PECB Lead Implementer (ISO/IEC 27001) — Question 24
Which security controls must be implemented to comply with ISO/IEC 27001?
Answer options
- A. Those designed by the organization only
- B. Those included in the risk treatment plan
- C. Those listed in Annex A of ISO/IEC 27001, without any exception
Correct answer: B
Explanation
The correct answer is B. ISO/IEC 27001 (clause 6.1.3) requires the organization to determine the controls necessary to treat the risks identified in its risk assessment, and the risk treatment plan records which of those controls will be implemented, by whom and when. Implementing the controls in the risk treatment plan is therefore what the standard requires; the plan is tailored to the organization's own risk assessment rather than to a fixed list. Option A is incorrect because the standard does not let the organization rely solely on controls it designed itself: the controls it determines must be compared against Annex A to check that no necessary control has been overlooked, and the resulting Statement of Applicability must justify every inclusion and exclusion. Option C is incorrect because Annex A is a reference list of possible controls, not a mandatory set; controls may be excluded when the risk assessment shows they are not needed, provided the exclusion is justified in the Statement of Applicability.