Annex A of the ISO/IEC 27001 standard provides a reference set of generic information security control objectives and controls. The title "Information security in supplier relationships" is explicitly listed as a control objective in section A.15.1 of ISO/IEC 27001:2013 and as a control in section A.5.19 of the updated ISO/IEC 27001:2022. The purpose of this control is to protect the organization's assets that are accessible by suppliers. The other options represent general security concepts or activities, but their phrasing does not match any specific control titles within Annex A of either the 2013 or 2022 versions of the standard.

B. While roles, responsibilities, and procedures are fundamental to an ISMS, "Responsibilities and procedures" is not a specific control title. The related control is A.6.1.1, "Information security roles and responsibilities" (2013).

C. The concept of protecting documents is covered by multiple controls, such as A.18.1.3 "Protection of records" (2013), but "Protection of documents" is not a verbatim control title.

D. "Change control" is a common term, but the specific control title in the most recent standard is A.8.32 "Change management" (2022). The phrasing is different and therefore incorrect.

1. International Organization for Standardization. (2013). ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. Annex A, Section A.15.1.

2. International Organization for Standardization. (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Annex A, Section A.5.19.

3. The University of Edinburgh. (2023). Information Security Policy. This policy framework is aligned with ISO/IEC 27001, with specific guidance on supplier management that directly maps to the principles of Annex A control A.15 (2013) / A.5.19, A.5.20, A.5.21 (2022). (Available on the University of Edinburgh's official website).

ISO/IEC 27001:2022, Clause 9.2.2, mandates that an organization's internal audit programme must be planned, established, and maintained. A key input for this planning is "the importance of the processes concerned." This risk-based approach ensures that audit efforts and resources are prioritized and focused on the processes most critical to the organization's information security objectives. Audits for high-importance processes may be more frequent or in-depth compared to those for less critical processes, thereby making the audit programme more effective and efficient.

A. The standard requires auditors to be objective and impartial, but does not mandate the use of third parties for internal audits.

B. This is directly contrary to the standard, which requires that the "results of previous audits" MUST be considered when planning the programme.

D. The standard does not prescribe a fixed audit cycle. Audit frequency must be determined based on process importance and risk, not a generic timeframe.

1. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Clause 9.2.2 states: "The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits."

2. Calder, A., & Watkins, S. (2020). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page.

Chapter 12, Section 'The Audit Programme', explains that the audit programme should be risk-based, meaning that the frequency and intensity of audits should reflect the business importance and risk level of the processes being audited.

3. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.

Chapter 15, Section '9.2 Internal Audit', clarifies that the audit programme needs to be dynamic, taking into account process importance and past performance (audit results) to determine what to audit and when.

The sentence is a direct reference to the requirements outlined in Clause 4.2 of the ISO/IEC 27001 standard. This clause, titled "Understanding the needs and expectations of interested parties," mandates that an organization must first identify relevant interested parties and then determine their specific information security requirements. These requirements are then considered when establishing the scope and controls of the Information Security Management System (ISMS).

B. number: The standard requires identifying which parties are relevant, not simply counting them. The focus is on the substance of their needs, not the quantity of stakeholders.

C. structure: The internal organizational structure of interested parties is outside the scope of this requirement. The ISMS is concerned with their needs, not their internal hierarchy.

D. influence: While the influence of an interested party might help determine its relevance, the standard explicitly requires the determination of their requirements, not a formal assessment of their influence.

1. International Organization for Standardization (ISO). (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Section 4.2, "Understanding the needs and expectations of interested parties," states: "The organization shall determine: a) the interested parties that are relevant to the information security management system; and b) the relevant requirements of these interested parties."

2. von Solms, R., & von Solms, B. (2018). "Information Security Governance." In Cybersecurity and Privacy in Cyber Physical Systems. CRC Press. This academic text, when discussing the foundational clauses of ISO 27001, explains that Clause 4.2 is a critical input for the ISMS, requiring the organization to understand stakeholder requirements to define the system's scope and objectives.

3. The University of Alabama in Huntsville. (n.d.). Courseware for IS 660: Information Security Management. In modules covering ISO 27001 implementation, the curriculum details Clause 4.2, emphasizing the process of identifying stakeholders (interested parties) and documenting their specific information security requirements as a foundational step.

According to ISO/IEC 27000:2018, "risk analysis" is explicitly defined as the "process to comprehend the nature of risk and to determine the level of risk." This process involves a systematic use of information to identify sources and to estimate the risk. It provides the input for risk evaluation and decisions on whether risk treatment is needed. The key activities are understanding the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur, which collectively determine the level of risk.

