exclusion justification. Organize by Annex A themes (Organizational, People, Physical, Technological)."
Stakeholder validation prompts
Prepare review meeting materials
"Create a presentation for a risk assessment review meeting with department heads. Include slides for: overview of ISO 27001 risk assessment methodology, summary of risks identified in their specific department, proposed treatment plans affecting their team, required actions and resource commitments from their department, budget implications and cost allocation, timeline and milestones, and approval requirements. Target 30-minute presentation with opportunities for discussion."
Generate validation questions
"Create a list of validation questions to ask department heads when reviewing risk assessments for their areas. Organize by topic: Asset Completeness (Have we identified all critical assets?), Threat Realism (Are these threats realistic given our environment?), Vulnerability Accuracy (Do these weaknesses actually exist?), Impact Assessment (Is the business impact correctly evaluated?), Control Feasibility (Can we actually implement these controls?), Resource Availability (Do you have budget and staff?), and Timeline Reasonableness (Are deadlines achievable?)."
Ongoing risk management prompts
Define reassessment triggers
"Define specific triggers that would require reassessing information security risks per ISO 27001:2022 Clause 8.2 (risk assessments at planned intervals or when significant changes are proposed or occur). Include: technology changes (new systems, cloud migrations, architecture updates), business changes (expansion, new products, M&A), regulatory updates (new compliance requirements, enforcement actions), security incidents (breaches, near-misses, control failures), threat landscape changes (new attack vectors, industry incidents), organizational changes (restructuring, leadership changes), and control effectiveness changes (audit findings, testing results). For each trigger, specify who initiates reassessment, timeline requirements, and scope of review."
Create quarterly risk review process
"Design a quarterly risk review process for ISO 27001 including: key risk indicators to track (trending metrics), risk register updates required, changes in threat landscape to consider, control effectiveness validation, new risks to assess, review meeting agenda with time allocations, reporting templates for management review, criteria for escalating risks that have increased, and documentation requirements for audit trail."
Build change-driven reassessment workflow
"Design a workflow for updating the ISO 27001 risk assessment when [specific change occurs, e.g., 'launching a new customer-facing application']. Include: change notification and approval process, who performs the risk assessment (roles and responsibilities), which specific assets and risks to review, threat and vulnerability analysis requirements, risk scoring and treatment decisions, updates needed to risk register and SoA, approval and sign-off requirements, and documentation to maintain for audit evidence."
Quality assurance prompts
Review risk assessment for completeness
"Review this risk assessment against ISO 27001:2022 Clause 6.1.2 (risk assessment) and Clause 6.1.3 (risk treatment) requirements. Check for: Are all information assets in scope identified? Are threats and vulnerabilities comprehensive and realistic? Is the risk scoring methodology consistently applied? Are all high and critical risks addressed with treatment plans? Is the control selection justified by specific risks? Are risk acceptance decisions properly approved? Are documentation and evidence sufficient for audit? Identify any gaps, missing elements, or areas needing strengthening."
Upload your completed risk assessment document before using this prompt to get a comprehensive quality check before audit submission.
Validate consistency across assessments
"Compare these two risk assessments [for similar assets or scenarios] and check for consistency in: likelihood scoring (are similar threats scored similarly?), impact evaluation (are similar consequences rated comparably?), control selection (are equivalent risks treated with similar controls?), risk acceptance decisions (is risk appetite applied uniformly?). Identify inconsistencies that should be resolved before audit."
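Two of the checks in the prompt above (similar threats scored similarly, risk appetite applied uniformly) can be run mechanically over the whole register rather than two assessments at a time. The Python below is an added example, not ISMS Copilot code; the register rows are constructed, and the column names follow the risk register prompt earlier on this page.

```python
"""Consistency checks over an ISO 27001 risk register.

Added example, not ISMS Copilot code. REGISTER is constructed sample data;
field names follow the register prompt on this page. Two checks from the
validation prompt: (1) rows for the same asset and threat whose likelihood or
impact scores diverge, (2) accepted risks whose score exceeds the appetite.
"""
from collections import defaultdict

REGISTER = [
    {"risk_id": "R-01", "asset": "customer database", "threat": "ransomware via phishing",
     "likelihood": 4, "impact": 5, "treatment": "mitigate"},
    # Same asset and threat, different spelling and a much lower likelihood.
    {"risk_id": "R-02", "asset": "Customer Database", "threat": "Ransomware via phishing",
     "likelihood": 2, "impact": 5, "treatment": "mitigate"},
    {"risk_id": "R-03", "asset": "HR system", "threat": "credential phishing",
     "likelihood": 3, "impact": 3, "treatment": "accept"},
    {"risk_id": "R-04", "asset": "HR system", "threat": "credential phishing",
     "likelihood": 3, "impact": 3, "treatment": "accept"},
    # Accepted at 3 x 5 = 15, above an appetite of 12.
    {"risk_id": "R-05", "asset": "payment gateway", "threat": "insider privilege abuse",
     "likelihood": 3, "impact": 5, "treatment": "accept"},
]


def _key(text: str) -> str:
    """Normalise case and whitespace so 'Customer Database' matches 'customer database'."""
    return " ".join(text.lower().split())


def scoring_inconsistencies(register: list, max_spread: int = 1) -> list:
    """Group rows by (asset, threat) and flag any score field whose values differ
    by more than max_spread. Exact equality is too strict when several people
    wrote the assessments; a spread of one point is normal, two is a finding."""
    groups = defaultdict(list)
    for row in register:
        groups[(_key(row["asset"]), _key(row["threat"]))].append(row)
    findings = []
    for (asset, threat), rows in groups.items():
        if len(rows) < 2:
            continue
        for fld in ("likelihood", "impact"):
            scores = {r["risk_id"]: r[fld] for r in rows}
            if max(scores.values()) - min(scores.values()) > max_spread:
                findings.append({"asset": asset, "threat": threat, "field": fld, "scores": scores})
    return findings


def appetite_violations(register: list, appetite: int) -> list:
    """Risk IDs marked 'accept' whose L x I exceeds the appetite threshold."""
    return sorted(
        r["risk_id"] for r in register
        if r["treatment"] == "accept" and r["likelihood"] * r["impact"] > appetite
    )


if __name__ == "__main__":
    for f in scoring_inconsistencies(REGISTER):
        print(f"Inconsistent {f['field']} for {f['asset']} / {f['threat']}: {f['scores']}")
    print("Accepted above appetite 12:", appetite_violations(REGISTER, 12))
```

On the sample data this reports one scoring finding (R-01 and R-02 rate the same ransomware scenario at likelihood 4 and 2) and one appetite finding (R-05 accepted at 15 against a threshold of 12). Both are the kind of discrepancy an auditor sampling the register would pick up, so resolve them, and record why, before submission.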
Tips for using these prompts effectively
Build on previous responses: After receiving an AI-generated asset inventory or risk list, ask follow-up questions like "Add 5 more assets specific to [department]" or "Identify additional threats related to [specific technology]" to expand and refine outputs.
Request reasoning: Add "Show your reasoning" or "Explain your assessment" to any prompt. This creates documentation of how risk scores were determined—exactly what auditors want to see.
Iterate for your context: Start with generic prompts, then refine with specific details about your industry, size, technology, and risk appetite. The AI learns your context within a workspace conversation.
Validate AI outputs: Always review AI-generated risk assessments with your internal experts. The AI provides frameworks and suggestions—you provide business context and final decisions.
Related prompt libraries
Expand your ISO 27001 implementation with these related prompt collections:
ISO 27001 policy and procedure prompts (coming soon)
ISO 27001 audit preparation prompts (coming soon)
ISO 27001 gap analysis prompts (coming soon)
Getting help
For support with risk assessment prompts:
Learn best practices: Review our guide on How to conduct ISO 27001 risk assessment using AI
Understand AI limitations: Read How to Use ISMS Copilot Responsibly
Optimize your workflow: See How to manage multi-client compliance projects using workspaces
Ready to start your risk assessment? Open your ISO 27001 workspace at chat.ismscopilot.com and copy your first prompt to begin identifying information assets.