PECB Lead Implementer (ISO/IEC 27001) — Question 23
An organization documented each security control it implemented by describing its function in detail. Is this compliant with ISO/IEC 27001?
Answer options
- A. No, the standard requires documenting only the operation of processes and controls, so no description of each security control is needed
- B. No, because the documented information should have a strict format, including the date, version number and author identification
- C. Yes, but documenting each security control and not the process in general will make it difficult to review the documented information
Correct answer: C
Explanation
The correct answer is C because ISO/IEC 27001 does allow detailed documentation of security controls, but overly specific documentation can hinder efficient reviews. Option A misinterprets the standard's requirements on the level of documentation detail, and option B misinterprets its requirements on documentation format.