I27001F Certified ISO/IEC 27001:2022 Foundation Questions and Answers

ISO/IEC 27001:2022 requires the information security policy to be available as documented information, communicated within the organization, and available to interested parties as appropriate. In practical terms, this means the policy must be communicated to relevant persons in the organization so they understand the direction and expectations related to information security. Among the options provided, the best and correct answer is D, because the policy is intended to be known broadly across the organization, not restricted to a single role or department.

Under ISO/IEC 27001:2022, the information security policy must be appropriate to the purpose of the organization, include information security objectives or provide the framework for setting them, and include a commitment to satisfy applicable requirements and to continual improvement of the ISMS. The standard does not require technical product names, company history, or prior audit results to appear in the policy. Therefore, option C is the best and correct answer.

=======

The Statement of Applicability is a documented result of the risk treatment process. It must include the necessary controls and justification for their inclusion, whether the controls are implemented, and justification for excluding controls from Annex A when they are not applicable. It does not need to be a list of risks, proof of management authorization, or the policy itself. Therefore, option C is correct.

=======

ISO/IEC 27001:2022 requires documented information to be controlled so that it is adequately protected. The standard specifically refers to protection from issues such as loss of confidentiality, improper use, and loss of integrity. It also requires documented information to be available and suitable for use where and when needed. The standard does not require a consultancy, specific tools, or a single designated expert to meet this requirement. Therefore, option D is correct.

Clause 4.4 of ISO/IEC 27001:2022 requires the organization to establish, implement, maintain, and continually improve an information security management system. This is one of the core statements of the standard and defines the lifecycle expectation for the ISMS. Therefore, the missing word is implement, making option A correct.

=======

ISO/IEC 27001:2022 requires top management to demonstrate leadership and commitment with respect to the ISMS. This includes ensuring that the information security policy and objectives are established, ensuring that the resources needed for the ISMS are available, and promoting continual improvement. Top management is also responsible for supporting relevant roles and ensuring that the ISMS achieves its intended outcomes. Since all of the listed activities align with top management responsibilities, option D is correct.

=======

ISO/IEC 27001:2022 requires the organization to determine what needs to be monitored and measured, including information security processes and controls, the methods for monitoring, measurement, analysis, and evaluation, when these activities will be performed, and when the results will be analyzed and evaluated. The standard does not mandate a specific tool, consultant, or designated individual for compliance. Therefore, option C is the correct answer.

=======