Which level of maturity does this control refer to?

An organization has adopted a new authentication method to ensure secure access to sensitive areas and facilities of the company. It requires every employee to use a two-factor authentication (password and QR code). This control has been documented, standardized, and communicated to all employees, however its use has been "left to individual initiative, and it is likely that failures can be detected.

Which level of maturity does this control refer to?
A . Optimized
B . Defined
C . Quantitatively managed

Answer: B

Explanation:

According to the ISO/IEC 27001:2022 Lead Implementer objectives and content, the maturity levels of information security controls are based on the ISO/IEC 15504 standard, which defines five levels of process capability: incomplete, performed, managed, established, and optimized1. Each level has a set of attributes that describe the characteristics of the process at that level. The level of defined corresponds to the attribute of process performance, which means that the process achieves its expected outcomes2. In this case, the control of two-factor authentication has been documented, standardized, and communicated, which implies that it has a clear purpose and expected outcomes. However, the control is not consistently implemented, monitored, or measured, which means that it does not meet the attributes of the higher levels of managed, established, or optimized. Therefore, the control is at the level of defined, which is the second level of maturity.

Reference: 1: ISO/IEC 27001:2022 Lead Implementer Course Brochure, page 5

2: ISO/IEC 27001:2022 Lead Implementer Course Presentation, slide 25