Annex A of the ISO/IEC 27001 standard provides a reference set of generic information security control objectives and controls. The title "Information security in supplier relationships" is explicitly listed as a control objective in section A.15.1 of ISO/IEC 27001:2013 and as a control in section A.5.19 of the updated ISO/IEC 27001:2022. The purpose of this control is to protect the organization's assets that are accessible by suppliers. The other options represent general security concepts or activities, but their phrasing does not match any specific control titles within Annex A of either the 2013 or 2022 versions of the standard.

B. While roles, responsibilities, and procedures are fundamental to an ISMS, "Responsibilities and procedures" is not a specific control title. The related control is A.6.1.1, "Information security roles and responsibilities" (2013).

C. The concept of protecting documents is covered by multiple controls, such as A.18.1.3 "Protection of records" (2013), but "Protection of documents" is not a verbatim control title.

D. "Change control" is a common term, but the specific control title in the most recent standard is A.8.32 "Change management" (2022). The phrasing is different and therefore incorrect.

1. International Organization for Standardization. (2013). ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. Annex A, Section A.15.1.

2. International Organization for Standardization. (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Annex A, Section A.5.19.

3. The University of Edinburgh. (2023). Information Security Policy. This policy framework is aligned with ISO/IEC 27001, with specific guidance on supplier management that directly maps to the principles of Annex A control A.15 (2013) / A.5.19, A.5.20, A.5.21 (2022). (Available on the University of Edinburgh's official website).