How to implement ISO 27001 Annex A controls by using AI

If you’re implementing an Information Security Management System (ISMS), you’re probably wondering how to implement ISO 27001 controls from Annex A. There are 93 controls listed in this annex of ISO 27001, and most people get confused over which documents to use, which technology they need, what kind of evidence to produce for the certification audit, etc.

Actually, you can get this information by using generative AI chatbots, and I’ll show you examples of prompts you can use for that purpose.

AI chatbots can help you with the following types of questions about ISO 27001 controls implementation:

  • The basics of Annex A
  • How to implement controls
  • How to write documents
  • Which technology to use
  • What kind of evidence is needed

In this article, I’ll use Experta, an AI-powered chatbot-style knowledge base focused on ISO 27001. The reason for using this chatbot is that ChatGPT and other generic chatbots are trained on data available on the Internet, which means that the quality of their answers depends on the quality of their inputs — sometimes you’ll get a correct answer, but sometimes you won’t (the “garbage in — garbage out” concept). By contrast, Experta is trained on a proprietary knowledge base created by Advisera’s experts, and it provides much more accurate answers.

To learn how to implement the whole ISO 27001 standard, read this article: How to implement ISO 27001 using generative AI.

Learn about Annex A basics

To start, you can ask a couple of questions to learn general things about Annex A controls:

  • “How is Annex A structured?”
  • “List all controls from ISO 27001 Annex A.”
  • “Are any of the Annex A controls mandatory?”
  • “Which controls to use against a hacker attack?”
  • “What is control A.5.7 Threat intelligence?”

How to implement controls

Once you decide which controls you need, you can ask questions like these about the implementation of ISO 27001 controls:

  • “Does ISO 27001 Annex A specify how each security control needs to be implemented?”
  • “How to implement ISO 27001 controls?”
  • “What are the steps for implementing ISO 27001 controls?”
  • “Who should be in charge of implementing Annex A controls?”
  • “How to implement control A.8.9 Configuration management?”

How to write documents for Annex A controls

To get a better picture of how to write policies and procedures related to Annex A, you can ask the following questions:

  • “Do we need to document each Annex A control?”
  • “Which documents are mandatory for Annex A?”
  • “How to structure documentation for Annex A?”
  • “How to document control A.8.13 Information backup?”
  • “How to structure a Classification Policy?”

Which technology to use for Annex A controls

When deciding whether you need any new technology, or whether your existing technology is good enough, you can ask something like this:

  • “Does ISO 27001 specify which technology must be used?”
  • “Is a VPN required for ISO 27001 implementation?”
  • “Which technology to use for control A.8.23 Web filtering?”

What kind of evidence is needed?

Once you have completed the implementation, you must start preparing evidence that will be needed at the certification audit. For that purpose, you can ask the following questions:

  • “What will the certification auditor ask regarding secure software development?”
  • “What kind of evidence is needed for control A.5.23 Information security for use of cloud services?”
  • “How to make sure employees comply with security policies and procedures?”

AI speeds up your learning considerably

Here, I have presented only some of the questions you can ask – of course, you’ll probably have hundreds (if not thousands) of questions during the project, but chatbots like Experta will most likely answer most of them.

In some cases, chatbots will not be able to answer a very complicated question, but at least you can get the majority of the answers without researching the Internet or waiting for a consultation with an expert.

The Experta AI-powered knowledge base is free to use. Experta is trained on a proprietary knowledge base built by Advisera’s ISO 27001 experts.

Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.