Using AI for writing ISO 27001, a good idea?
It's not all black and white. AI use is still controversial, but sometimes a middle ground can be found.
There's no doubt confidential information shouldn't be sent to AI systems without proper due diligence.
But the good news is that we can also use AI for requests that don't involve confidential data. 🤷
Take AI for ISO 27001 preparation.
Nothing prevents you from using it for:
1. Asking questions on aspects of the ISO 27001 norm you might not fully understand.
2. Putting in perspective implementation steps and understanding which is your next step.
3. Asking for guidance on risk assessment methodologies.
4. Requesting assistance on how to draft policies and procedures.
5. Helping you select relevant controls from Appendix A. You refer to a control and then ask questions to understand whether it applies to a company with your characteristics.
6. Receiving guidance on establishing an incident response plan.
7. Consulting on strategies for raising information security awareness in your team.
So many things can be done without actually sending a single piece of confidential information!
That's why I think opening the AI discussion is so important.
I believe nuance can be found, and it can benefit most of us.
Of course expertise is still valuable.
And asking help from community professionals shouldn't disappear with AI.
I actually think that ISMS experts and consultants themselves will benefit increasingly from using them.
Because we know these tools are not perfect, anybody who uses them still needs to actually know what they're doing.
And the best placed persons are experts.
What do you think?
If you appreciated this post, please share the word.
PS: about AI and ISO 27001, the ISMS Copilot is now accessible to anybody with a ChatGPT+ subscription.
I invite you to try it for non-sensitive use cases (as suggested above) and let me know what you think.
If you fear your colleagues might use AI to process confidential information, it's still time to educate them on ChatGPT and data protection.