Management should define and approve an information security policy to provide direction and support for information security. In ISO/IEC 27002:2022, Control 5.1 requires an information security policy and topic-specific policies to be defined, approved by management, published, communicated to and acknowledged by relevant personnel and interested parties, and reviewed at planned intervals or when significant changes occur. The policy states management intent, expectations and responsibilities, and it is the basis on which the more detailed topic-specific policies (for example on access control, asset management or backup) are built.

Option B, a risk management program, is important, but it is not the item this control requires in order to provide overall direction and support; risk assessment and treatment are governed separately and operate within the framework the policy sets. Option C, an asset inventory, also matters because inventories support control implementation (Control 5.9), but an inventory does not replace the policy framework. The policy is the governing statement that aligns information security with business objectives, legal and contractual requirements, and risk treatment, and it gives authority to the standards, procedures and operational controls beneath it. Therefore the correct answer is option A, the organization's information security policy.

References/Chapters: ISO/IEC 27002:2022, Control 5.1 Policies for information security; Control 5.2 Information security roles and responsibilities; Control 5.9 Inventory of information and other associated assets.