CertiProf Updated I27001F Exam Questions and Answers by montgomery

In ISO/IEC 27001:2022, the Statement of Applicability is a required documented output of the information security risk treatment process. It must contain the necessary controls, including whether they are implemented, and the justification for their inclusion. It must also include justification for excluding controls from Annex A when they are not applicable. Therefore, all three elements listed in options A, B, and C are part of a proper Statement of Applicability, making option D the correct answer.

=======

ISO/IEC 27001:2022 requires the organization to establish and maintain information security risk criteria, identify information security risks, and identify risk owners as part of the risk assessment process. These activities are core elements of clause 6 on planning and risk assessment. Since all of the listed options are required parts of the process, the correct answer is D.

ISO/IEC 27001:2022 requires the organization to determine what needs to be monitored and measured, including information security processes and controls, the methods for monitoring, measurement, analysis, and evaluation, when these activities will be performed, and when the results will be analyzed and evaluated. The standard does not mandate a specific tool, consultant, or designated individual for compliance. Therefore, option C is the correct answer.

=======

ISO/IEC 27001:2022 requires the information security policy to be appropriate to the purpose of the organization, include information security objectives or provide a framework for setting them, include a commitment to satisfy applicable requirements, and include a commitment to continual improvement of the ISMS. The other options are not mandatory contents of the policy. Therefore, option D is correct.

=======