Who should be involved, among others, in the draft, review, and validation of information security procedures?

A. An external expert
B. The information security committee
C. The employees in charge of ISMS operation

Answer: B

Explanation:

According to ISO/IEC 27001:2022, clause 7.5.1, the organization shall ensure that the documented information required by the ISMS and by the standard is controlled so that it is available and suitable for use, where and when it is needed, and that it is adequately protected. This includes ensuring that the documented information is reviewed and approved for suitability and adequacy. Information security procedures are part of the documented information that supports the operation of the ISMS processes and the implementation of the information security controls. They should therefore be drafted, reviewed, and validated by the information security committee, the group responsible for overseeing the ISMS and ensuring its alignment with the organization's objectives and strategy. The information security committee should include representatives from different functions and levels of the organization, as well as external experts if needed. The committee should also ensure that the information security procedures are communicated to the relevant employees and other interested parties, and that they are periodically reviewed and updated as necessary.

Reference: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection ― Information security management systems ― Requirements, clauses 5.3, 7.5.1, and 9.3

ISO/IEC 27001:2022 Lead Implementer objectives and content, 4 and 5