A. Evaluation: This is the process of comparing the results of risk analysis against established risk criteria to determine the significance of the risk.

C. Assessment: This is a broader, overall process that encompasses risk identification, risk analysis, and risk evaluation. The definition provided is for a specific component, not the whole.

D. Management: This refers to the complete set of coordinated activities to direct and control an organization with regard to risk, a much wider framework.

1. ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary.

Clause 3.63: Defines risk analysis as the "process to comprehend the nature of risk and to determine the level of risk."

Clause 3.65: Defines risk evaluation as the "process of comparing the results of risk analysis with risk criteria..."

Clause 3.62: Defines risk assessment as the "overall process of risk identification, risk analysis and risk evaluation."

Clause 3.61: Defines risk management as "coordinated activities to direct and control an organization with regard to risk."

2. Von Solms, R., & Von Solms, B. (2018). Cybersecurity and Information Security: What Everyone Needs to Know. In Information Security. Jones & Bartlett Learning. (Citing ISO/IEC 27000 series definitions).

This academic text, often used in university curricula, reinforces the ISO definitions, explaining that risk analysis is the specific step focused on understanding and determining the level of risk, distinct from the broader concepts of assessment and management.

3. Aalto University, School of Science. (2021). ELEC-E7130 - Information Security Management, Lecture 4: Risk Management.

Course materials directly reference and explain the definitions from the ISO/IEC 27000 family of standards, clarifying that risk analysis is the component for comprehending and determining the risk level, which fits the question's definition precisely.

According to ISO/IEC 27001:2022, Clause 5.2 "Policy," top management must establish an information security policy that includes specific elements. Among these, sub-clause 5.2 c) explicitly requires the policy to include "a commitment to satisfy applicable requirements related to information security." These requirements can stem from legal, statutory, regulatory, or contractual obligations, as well as from the needs and expectations of interested parties. This commitment is a foundational element of the Information Security Management System (ISMS), demonstrating management's intent and direction.

B. The policy requires a commitment to continual improvement (Clause 5.2 d), not the detailed plan itself.

C. This is not a mandated component of the policy document as specified in Clause 5.2 of the standard.

D. The Statement of Applicability (SoA) is a separate, mandatory document required by Clause 6.1.3 d), not a part of the information security policy.

1. ISO/IEC 27001:2022, "Information security, cybersecurity and privacy protection — Information security management systems — Requirements":

Clause 5.2 Policy: This clause outlines the mandatory contents of the information security policy. Specifically, Clause 5.2 c) states the policy shall "include a commitment to satisfy applicable requirements related to information security".

Clause 6.1.3 d) defines the Statement of Applicability as a separate output of the risk treatment process.

2. Calder, A., & Watkins, S. (2019). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page Publishers.

Chapter 11, Section: '5.2 Policy': This section explains that the information security policy must contain "a commitment to satisfy applicable requirements related to information security." It reinforces that the SoA is a different artifact.

3. University of Fairfax. (n.d.). Course IAT 631: Information Security Management. Course Syllabus.

The curriculum covering ISO/IEC 27001 implementation details the requirements of Clause 5.2, emphasizing that the policy must document top management's commitment to satisfying all relevant information security requirements as a core principle of the ISMS.

The implementation of an Information Security Management System (ISMS) according to ISO/IEC 27001 is designed to provide significant organizational benefits. These include assessing and treating risks (D), tailoring controls to the organization's specific context (C), and increasing stakeholder confidence through demonstrable compliance (A).

However, an ISMS does not inherently guarantee or require that staff will achieve a specific qualification, such as the "ISO/IEC 27001 Foundation level." While the standard (Clause 7.2) mandates that personnel must be competent based on appropriate education, training, or experience, it does not prescribe any particular certification. Obtaining such a certification is a means to achieve competence, not a direct benefit or outcome of the ISMS implementation itself.

A. Information security compliance will increase stakeholder trust in the organization

This is a primary benefit. Achieving compliance or certification provides objective evidence to customers, partners, and regulators that the organization manages information security effectively, thereby building trust.

C. Information security controls are tailored to suit the organization's specific circumstances

This is a core strength of ISO/IEC 27001. The standard mandates a risk assessment to determine necessary controls, ensuring they are relevant and proportional, not a one-size-fits-all application.

D. Information security risks are assessed and the probability and/or impact reduced

This is the fundamental purpose of an ISMS. The entire framework is built around a continual process of identifying, assessing, and treating information security risks to reduce them to an acceptable level.

---

1. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Clause 0.1 (Introduction): States that an ISMS "gives confidence to interested parties that risks are adequately managed." This supports the validity of option A.

