Get All ISO/IEC 27001 (2022) Foundation Exam Questions with Validated Answers
| Vendor: | APMG-International |
|---|---|
| Exam Code: | ISO-IEC-27001-Foundation |
| Exam Name: | ISO/IEC 27001 (2022) Foundation Exam |
| Exam Questions: | 50 |
| Last Updated: | January 6, 2026 |
| Related Certifications: | APMG-International ISO/IEC 27001 Certifications |
| Exam Tags: | Foundational level, IT Security Manager, Compliance Officers |
Looking for a hassle-free way to pass the APMG-International ISO/IEC 27001 (2022) Foundation Exam? DumpsProvider provides reliable questions and answers, designed by APMG-International certified experts to help you succeed in record time. Available in both PDF and Online Practice Test formats, our study materials cover every major exam topic, so it is possible to pass within as little as one day.
DumpsProvider is a leading provider of high-quality exam dumps, trusted by professionals worldwide. Our APMG-International ISO-IEC-27001-Foundation exam questions give you the knowledge and confidence needed to succeed on the first attempt.
Train with our APMG-International ISO-IEC-27001-Foundation exam practice tests, which simulate the actual exam environment. This real-test experience helps you get familiar with the format and timing of the exam, ensuring you're 100% prepared for exam day.
Your success is our commitment. That's why DumpsProvider offers a 100% money-back guarantee: if you don't pass the APMG-International ISO-IEC-27001-Foundation exam, we refund your payment within 24 hours, no questions asked.
Don’t waste time with unreliable exam prep resources. Get started with DumpsProvider’s APMG-International ISO-IEC-27001-Foundation exam dumps today and achieve your certification effortlessly!
Which of the following statements about the relationship between ISO/IEC 27001 and ISO/IEC 27002 is true?
ISO/IEC 27002 provides implementation advice on the controls selected during the ISO/IEC 27001 information security risk management process
ISO/IEC 27002 provides a process for information security risk management which implements the requirements of ISO/IEC 27001
Explanation (from ISO/IEC 27001:2022 and ISO/IEC 27002:2022):
ISO/IEC 27001 Annex A is a reference list of controls. ISO/IEC 27002 provides detailed implementation guidance for each of those controls, including its purpose, guidance and examples. Clause 6.1.3 of ISO/IEC 27001 makes the link explicit: the organization compares the controls it has determined with those in Annex A, and Annex A states that its controls are derived from and aligned with ISO/IEC 27002:2022, which explains how to implement them.
However, ISO/IEC 27002 does not provide a process for risk management; that is the subject of ISO/IEC 27005. The risk management requirements themselves are in ISO/IEC 27001 (Clauses 6.1.2, risk assessment, and 6.1.3, risk treatment).
Therefore, statement 1 is true and statement 2 is false. Correct answer: A.
Which action must top management take to provide evidence of its commitment to the establishment, operation and improvement of the ISMS?
Clause 5.1 (Leadership and Commitment) requires top management to demonstrate leadership by:
''ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;''
''ensuring the integration of the ISMS requirements into the organization's processes;''
''ensuring that the resources needed for the ISMS are available;''
Among the options, the one explicitly mandated is ensuring that information security objectives are established. Risk assessments (C) and implementing audit actions (D) are responsibilities of management but not the direct leadership evidence required in Clause 5.1. Communicating interested party feedback (A) is relevant but not specifically cited as leadership evidence. Thus, the verified answer is B.
Which action is a required response to an identified residual risk?
Clause 6.1.3 f) specifies:
''obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.''
This confirms that residual risks, those remaining after risk treatment, must be reviewed and formally accepted by the designated risk owner. Option A is incorrect; awareness training is not a default control for all residual risks. Option B misrepresents leadership responsibility: top management ensures that the risk processes exist (Clause 5.1), but it is the risk owner who formally accepts residual risk. Option D (avoiding the risk) is one of the risk treatment options, not the mandated response to a residual risk.
Thus, the required response is C: Review and acceptance by the risk owner.
What is a requirement for a corrective action made in response to a nonconformity?
Clause 10.2 (Nonconformity and corrective action; numbered 10.1 in the 2013 edition) specifies:
''The organization shall react to the nonconformity and, as applicable: take action to control and correct it; deal with the consequences; evaluate the need for action to eliminate the cause(s)... Corrective actions shall be appropriate to the effects of the nonconformities encountered.''
This confirms option B. Option A is inaccurate: the standard requires actions appropriate to the effects of the nonconformity, not to its probability alone. Option C is false: policies may themselves need updating to correct a nonconformity. Option D is incorrect, as the standard requires evaluating the need to eliminate the cause, not guaranteeing its elimination; not every cause can be removed, and residual issues may remain.
Thus, the verified requirement is B.
Which is a control title within Annex A of ISO/IEC 27001?
Explanation (from ISO/IEC 27002:2022):
In ISO/IEC 27002:2022, which provides the implementation guidance for the Annex A controls of ISO/IEC 27001:2022, control 5.19 is titled ''Information security in supplier relationships.''
This control requires organizations to define and implement processes for managing the information security risks associated with the use of suppliers' products or services, including addressing security in supplier agreements. It belongs to the Organizational controls theme (Annex A clause 5). The other options are not control titles in Annex A of the 2022 edition:
''Responsibilities and procedures'' (B) was a control title in earlier editions (ISO/IEC 27001:2013, A.16.1.1) but was restructured in 2022 into 5.24 ''Information security incident management planning and preparation'' and no longer exists under that name.
''Protection of documents'' (C) is not an Annex A control; the related 2022 control is 5.33 ''Protection of records'', and document control itself is a requirement of Clause 7.5 (Documented information), not an Annex A control.
''Change control'' (D) is ITIL/ITSM terminology; the corresponding Annex A control in the 2022 edition is titled 8.32 ''Change management''.
Therefore, the correct Annex A control title is A: Information security in supplier relationships.