Which security controls must be implemented to comply with ISO/IEC 27001?

A. Those designed by the organization only
B. Those included in the risk treatment plan
C. Those listed in Annex A of ISO/IEC 27001, without any exception

Answer: B

Explanation:

ISO/IEC 27001:2022 does not prescribe a specific set of security controls that must be implemented by all organizations. Instead, it allows organizations to select and implement the controls that are appropriate for their context, based on the results of a risk assessment and a risk treatment plan. The risk treatment plan is a document that specifies the actions to be taken to address the identified risks, including the selection of controls from Annex A or other sources, the allocation of responsibilities, the expected outcomes, the priorities and the resources. Therefore, the security controls that must be implemented to comply with ISO/IEC 27001 are those that are included in the risk treatment plan, which may vary from one organization to another.

References: ISO/IEC 27001:2022, clause 6.1.3; PECB ISO/IEC 27001 Lead Implementer Course, Module 5, slide 18