Clause 6.1.2 (Information security risk assessment) & 6.1.3 (Information security risk treatment): These clauses define the risk-based approach, which is the mechanism for achieving the benefits described in options C and D. The process ensures controls are selected based on identified risks, thus tailoring them and reducing risk impact/probability.

Clause 7.2 (Competence): This clause requires the organization to "determine the necessary competence" and ensure persons are competent through "education, training, or experience." It does not mandate any specific external certification, making option B an incorrect statement of a direct ISMS benefit.

2. Calder, A., & Watkins, S. G. (2019). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page Publishers.

Chapter 11, "The benefits of ISMS certification": This chapter details key benefits, including "demonstrating credibility and trust" (supporting option A) and "managing and minimizing risk exposure" (supporting option D). It emphasizes that the standard provides a framework for managing security, not a list of required staff certifications.

3. von Solms, B., & von Solms, R. (2018). Cybersecurity and information security – what’s the difference? The VIRTE-Journal, 1(1), 1-5.

This academic paper discusses how standards like ISO/IEC 27001 provide a structured, risk-based approach to managing information security. It reinforces that the primary benefit is systematic risk management (supporting option D) and tailored security posture (supporting option C), leading to increased assurance for stakeholders (supporting option A).

ISO/IEC 27013 is an international standard that provides specific guidance on the integrated implementation of an Information Security Management System (ISMS) according to ISO/IEC 27001 and an IT Service Management System (ITSMS) according to ISO/IEC 20000-1. It addresses the challenges of combining these two management systems, offering a framework for aligning policies, processes, and objectives. The standard helps organizations to reduce duplication of effort, streamline documentation, and conduct more efficient, integrated audits. It is the only standard listed that is explicitly designed to guide the implementation of an integrated management system involving ISO/IEC 27001.

A. ISO/IEC 27003: This standard provides implementation guidance for ISO/IEC 27001 alone; it does not cover integration with other management system standards.

C. ISO 9001: This is a requirements standard for a Quality Management System (QMS). While it can be integrated with ISO/IEC 27001, it does not provide the guidance on how to perform the integration.

D. None of the above: This is incorrect because ISO/IEC 27013 is the correct standard that provides guidance for integrated implementation with ISO/IEC 27001.

1. International Organization for Standardization (ISO). (2021). ISO/IEC 27013:2021 Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1. Geneva, Switzerland: ISO.

Scope (Section 1): "This document provides guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 for organizations that are intending to either: a) implement ISO/IEC 27001 when ISO/IEC 20000-1 is already implemented, or vice versa; b) implement both ISO/IEC 27001 and ISO/IEC 20000-1 together; or c) integrate existing management systems based on ISO/IEC 27001 and ISO/IEC 20000-1."

2. International Organization for Standardization (ISO). (2017). ISO/IEC 27003:2017 Information technology — Security techniques — Information security management systems — Guidance. Geneva, Switzerland: ISO.

Scope (Section 1): This document is described as providing "explanation and guidance on ISO/IEC 27001:2013," confirming its focus is solely on the ISMS standard itself.

3. Graňa, M., & Grolmus, M. (2014). Integration of Management Systems according to ISO 9001, ISO/IEC 27001 and ISO/IEC 20000-1. Procedia Engineering, 96, 588-596.

Section 3, Paragraph 2: The paper explicitly mentions that "The standard ISO/IEC 27013 provides guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1." This peer-reviewed source confirms the specific purpose of ISO/IEC 27013.

DOI: https://doi.org/10.1016/j.proeng.2014.12.200

The ISO/IEC 27001 risk management process requires that after a risk treatment plan is implemented, the remaining risk, known as residual risk, must be formally addressed. The standard mandates that risk owners review these residual risks against the organization's established risk acceptance criteria. If the level of residual risk is within these criteria, the risk owner must formally accept it. This act of acceptance is a required step, ensuring accountability and that the organization knowingly and willingly accepts the level of risk that remains after controls have been applied.

A. Awareness and training is one of many possible controls, not a default or required response for every residual risk.

B. Delegation of risk treatment to risk owners happens earlier in the process, not as a response to the identified residual risk.

D. Risk avoidance is a risk treatment option applied to the initial risk, not a mandatory action for the remaining residual risk.

1. ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Clause 6.1.3 c): This clause outlines the requirements for information security risk treatment, which culminates in determining the residual information security risk.

Clause 8.3: This clause requires the organization to implement the risk treatment plan and retain documented information. The note to this clause clarifies that the results of the risk treatment (which includes the accepted residual risk) should be approved by the risk owners. The 2013 version was more explicit in clause 6.1.3 e), stating the need to "obtain risk owners’ approval of the risk treatment plan and acceptance of the residual information security risks." The principle remains unchanged in the 2022 version.

2. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.

Chapter 6, Section 6.4, "Accepting Residual Risks": This section details the process, stating, "The final step in the risk treatment process is to have the risk owners formally accept the residual risks... This is a key step in the process as it ensures that management is aware of the risks that the organization is carrying and has formally accepted them." (p. 93). This text is frequently used in university-level cybersecurity management courses.

3. Von Solms, R., & Von Solms, B. (2018). "Cyber Security and Information Security–What’s the Difference?". In The Cyber Security Body of Knowledge (pp. 13-24). Springer, Cham.

This publication, often used in academic settings, discusses the risk management lifecycle inherent in ISO 27001. It explains that after treatment, residual risk must be formally accepted by management (the risk owners) as being within the organization's risk appetite, which is a fundamental governance activity. (DOI: https://doi.org/10.1007/978-3-319-95538-12)

Statement 2 is correct. An internal audit is conducted by the organization itself to review its own Information Security Management System (ISMS) for conformity and is therefore classified as a first-party (1st party) audit. A certification audit is conducted by an independent, accredited certification body to assess conformity with the ISO/IEC 27001 standard, making it a third-party (3rd party) audit.

Statement 1 is incorrect because the certification process involves a three-year cycle. It begins with an initial certification audit, followed by annual surveillance audits, and concludes with a re-certification audit before the certificate expires. Describing the "certification audit" as an annual event is an inaccurate simplification of this cycle.

A. Only 1 is true: This is incorrect. Statement 1 is factually inaccurate regarding the frequency and terminology of certification audits, which operate on a three-year cycle, not a single annual event.

C. Both 1 and 2 are true: This is incorrect because Statement 1 is inaccurate. While Statement 2 is true, the combination is false.

D. Neither 1 or 2 is true: This is incorrect because Statement 2 provides a standard, correct definition of internal (1st party) and certification (3rd party) audits.

1. ISO/IEC 19011:2018, Guidelines for auditing management systems.

Section 3.1, Note 3 to entry: This standard explicitly defines the types of audits. It states, "Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself... Third-party audits are conducted by independent auditing organizations, such as those providing certification/registration of conformity to the requirements of ISO 9001 or ISO 14001." (This principle applies directly to ISO 27001 certification audits).

2. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Clause 9.2.1 General: This clause mandates that "The organization shall conduct internal audits at planned intervals..." This supports the first part of Statement 1 but does not specify the frequency of external audits.

3. Calder, A., & Watkins, S. G. (2019). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page Publishers.

Chapter 14, "Certification and continual improvement," p. 188: This chapter details the certification process, explaining, "Certification is for a fixed period, usually three years, at the end of which you will need to apply for recertification... In the intervening years, your certification body will carry out periodic surveillance audits to ensure that you are continuing to maintain the ISMS." This confirms that the certification audit is not a single annual event.

According to ISO/IEC 27001, Clause 6.2, information security objectives must be established at relevant functions and levels. A key requirement is that these objectives "shall be consistent with the information security policy." This ensures that the specific, measurable goals set by the organization directly support and align with the overall intentions and direction regarding information security, as formally expressed by top management in the policy. The policy provides the high-level framework, and the objectives provide the concrete targets to be achieved within that framework.

B. They shall all be measurable

The standard states objectives shall be measurable "if practicable," acknowledging that some qualitative objectives may be valid even if not easily quantifiable.

C. They shall be contractually transferred to third parties

While security requirements for suppliers are addressed, the standard does not mandate that an organization's internal security objectives be contractually transferred to third parties.

D. They shall be reviewed at least annually

The standard requires objectives to be monitored and updated "as appropriate," but does not prescribe a specific "at least annually" review frequency within Clause 6.2.

1. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Section 6.2, "Information security objectives and planning to achieve them": This clause explicitly states that "The information security objectives shall: a) be consistent with the information security policy; b) be measurable (if practicable); ... e) be communicated; and f) be updated as appropriate." This directly supports answer A and refutes B and D.

2. Calder, A., & Watkins, S. (2019). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page Publishers.

Chapter 11, "Clause 6: Planning": This chapter explains that the information security policy (Clause 5.2) sets the overall direction, and the objectives (Clause 6.2) must be established in line with that policy to provide clear goals for the ISMS.

3. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.

Page 51, "6.2 Information security objectives and planning to achieve them": The text clarifies the linkage: "The objectives must be consistent with the policy... The policy sets out what you want to achieve in broad terms; the objectives are the specific things you need to do to get there." This reinforces the correctness of option A.