PECB Lead Implementer (ISO/IEC 27001) — Question 96
An organization has justified the exclusion of control 5.18 Access rights of ISO/IEC 27001 in the Statement of Applicability (SoA) as follows: “An access control reader is already installed at the main entrance of the building.” Which statement is correct?
Answer options
- A. The justification is not acceptable, because it does not specify the time when the control was implemented
- B. The justification is not acceptable, because it does not reflect the purpose of control 5.18
- C. The justification is not acceptable, because it does not indicate that it has been selected based on the risk assessment results
Correct answer: B
Explanation
The correct answer is B because the justification does not address the purpose of control 5.18, which is to manage access rights comprehensively; a card reader installed at the building entrance is a single physical access measure and neither fulfils that purpose nor justifies excluding the control from the SoA. Options A and C are incorrect because they focus on the timing of implementation and on selection based on the risk assessment, neither of which is the primary concern when judging whether the justification reflects the purpose of the control.