nerdexam
(ISC)2

CISSP · Question #1316

When assessing an organization's security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be

The correct answer is B. Only when standards are defined. ISO 27001/27002 establishes a hierarchical structure where policies and standards must be defined before management responsibilities can be assigned. Standards provide the baseline requirements that management is then responsible for enforcing.

Submitted by packet_pusher· Mar 5, 2026Security and Risk Management

Question

When assessing an organization's security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?

Options

  • AOnly when assets are clearly defined
  • BOnly when standards are defined
  • COnly when controls are put in place
  • DOnly procedures are defined

How the community answered

(38 responses)
  • A
    5% (2)
  • B
    84% (32)
  • C
    3% (1)
  • D
    8% (3)

Why each option

ISO 27001/27002 establishes a hierarchical structure where policies and standards must be defined before management responsibilities can be assigned. Standards provide the baseline requirements that management is then responsible for enforcing.

AOnly when assets are clearly defined

Asset identification is an important component of ISO 27001's risk assessment process, but the definition of management responsibilities is dependent on standards being in place, not on asset classification alone.

BOnly when standards are definedCorrect

Under ISO 27001/27002, the information security framework follows a top-down hierarchy: policies define intent, standards define the measurable requirements, and only after standards are established can management responsibilities be clearly defined and assigned. Without defined standards, there is no baseline against which managers can be held accountable, making it impossible to meaningfully assign or assess management responsibilities.

COnly when controls are put in place

Controls are implemented as a result of the risk treatment process and come after policies, standards, and management responsibilities are already established, making this the reverse of the correct order.

DOnly procedures are defined

Procedures are operational, step-by-step documents that sit below standards and controls in the ISO 27001 hierarchy; management responsibilities must be defined before procedures are created, not the other way around.

Concept tested: ISO 27001/27002 policy hierarchy and management responsibilities

Source: https://www.iso.org/standard/27001

Topics

#ISO 27001/27002#security policy#management responsibilities#information security standards

Community Discussion

No community discussion yet for this question.

Full CISSP Practice