CISSP · Question #1316
When assessing an organization's security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be
The correct answer is B. Only when standards are defined. ISO 27001/27002 establishes a hierarchical structure where policies and standards must be defined before management responsibilities can be assigned. Standards provide the baseline requirements that management is then responsible for enforcing.
Question
When assessing an organization's security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?
Options
- AOnly when assets are clearly defined
- BOnly when standards are defined
- COnly when controls are put in place
- DOnly procedures are defined
How the community answered
(38 responses)- A5% (2)
- B84% (32)
- C3% (1)
- D8% (3)
Why each option
ISO 27001/27002 establishes a hierarchical structure where policies and standards must be defined before management responsibilities can be assigned. Standards provide the baseline requirements that management is then responsible for enforcing.
Asset identification is an important component of ISO 27001's risk assessment process, but the definition of management responsibilities is dependent on standards being in place, not on asset classification alone.
Under ISO 27001/27002, the information security framework follows a top-down hierarchy: policies define intent, standards define the measurable requirements, and only after standards are established can management responsibilities be clearly defined and assigned. Without defined standards, there is no baseline against which managers can be held accountable, making it impossible to meaningfully assign or assess management responsibilities.
Controls are implemented as a result of the risk treatment process and come after policies, standards, and management responsibilities are already established, making this the reverse of the correct order.
Procedures are operational, step-by-step documents that sit below standards and controls in the ISO 27001 hierarchy; management responsibilities must be defined before procedures are created, not the other way around.
Concept tested: ISO 27001/27002 policy hierarchy and management responsibilities
Source: https://www.iso.org/standard/27001
Topics
Community Discussion
No community discussion yet for this question.