Which two of the following statements are true?
A . The benefits of implementing an ISMS primarily result from a reduction in information security risks
B . The benefit of certifying an ISMS is to obtain contracts from governmental institutions
C . The purpose of an ISMS is to apply a risk management process for preserving information security
D . The purpose of an ISMS is to demonstrate compliance with regulatory requirements
Answer: AC
Explanation:
The benefits of implementing an ISMS are not limited to a reduction in information security risks, but also include improved business performance, customer satisfaction, legal compliance, and stakeholder confidence. The benefit of certifying an ISMS is not only to obtain contracts from governmental institutions, but also to demonstrate the organisation’s commitment to information security to other potential customers, partners, and regulators. The purpose of an ISMS is to apply a risk management process for preserving information security, which means identifying, analysing, evaluating, treating, monitoring, and reviewing the information security risks that the organisation faces. The purpose of an ISMS is not to demonstrate compliance with regulatory requirements, but rather to ensure that the organisation meets its own information security objectives and obligations.
Reference: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
ISO/IEC 27001:2013 Information technology ― Security techniques ― Information security management systems ― Requirements [Section 0.1] and [Section 1]