Pass the APMG-International ISO/IEC 27001 ISO-IEC-27001-Foundation Questions and answers with CertsForce

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.1 (Policies for information security) states:

“Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”

This confirms that the missing words are“published, communicated to.”The control emphasizes not just defining and approving policies but ensuring they are actively distributed and communicated so that relevant stakeholders are aware of and acknowledge them. Options A, B, and D are partial but incomplete.

Thus, the correct answer isC.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.5.12 (Classification of information) states:

“Information should be classified according to the information security needs of the organization based on confidentiality, integrity and availability.”

This aligns directly with option B. Option A (labelling) is a separate control (Annex A.5.13). Option C (security perimeters) is under physical controls (Annex A.7.1). Option D (access control rules) relates to Annex A.5.15 and A.8.2.

Thus, the verified correct statement for the Classification of information control isB.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27002:2022 standards:

Annex A.6.1 (Terms and conditions of employment) states:

“The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.”

This means the control applies not just to employees, but also contractors and, where relevant, third-party users who are subject to contractual obligations with the organization. The goal is to ensure thatall parties engaged in work under the organization’s control understand their security responsibilities before, during, and after employment or contract engagement.

Options A and B are too narrow, excluding key groups. Option C misrepresents the scope by implying a mutual responsibility but not identifying the individuals covered. The explicit scope includesemployees, contractors, and third-party users.

Therefore, the correct answer isD.

Clause 6.1.3 (e) specifies:

“The organization shall obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.”

This confirms that residual risks — those remaining after risk treatment — must be reviewed and formally accepted by the designated risk owner. Option A is incorrect; awareness training is not a default control for all residual risks. Option B misrepresents leadership responsibility; top management ensures processes exist, butrisk ownersformally approve residual risk. Option D (avoiding risk) is a treatment option, not the mandated requirement for residual risks.

Thus, the required response isC: Review and acceptance by the risk owner.

ISO/IEC 27001 makes clear that the ISMS is intended to be tailored to the organization. The standard states: “This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations regardless of type, size or nature.” This means implementation is scaled based on each organization’s risk, context, and needs, not a fixed one-size-fits-all set of activities or controls. Clause 6.1.3 further reinforces that control selection is flexible and risk-driven: “Organizations can design controls as required or identify them from any source,” and “Annex A contains a list of possible information security controls… The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.” Together, these extracts verify that the ISMS implementation is influenced by and scaled to the organization’s needs and selected controls, not separated from management processes (A, D) nor mandated to include “all controls” (B).