If you’re implementing an Information Security Management System (ISMS), you’re probably wondering how to implement ISO 27001 controls from Annex A. There are 93 controls listed in this annex of ISO 27001, and most people get confused over which documents to use, which technology they need, what kind of evidence to produce for the certification audit, etc.
Actually, you can get this information by using generative AI chatbots, and I’ll show you examples of prompts you can use for that purpose.
AI chatbots can help you with the following types of questions about ISO 27001 controls implementation:
- The basics of Annex A
- How to implement controls
- How to write documents
- Which technology to use
- What kind of evidence is needed
In this article, I’ll use Experta, an AI-powered chatbot-style knowledge base focused on ISO 27001. The reason for using this chatbot is that ChatGPT and other generic chatbots are trained using data available on the Internet, which means that the quality of their answers depends on the quality of their inputs — sometimes you’ll get a correct answer, but sometimes you won’t (the “garbage in — garbage out” concept). As opposed to that, Experta is trained with the proprietary knowledge base that was created by Advisera’s experts, and it provides much more accurate answers.
To learn how to implement the whole ISO 27001 standard, read this article: How to implement ISO 27001 using generative AI.
Learn about Annex A basics
To start, you can ask a couple of questions to learn general things about Annex A controls:
“List all controls from ISO 27001 Annex A”
“Are any of the Annex A controls mandatory?”
“Which controls to use against a hacker attack?”
“What is control A.5.7 Threat intelligence?”
How to implement controls
Once you decide which controls you need, you can ask questions like these about the implementation of ISO 27001 controls:
“Does ISO 27001 Annex A specify how each security control needs to be implemented?”
“How to implement ISO 27001 controls?”
“What are the steps for implementing ISO 27001 controls?”
“Who should be in charge of implementing Annex A controls?”
“How to implement control A.8.9 Configuration management?”
How to write documents for Annex A controls
To get a better picture of how to write policies and procedures related to Annex A, you can ask the following questions:
“Do we need to document each Annex A control?”
“Which documents are mandatory for Annex A?”
“How to structure documentation for Annex A?”
“How to document control A.8.13 Information backup?”
“How to structure a Classification Policy?”
Which technology to use for Annex A controls
When deciding if you need any new technology, or if your existing technology is good enough, you can ask something like this:
“Does ISO 27001 specify which technology must be used?”
“Is VPN required for ISO 27001 implementation?”
“Which technology to use for control A.8.23 Web filtering?”
What kind of evidence is needed?
Once you have completed the implementation, you must start preparing evidence that will be needed at the certification audit. For that purpose, you can ask the following questions:
“What will the certification auditor ask regarding secure software development?”
“What kind of evidence is needed for control A.5.23 Information security for use of cloud services?”
“How to make sure employees comply with security policies and procedures?”
AI speeds up your learning considerably
Here, I have presented only some of the questions that you can ask – of course, you’ll probably have hundreds (if not thousands) of questions during the project, but chances are that chatbots like Experta will answer most of them.
In some cases, chatbots will not be able to answer a very complicated question, but at least you can get the majority of answers without researching the Internet or waiting for a consultation with an expert.
The Experta AI-powered knowledge base is free to use. Experta is trained on a proprietary knowledge base built by Advisera’s ISO 27001 experts.