PECB Updated ISO-IEC-27001-Lead-Implementer Exam Questions and Answers by santiago

According to ISO/IEC 27001:2022, clause 7.5.1, the organization shall ensure that the documented information required by the ISMS and by this document is controlled to ensure that it is available and suitable for use, where and when it is needed, and that it is adequately protected. This includes ensuring that the documented information is reviewed and approved for suitability and adequacy. The information security procedures are part of the documented information that supports the operation of the ISMS processes and the implementation of the information security controls. Therefore, they should be drafted, reviewed, and validated by the information security committee, which is the group of people responsible for overseeing the ISMS and ensuring its alignment with the organization’s objectives and strategy. The information security committee should include representatives from different functions and levels of the organization, as well as external experts if needed. The information security committee should also ensure that the information security procedures are communicated to the relevant employees and other interested parties, and that they are periodically reviewed and updated as necessary.

ISO/IEC 27001:2022 clause 6.1.3 (Information Security Risk Treatment) explicitly states:

"Organizations can design controls as required or identify them from any source."

Annex A provides a reference list, but it is not exhaustive. Organizations are encouraged to adopt additional controls if they are needed based on the results of risk assessment or contextual relevance. This supports flexibility and context-based tailoring of the ISMS.