PECB Lead Implementer (ISO/IEC 27001) — Question 39

Which option below should be addressed in an information security policy?

Answer options

• A. Actions to be performed after an information security incident
• B. Legal and regulatory obligations imposed upon the organization
• C. The complexity of information security processes and their interactions

Correct answer: B

Explanation

The correct answer is B because an information security policy must outline the legal and regulatory obligations that the organization is required to follow. Option A, while important, pertains to incident response rather than policy content, and option C focuses on process complexity, which is not a policy requirement.