PECB Lead Auditor (ISO/IEC 27001) — Question 31
You are an experienced audit team leader conducting a third-party surveillance audit of an organization that designs websites for its clients. You are currently reviewing the organization’s Statement of Applicability.
Based on the requirements of ISO/IEC 27001, which two of the following observations about the Statement of Applicability are true? (Choose two.)
Answer options
- A. The Statement of Applicability must be reviewed at Management Review
- B. The Statement of Applicability must be reviewed at least annually
- C. Justification is only required for any controls that the organization chooses to exclude
- D. The Statement of Applicability is owned and amended by the organization’s top management
- E. A Statement of Applicability must be produced by organizations seeking ISO/IEC 27001 conformity
- F. Justification for both the inclusion and exclusion of Annex A controls in the Statement of Applicability is required
Correct answer: A, E
Explanation
The correct answers are A and E. According to ISO/IEC 27001, the Statement of Applicability must be reviewed at Management Review (A), and organizations seeking conformity are required to produce one (E). The other options are incorrect because each misstates the review frequency, the justification requirements, or the ownership of the document.