PECB Lead Implementer (ISO/IEC 27001) — Question 32
Which of the actions presented in scenario 4 is NOT compliant with the requirements of ISO/IEC 27001?
Answer options
- A. TradeB selected only ISO/IEC 27001 controls deemed applicable to the company
- B. The Statement of Applicability was drafted before conducting the risk assessment
- C. The external experts selected security controls and drafted the Statement of Applicability
Correct answer: B
Explanation
The correct answer is B because the Statement of Applicability is an output of the risk assessment and risk treatment process: it records which controls are necessary (and why others are excluded) based on the identified risks, so it cannot be drafted before the risk assessment has been performed. Options A and C are compliant actions: selecting only the controls deemed applicable to the company is exactly what the Statement of Applicability is meant to justify, and ISO/IEC 27001 does not prohibit external experts from selecting controls and drafting the Statement of Applicability on the organization's behalf.