PECB Lead Implementer (ISO/IEC 27001) — Question 37
An organization has justified the exclusion of control 5.18 Access rights of ISO/IEC 27001 in the Statement of Applicability (SoA) as follows: “An access control reader is already installed at the main entrance of the building.” Which statement is correct?
Answer options
- A. The justification for the exclusion of a control is not required to be included in the SoA
- B. The justification is not acceptable, because it does not reflect the purpose of control 5.18
- C. The justification is not acceptable because it does not indicate that it has been selected based on the risk assessment results
Correct answer: B
Explanation
The correct answer is B. Control 5.18 Access rights concerns the provisioning, review, modification and removal of access rights to information and other associated assets in line with the organization's access control policy. A card reader at the building entrance is a physical entry control; it says nothing about how logical access rights are granted, reviewed or revoked, so it cannot justify leaving control 5.18 out of the SoA. Option A is incorrect because ISO/IEC 27001 clause 6.1.3 d) requires the SoA to state the justification for excluding a control, not only for including one. Option C is incorrect because it misstates what is wrong with the justification: an exclusion is justified by explaining why the control is not applicable to the organization, not by showing that it was selected from the risk assessment results.