The European Union's NIS2 Directive, which will shortly become enforceable in Germany through the NIS2 Implementation Act (NIS2UmsuCG), presents companies with significant challenges in the field of information security. It is estimated that over 30,000 companies in Germany will require guidance and assistance in establishing and maintaining an ISMS, or at least specific components thereof, upon the Directive's implementation. However, the number of qualified consultants available to meet this demand is insufficient. This will result in a significant discrepancy between the directive's requirements and the consulting industry's existing capabilities.
In light of this impending gap, AI could prove an invaluable resource for companies lacking the requisite expertise. While engaging advisors can be time-consuming and costly, ChatGPT offers a fast and affordable way to access information and advice at any time. In the context of the NIS2 Directive, the availability and flexibility of ChatGPT will undoubtedly become a key differentiator. It can help bridge the advisor gap, providing immediate support to companies that require it. ChatGPT is capable of handling not only routine tasks such as creating security guidelines or carrying out risk analyses, but also more complex consulting services. This allows companies to streamline the development and maintenance of their ISMS, while reducing their reliance on external consultants and the associated costs.
The remainder of this article will examine how ChatGPT can be used as an ISMS consultant, outlining the benefits and considerations for its use.
Table of contents
What is ChatGPT?
Possible uses of ChatGPT as a consultant in ISMS
Benefits of using ChatGPT as an ISMS consultant
Implementation of ChatGPT as ISMS consultant
Dealing with hallucinations in ChatGPT
The best prompt for your own ConsultantGPT
Effective prompting for optimal consulting results
Data protection and compliance when using ChatGPT
Challenges and limitations of ChatGPT as a consultant
1. What is ChatGPT?
ChatGPT is an advanced language model developed by OpenAI. It is essentially software that understands natural language and can respond to it. You can think of ChatGPT as a very well-informed assistant that can provide answers to a wide range of questions. It uses large amounts of text data to recognize patterns and provide relevant information. This means it can assist in many areas - be it answering technical questions, creating documentation or even developing strategies.
2. Possible uses of ChatGPT as a consultant in ISMS
In the context of an information security management system (ISMS), ChatGPT can be helpful in several ways:
Creating and updating security policies
One of the most important tasks in ISMS is the development and regular updating of security policies. ChatGPT can help to create initial drafts or revise existing documents. By entering specific requirements, the tool can provide suitable suggestions that can then be reviewed and adjusted by those responsible.
Risk analyses and assessments
Risk analysis is central to identifying and assessing potential threats. ChatGPT can support this by helping to identify potential risks and assess their impact. It can also assist in creating risk matrices or prioritizing actions by quickly summarizing relevant information.
Training materials and awareness raising
Employee training is another important aspect of an ISMS. ChatGPT can help create training materials or update existing content. It can also be used as an interactive tool to answer employee questions and thus deepen the understanding of information security.
Support with documentation and reporting
Documentation of security measures and regular reporting are essential for the continuous improvement of the ISMS. ChatGPT can support this by creating reports, summarizing data and presenting it in a structured manner. This saves time and ensures that all relevant information is taken into account.
Support in the implementation of the NIS2 Directive
With the introduction of the NIS2 Directive, many companies are faced with the challenge of adapting their information security measures accordingly. ChatGPT can act as an advisor by explaining specific requirements of the directive, suggesting implementation steps and supporting the adaptation of existing processes.
3. Benefits of using ChatGPT as an ISMS consultant
When dealing with information security, it quickly becomes clear that there is a lot to consider. This is where ChatGPT comes in and offers some pretty cool benefits that can make the consulting process a lot easier. Let's take a look at what ChatGPT can do.
Support in decision-making
Sometimes you're faced with a huge amount of information and don't know where to start. This is where ChatGPT can help. It can help you weigh up different security measures and filter out the best options. Imagine you have a list of possible risks - ChatGPT can help you set priorities and tackle the most important points first.
Complementing human expertise
Of course, ChatGPT cannot completely replace experienced ISMS consultants, but it can be a good support, supplement or even first aid in an emergency when no consultant is available. While a human consultant brings the strategic overview and in-depth experience, ChatGPT can carry out quick research, create documents or provide answers to specific questions. Consultants who use ChatGPT have more time to concentrate on the essentials and can therefore focus on the quality assurance of the documents created by ChatGPT.
Increase efficiency through rapid provision of information
Time is often a scarce commodity, especially when the demand for ISMS advice is increasing due to the NIS2 Directive. ChatGPT can work around the clock and respond to requests immediately. Do you need a security policy template or a risk analysis checklist quickly? No problem, ChatGPT has the information ready and can deliver it in a flash.
Cost reduction
External consultants are often expensive and if suddenly more than 30,000 companies need advice, the cost of the consultants still available on the market can quickly skyrocket. This is where ChatGPT comes in: it can take over many of the routine tasks that would otherwise cost a lot of time and money. This allows companies to take the necessary action without breaking the budget. Of course, there are areas where human expertise is essential, but for many standard tasks, ChatGPT is a cost-effective alternative.
Accessibility and availability
One of the biggest advantages of ChatGPT is its constant availability. Whether it's the middle of the night or the weekend, ChatGPT is always ready to help. This is especially convenient for companies with global locations or different working hours. Plus, ChatGPT can be used from anywhere as long as there's an internet connection, making it super flexible and easily accessible.
Consistency and standardization
Another plus point is ChatGPT's ability to provide consistent and standardized answers. This is important when it comes to creating uniform security policies and procedures. Different consultants may sometimes take different approaches, but ChatGPT ensures that the information and recommendations are always consistent. This contributes to the clarity and reliability of the ISMS documentation.
Scalability
When demand for ISMS consulting increases, as is the case with the NIS2 Directive, the consulting infrastructure must also be scalable. ChatGPT can easily keep up with increasing demand without the need for additional resources. This means that companies can react quickly and flexibly to changes without having to accept long waiting times or bottlenecks in consulting.
Personalization and adaptability
ChatGPT can be easily adapted to the specific needs of a company. Whether it is industry-specific requirements or special security standards, ChatGPT can be customized, for example by giving it your own reference material, to provide tailor-made solutions.
4. Implementation of ChatGPT as ISMS consultant
The idea of using ChatGPT as an ISMS consultant sounds exciting at first. But how do you actually put it into practice? Don't worry, it's not as complicated as it may seem at first glance. Here are a few steps and tips on how to integrate ChatGPT into your existing processes.
Integration of ChatGPT into existing consulting processes
Before ChatGPT can really get started, it must first fit into the team. This means that you should look at exactly where ChatGPT provides the best support. Perhaps there are certain tasks that come up again and again and take up a lot of time - such as creating reports or answering frequently asked questions. ChatGPT can be really helpful in these areas. A good start is to run ChatGPT in parallel to the existing processes. This way you can test where it is most effective and which areas still need to be optimized. It is important that ChatGPT does not suddenly take over all tasks, but is integrated step by step. This leaves enough room for adjustments and improvements.
Adaptation and fine-tuning of the consulting interface
For ChatGPT to be truly useful, it needs to be tailored to your company's needs. This means that you need to feed ChatGPT the right information. For example, you can add anonymized policies or frequently asked questions so that ChatGPT can access them.
Collaboration between ChatGPT and human advisors
Even though ChatGPT can take on many tasks, the human element remains indispensable. You will achieve the best results when ChatGPT and your consultants work hand in hand. While ChatGPT takes care of the routine tasks and provides quick answers, the consultants can concentrate on more complex topics.
A practical example: ChatGPT can create initial drafts of security policies or prepare a risk analysis. The human consultant then reviews these drafts, supplements them and adapts them to the company's specific requirements. This makes work more efficient without compromising on quality.
5. Dealing with hallucinations in ChatGPT
When using ChatGPT as an ISMS consultant, it is important to also deal with the so-called hallucinations. Don't worry, this sounds more complicated than it is. Let's take a look at what is behind it and how to deal with it.
What are hallucinations?
In the context of ChatGPT, we talk about hallucinations when the tool provides information that is incorrect or even made up. Imagine you ask about a specific security policy and ChatGPT gives you an answer that doesn't exist or is incorrect. This happens because the model generates its answers by predicting likely text rather than looking facts up, so it can produce statements that sound plausible but are simply wrong.
Examples of hallucinations
A concrete example could be if you ask ChatGPT for the latest NIS2 Directive requirements. Instead of accurately reflecting the current requirements, it could provide outdated or incorrect information. Another example would be if you ask for a risk analysis and ChatGPT presents you with a list of risks that have no relevance to your business at all.
Risks and impacts on the ISMS
These hallucinations can have serious consequences. Incorrect information could lead to important security measures being overlooked or unnecessary resources being put into unimportant areas. This can not only affect the efficiency of your ISMS, but can also lead to legal consequences if legal requirements are not implemented correctly.
Strategies to minimize and control hallucinations
Fortunately, there are some tricks you can use to improve the quality of ChatGPT's responses and minimize hallucinations:
Ask clear and precise questions
The more specific your question, the better the answer. Instead of asking about security policies in general, specify which aspects you are interested in. For example: "What technical measures does the NIS2 directive require for medium-sized companies?"
Verify answers
Don't blindly rely on the information provided by ChatGPT. Check the answers with official sources such as the latest NIS2 documents or trusted technical articles to make sure you are always up to date.
Provide context
Give ChatGPT enough context to help it better understand your specific needs. For example, if you work in the financial industry, mention that. This will help the tool provide more relevant and accurate information.
Give feedback
If you notice that an answer is not quite right, tell ChatGPT. For example: "That's not quite right, my source says otherwise." This way the model takes your correction into account for the rest of the conversation and gives better answers.
Use of templates and checklists
Use ready-made templates and checklists that you have from reliable sources. ChatGPT can help you fill these in or customize them, but the foundation should always be based on verified information.
Maintain human control
Although ChatGPT can do a lot of the work for you, it is best to have a human expert make the final decisions and review the documents created to ensure that everything is correct and complete.
6. The best prompt for a ConsultantGPT
In order to use ChatGPT optimally as an ISMS consultant, it is crucial to create your own GPT, train it and provide it with the right information and prompts. A well-trained GPT ensures that you receive precise and correct answers. Here I will show you how to do this best.
Preparation: Create the file “Index.txt”
Before you use ChatGPT as a consultant, you should create a special text file. In my example, this file is called “Index.txt” and contains all the numbers and headings of the chapters and sub-chapters of the standard that forms the basis of the ISMS. This file is important to ensure that ChatGPT refers to the specific requirement and the likelihood of hallucinations is massively reduced.
Needless to say, such a file can only be created and used if this is allowed and possible under the license!
The optimal prompt
When you have created and uploaded the file, you can use the following prompt. Simply copy the text and paste it into ChatGPT:
You are an expert in information security and support companies in setting up, expanding and maintaining an information security management system.
No matter what you are asked or what text you are provided with, ALWAYS read the file “Index.txt” first and COUNT the number of words it contains!
DO NOT HALLUCINATE!
Do not make up factual information!
ALWAYS use colloquial language when replying!
This prompt causes ChatGPT to first check the contents of your index file before responding. This makes the responses more accurate and relevant as the model focuses on the specific chapters of the standard.
Why this approach works
By creating the "Index.txt" file and using the specific prompt, you ensure that ChatGPT stays focused. It prevents the model from adding unnecessary or incorrect information and significantly increases the quality of the advice. This additional step is especially helpful when you need detailed and compliant answers.
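To put the verification step into practice, here is an added example in Python (my code, not from the article): it parses an Index.txt of the kind described above and flags any clause number an answer cites that is not in the index. The index lines and the answer are constructed sample data with invented headings, not the table of contents of a real standard.

```python
"""Cross-check clause references in a ChatGPT answer against Index.txt.

Added example: the article's Index.txt lists chapter numbers and headings of
the underlying standard; this script uses that same file to catch answers that
cite clauses which do not exist.  SAMPLE_INDEX and SAMPLE_ANSWER are
constructed sample data with invented headings.
"""
import re

# Constructed stand-in for Index.txt: one "<number> <heading>" per line.
SAMPLE_INDEX = """\
5 Management responsibility
5.1 Commitment of top management
5.2 Security policy
6 Planning
6.1 Risk handling
6.1.2 Risk assessment
6.1.3 Risk treatment
8 Operation
8.2 Periodic risk assessment
"""

# Constructed answer; 7.5.3 and 6.1.4 do not appear in the index above.
SAMPLE_ANSWER = (
    "Per clause 6.1.2 you must define risk criteria, and clause 8.2 requires "
    "assessments at planned intervals. Clause 7.5.3 covers control of "
    "documented information, while 6.1.4 asks for a risk owner register."
)

INDEX_LINE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s+(.+?)\s*$")
CLAUSE_REF = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_index(text: str) -> dict[str, str]:
    """Map clause number -> heading; blank or malformed lines are skipped."""
    index: dict[str, str] = {}
    for line in text.splitlines():
        m = INDEX_LINE.match(line)
        if m:
            index[m.group(1)] = m.group(2)
    return index


def find_clause_refs(answer: str) -> list[str]:
    """Dotted clause numbers in order of first appearance, without duplicates."""
    refs: list[str] = []
    for ref in CLAUSE_REF.findall(answer):
        if ref not in refs:
            refs.append(ref)
    return refs


def check_answer(answer: str, index: dict[str, str]) -> dict[str, list[str]]:
    """Split cited clauses into those backed by the index and those that are not."""
    refs = find_clause_refs(answer)
    return {
        "verified": [r for r in refs if r in index],
        "unverified": [r for r in refs if r not in index],
    }


if __name__ == "__main__":
    idx = parse_index(SAMPLE_INDEX)
    result = check_answer(SAMPLE_ANSWER, idx)
    for ref in result["verified"]:
        print(f"OK     {ref}  {idx[ref]}")
    for ref in result["unverified"]:
        print(f"CHECK  {ref}  not in Index.txt; verify against the standard itself")
```

Clauses flagged as unverified are exactly the ones to look up in the official text before they end up in an ISMS document.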
7. Effective prompting for optimal consulting results
If you want to use ChatGPT as an ISMS consultant, it really depends on how you ask your questions. Good prompting is the key to getting really helpful and precise answers. Here are a few tips and tricks to get the most out of ChatGPT.
Basics of prompting
First of all, prompting simply means how you speak to ChatGPT. The clearer and more specific you are, the better the answers. Remember that ChatGPT is only as good as the information you give it. If your question is too vague, the answer will be more general.
Example:
Less good: “Tell me about information security.”
Better: “What technical measures should a medium-sized company implement according to the NIS2 Directive to ensure information security?”
Best practices for precise and helpful input
Be specific and detailed. The more precisely you describe what you need, the better ChatGPT can help you. For example, if you want to do a risk analysis, give specific information about your company and the areas you want to cover.
Example:
Instead of: “Help me with a risk analysis.”
Better: “Can you provide me with a risk analysis for the IT infrastructure of a small financial company that uses cloud services?”
Use clear language
Avoid technical jargon or complicated wording unless necessary. Clear and simple language helps ChatGPT to better understand your request.
Example:
Instead of: “Which countermeasures are essential for risk minimization in an SME according to NIS2?”
Better: “What measures does the NIS2 Directive recommend to reduce risks in a small or medium-sized enterprise?”
Make structured inquiries
Sometimes it helps to formulate your questions in lists or clear paragraphs. This helps ChatGPT to better process the information and give you a structured answer.
Example:
“I need a security policy for the following areas:
1. access control
2. data encryption
3. emergency management
Can you suggest a short policy for each area?”
Provide context
Provide as much context as possible. If ChatGPT knows the background, it can respond in a more targeted and relevant manner.
Example:
“Our company is a small start-up in the e-commerce sector with around 50 employees. We mainly use cloud services such as AWS and have recently implemented the NIS2 policy. What specific security measures should we prioritise now?”
Examples of successful prompts in the ISMS context
Here are a few concrete examples of how you can use ChatGPT effectively:
Example 1: Creating policies
Prompt:
“I need a template for an IT security policy for a medium-sized company. The policy should include sections on access controls, password management and regular security checks.”
Expected answer:
ChatGPT provides a structured template with clear sections and practical tips for each area.
Example 2: Risk analysis
Prompt:
“Can you provide me with a simple risk analysis for the IT infrastructure of a small company that mainly uses email and online shopping?”
Expected answer:
ChatGPT provides an overview of possible risks such as phishing attacks, data loss due to hackers and offers suggestions for risk minimization.
Example 3: Training materials
Prompt:
“Create a short training guide to raise employee awareness of cybersecurity risks in a small office.”
Expected answer:
ChatGPT creates an easy-to-understand guide with key points and practical examples for employees to go through.
Example 4: Compliance
Prompt:
“What steps do we need to take to implement the NIS2 directive in our company?”
Expected answer:
ChatGPT lists the necessary steps, such as conducting an inventory, implementing specific security measures and regular audits.
8. Data protection and compliance when using ChatGPT
Data protection and compliance are not nice-to-haves, but essential components of every ISMS. With ChatGPT as a consultant, you have a tool at hand that can help you implement your information security measures efficiently. But that is precisely why it is important that you take the right precautions to ensure data integrity and confidentiality, comply with legal requirements and handle information sensitively.
Compliance with legal and regulatory requirements
Laws and regulations surrounding data protection and information security are constantly changing, so it's important to stay up to date and make sure you meet all requirements. Here are a few things to keep in mind:
Working in compliance with GDPR
The General Data Protection Regulation (GDPR) is the be-all and end-all in Europe when it comes to protecting personal data. Make sure that when using ChatGPT you do not process any personal data without the consent of the person concerned. Find out exactly which data you can share and which you cannot.
Industry-specific regulations
Depending on your industry, there are additional regulations that you must comply with. In the healthcare industry, for example, stricter rules apply than in retail. Find out about the specific requirements of your industry and adapt the use of ChatGPT accordingly.
Documentation and evidence
Record exactly how you use ChatGPT and what data protection measures you have taken. In the event of an inspection or audit, you can prove that you comply with all legal requirements.
Responsible handling of sensitive information
Responsible handling of sensitive information is crucial to gaining and maintaining the trust of your customers and partners. Here are a few approaches you can take:
Minimizing data sharing
Only share information that has been approved for disclosure and is absolutely necessary. Avoid company names and other information that could establish a direct connection. The less data you share, the lower the risk of sensitive information falling into the wrong hands.
Anonymization and pseudonymization
Wherever possible, you should anonymize or pseudonymize data. This allows you to use information without directly addressing individual people or confidential details.
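As an added example of the data minimization and pseudonymization steps above (my code, not the article's or OpenAI's): a small Python pre-processor that swaps e-mail addresses, IP addresses and a locally maintained list of company and person names for placeholders before a prompt is sent, and maps the placeholders back in the answer. All names, addresses and the sample prompt are constructed.

```python
"""Pseudonymize a prompt locally before it is sent to ChatGPT, then re-identify
the answer.

Added example, not code from the article: e-mail addresses, IPv4 addresses and
a locally maintained list of identifying terms (company and person names) are
replaced with stable placeholders; the mapping stays on the local side.  All
names, addresses and the prompt below are constructed sample values.
"""
import re

EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Pseudonymizer:
    """Reversible placeholders such as [ORG_1]: the same input always maps to
    the same placeholder within one instance, and the mapping never leaves it."""

    def __init__(self, known_terms: dict[str, str]):
        # known_terms maps an identifying term to its kind, e.g. "ORG" or "PERSON".
        # Longest terms first so "Example Bank AG" wins over "Example Bank".
        self.known_terms = sorted(known_terms.items(),
                                  key=lambda kv: len(kv[0]), reverse=True)
        self.forward: dict[str, str] = {}   # original -> placeholder
        self.reverse: dict[str, str] = {}   # placeholder -> original
        self.counters: dict[str, int] = {}

    def _placeholder(self, kind: str, original: str) -> str:
        if original not in self.forward:
            self.counters[kind] = self.counters.get(kind, 0) + 1
            token = f"[{kind}_{self.counters[kind]}]"
            self.forward[original] = token
            self.reverse[token] = original
        return self.forward[original]

    def pseudonymize(self, text: str) -> str:
        """Replace pattern-detected values first, then known terms (exact match)."""
        text = EMAIL.sub(lambda m: self._placeholder("EMAIL", m.group(0)), text)
        text = IPV4.sub(lambda m: self._placeholder("IP", m.group(0)), text)
        for term, kind in self.known_terms:
            if term in text:
                text = text.replace(term, self._placeholder(kind, term))
        return text

    def reidentify(self, text: str) -> str:
        """Restore the original values in an answer that uses the placeholders."""
        for token, original in self.reverse.items():
            text = text.replace(token, original)
        return text


# Constructed sample data.
KNOWN_TERMS = {"Example Bank AG": "ORG", "Anna Muster": "PERSON"}
SAMPLE_PROMPT = (
    "Example Bank AG runs its web shop on 10.20.30.40. Our ISO contact is "
    "Anna Muster (anna.muster@examplebank.test). Which NIS2 measures should "
    "Example Bank AG prioritise for the shop?"
)

if __name__ == "__main__":
    p = Pseudonymizer(KNOWN_TERMS)
    outgoing = p.pseudonymize(SAMPLE_PROMPT)
    print("sent to ChatGPT:", outgoing)
    # Constructed stand-in for the model's reply, which only sees placeholders.
    reply = "For [ORG_1], harden the host at [IP_1] and ask [PERSON_1] to enable MFA."
    print("re-identified   :", p.reidentify(reply))
```

The term list only catches what you put in it, so it complements rather than replaces the rule of sharing as little as possible.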
Training of employees
Your employees should know how to handle sensitive data and what rules apply. Regular training and awareness-raising measures help to raise awareness of data protection and information security.
Clear guidelines and processes
Create clear guidelines and processes for handling data. Define who is allowed to process which data and how the protection of this data is guaranteed. This way you ensure transparency and reliability in the handling of information.
9. Challenges and limitations of ChatGPT as a consultant
Although ChatGPT offers many advantages, there are of course also some pitfalls that should be kept in mind. No tool is perfect, and especially in the area of information security, there are a few points that cannot be ignored. Let's take a look at where the limits of ChatGPT lie and what challenges we might face.
Technological barriers
Understanding complex relationships
Information security is a complex field with many technical terms and deep connections. ChatGPT can access a lot of knowledge, but sometimes it lacks the deeper understanding that an experienced consultant brings. This can lead to the answers sounding correct but not always being implementable or optimal in practice.
Timeliness of information
The world of cybersecurity is constantly changing. New threats emerge and standards are adjusted. ChatGPT's knowledge ends at a fixed training cutoff, and it does not have real-time access to current developments. This means that it may not have the latest information on hot topics or the latest threats.
Organizational challenges
Integration into existing structures
Every company has its own processes and structures. ChatGPT must be seamlessly integrated into these in order to provide truly effective support. This can be a real challenge depending on the complexity of the existing systems and IT infrastructure.
Acceptance in the team
Not everyone on the team is immediately enthusiastic about integrating AI into the consulting process. Some employees prefer direct interaction with human consultants and may be skeptical about ChatGPT's suggestions. So it takes time and perhaps training to build trust in the tool.
Quality of advice
Lack of empathy and human sensitivity
A human consultant can respond to the mood and specific needs of a team. ChatGPT lacks this human element entirely. While it can provide information, it lacks the empathy and personal advice that are often crucial.
Error susceptibility
As already mentioned in the chapter on hallucinations, ChatGPT can sometimes provide incorrect or incomplete information. Without careful checking, such errors could lead to serious problems in the consultation process. It therefore always requires additional control by a human expert.
Legal and ethical aspects
Liability issues
Who is liable if ChatGPT provides incorrect advice and damage is caused as a result? This question has not yet been conclusively clarified and can be handled differently depending on the country and legislation. Companies must be aware of this and take appropriate precautions.
Privacy concerns
Even though we have already discussed data protection in the previous chapter, it remains an ongoing issue. Handling sensitive data requires the utmost care, and even with the best security measures, there is always a residual risk.
Limits of adaptability
Specific industry requirements
A company in the financial industry will have different information security needs than an e-commerce company. While ChatGPT can be customized, the depth and specificity that a human advisor can provide is often difficult to achieve.
Complex problem solving
Sometimes problems require creative and innovative solutions that go beyond what an AI model like ChatGPT can deliver. This is where human ingenuity and experience are indispensable.
As part of our Audit Coaching (https://www.auditmanufaktur.de/coaching), we help you to create and implement AI usage guidelines in your company. This includes the development of customised policies that promote the responsible use of artificial intelligence in your company. We can also assist you with quality assurance to ensure that the guidelines, work instructions and other documents that have already been created comply with the standards.