PECB Lead Implementer (ISO/IEC 27001) — Question 19
Socket Inc. has implemented a control for the effective use of cryptography and cryptographic key management. Is this compliant with ISO/IEC 27001? Refer to scenario 3.
Answer options
- A. No, the control should be implemented only for defining rules for cryptographic key management
- B. Yes, the control for the effective use of cryptography can include cryptographic key management
- C. No, because the standard provides a separate control for cryptographic key management
Correct answer: B
Explanation
The correct answer is B because ISO/IEC 27001 allows for controls that involve both cryptography and cryptographic key management as part of an effective security strategy. Option A is incorrect as it limits the scope of controls unnecessarily, while option C is misleading since the standard does not require separate controls for these aspects.