BLACK KITE’S GUIDELINES FOR WRITING LLM- COMPATIBLE CYBERSECURITY CONTROLS

1. Use Clear, Deterministic Control Statements over Open-Ended or Vague Questions. Avoid vague or open-ended questions as much as possible. Controls should state an expected cybersecurity practice or ask for a specific condition.
"How is your network secured?"
"The organization uses a firewall to restrict unauthorized access to internal networks."
"Explain your approach to endpoint security."
"All endpoints are protected with EDR (Endpoint Detection and Response) solutions."

2. Avoid Conditional or Branching Logic. LLMs do not support logic trees like "If yes, go to control X." Break them into separate controls instead.
"If using a third-party email service, go to Control 5; else, go to Control 6."
"Does the organization use a third-party email provider?"
"The third-party email provider enforces SPF, DKIM, and DMARC for domain protection."
"Do you use cloud services? If yes, are those services configured securely?"
"Does the organization utilize cloud service providers for data storage or processing?"
"Cloud environments are configured to restrict public access, enforce encryption at rest and in transit"

3. Split Compound Controls into Atomic Units. Each control should measure one specific requirement.
"Is multi-factor authentication enabled for privileged accounts and is remote access monitored?"
"Multi-factor authentication is enabled for all privileged accounts."
"Remote access is monitored and logged in real time."

4. Use a Consistent Control Format. Each control should include:
Control ID (e.g., CF-07.2)
Control Category → Area, Category, Domain information to which the control belongs
Control Description → Deterministic statement or yes/no question is preferred (unless you require further information from vendors)