How can AI help ISO 27001 consultants?

So, you are an ISO 27001 consultant, and you think generative AI will take away all of your clients? Or you think generative AI will never be accurate enough for some serious work?

Well, I believe none of this is true — I think that AI-powered tools will become very smart, and that skillful consultants will be able to use such AI tools in their everyday work to become even more successful.

How ISO 27001 consultants can use AI for their work:
  • AI tools for project management
  • AI tools integrated in GRC software
  • Specialized AI-powered chatbots

What types of AI tools will be available for consultants?

At the time this article was written (second half of 2023), the trends are such that the following types of AI tools are (or will be very soon) available to ISO 27001 consultants:

  • AI tools that help with project management — e.g., Notion.so automatically creates summaries of project tasks (or any documents), while Fireflies.ai automatically creates transcripts and to-do lists; in the future, there will most likely be tools that will automatically communicate with project team members and perhaps resolve some less complex organizational tasks.
  • AI tools that will be integrated in GRC software — such tools will be able to speed up risk management, document writing, evidence collection, etc.
  • AI tools that are text based, and that are used for conversations — currently, these are in the form of chatbots.

Because AI tools in this last category (AI-powered chatbots) are currently the most advanced, I’m going to focus on them in this article.

How can consultants use AI-powered chatbots for ISO 27001?

From my experience, AI-powered chatbots can help ISO 27001 consultants with the following:

  1. Teach less experienced consultants about ISO 27001
  2. Save time when checking things
  3. Speed up implementation
  4. Help with internal audit and pre-certification check
  5. Create training materials

I’m going to show you several examples of how to do this using Experta, a specialized AI-powered chatbot-style knowledge base for ISO 27001 (Experta is currently free to use; you can sign up here.)

Teach less experienced consultants about ISO 27001

If you have a junior consultant who has just started to work in your consultancy, or if you are starting your own ISO 27001 career, you can save a lot of time by letting an AI chatbot do the teaching — try asking questions like these:

“What are the mandatory clauses in ISO 27001?”

“How to present ISO 27001 benefits to the top management?”

“What is the purpose of ISMS?”

“What are the steps to perform corrective actions?”

“Create a learning program for ISO 27001 for a new consultant”

Save time when checking things

Usually, during a project, a consultant needs to check several sources or simply brainstorm ideas — here’s how an AI chatbot can help you with this:

“Which Annex A controls cover incident management?”

“What are the most common risks related to USB memory drives?”

“How to protect against insider threats?”

“What is ISO 27019?”

Speed up implementation

Once you’re further along in the implementation, you may sometimes need quick reminders on how to perform activities, or you might simply need a second opinion on how to complete a task:

“What are the steps for performing management review?”

“What inputs are needed for ISO 27001 management review?”

“Create a script on what should a consultant present at a management review meeting”

“How to review audit results during management review”

“What to include in management review minutes”

Help with internal audit and pre-certification check

As part of your consulting work, you might do an internal audit, or the client may ask you to check if everything is ready for the certification audit. Here are some questions you might ask:

“How to structure the internal audit checklist?”

“What will the certification auditor look for regarding risk assessment and treatment?”

“What evidence to look for regarding clause 7.4?”

“What evidence is needed for access control?”

Creating training materials

When you have to train your clients, you will be able to create training materials more quickly by using these prompts:

“Create topics for an ISO 27001 training”

“Create a script for a training on identifying requirements of interested parties”

“Create a multiple choice question with 4 answers for a topic of management review”

What to expect from AI-powered chatbots in the future

There are some things that AI tools cannot do (yet); however, these functionalities will certainly come soon:

  • Writing personalized documents. AI tools will enable semi-automatic writing of documents that are personalized for a company based on their industry, size, internal context, etc.
  • Reviewing the text of policies and procedures. AI tools will be able to read the text of your documents and tell you what needs to be improved — e.g., some parts of the document might not be compliant with the standard, or might not follow best practices.
  • Updating policies and procedures. Imagine that you can upload the text of your, e.g., Access Control Policy that is written according to the old 2013 revision, and that it is automatically updated for the 2022 revision? This is no longer science fiction; such features will be available pretty soon.

You can read some other ideas here: The future of compliance with generative AI technology.

How do the AI-powered chatbots work?

An AI-powered chatbot operates on the principle that if you ask it a question, it will use generative AI technology to predict the best answer. “Predict” is the key word here — those technologies are not intelligent; they simply calculate the probability of the best answer from the data that is available to the chatbot.

And here lies the problem with generic chatbots like ChatGPT — their source of data is the whole Internet, and they cannot distinguish whether certain text about ISO 27001 on a particular website was written correctly or not.

On the other hand, specialized AI-powered chatbots use a proprietary knowledge base that is curated by experts — such chatbots provide much more accurate answers because when the source is accurate, the output will be accurate as well.

Adapt and prosper

I have no doubt that the ISO world will change a lot with generative AI technology — it will change not only how companies implement or maintain standards, but also how they train their employees, how the certification is performed, and yes — how consultants do their part.

Therefore, as an ISO 27001 consultant, it is better to start changing how you work, and to start using this new technology to make your work more productive, but also more meaningful.

Experta AI-powered knowledge base is free to use — click here to start using it. Experta is trained on a proprietary knowledge base built by Advisera’s ISO 27001 experts.

Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.