Comprehensive and Detailed Explanation From Exact Extract of ISO/IEC 27002:2022 standards:
Annex A.5.1 (Policies for information security) specifies:
“Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”
This clearly identifies the review frequency requirement: at planned intervals and whenever significant changes occur. Options A and B (six-monthly or annually) are not prescribed by ISO — the timing is left to the organization to decide. Option C is also wrong, since Certification Bodies do not dictate policy review schedules.
Therefore, the verified correct answer is D.