
Explanation:
The requirement for guidance in response and recovery from cybersecurity incidents is not part of ISO27001 compliance; it is a guideline provided by the NIST Framework for Improving Critical Infrastructure Cybersecurity. ISO27001 focuses on establishing and maintaining an Information Security Management System (ISMS), managing risk, and implementing effective controls. While it does require a procedure for responding to and managing information security incidents, it does not specifically require guidance in response and recovery from cybersecurity incidents. Therefore, this is not a requirement for a company to be certified as ISO27001 compliant.
Choice A is incorrect. Having an Information Security Management System (ISMS) that manages its information security risks is indeed a requirement for ISO27001 certification. The ISMS should be designed to ensure the selection of adequate and proportionate security controls that protect information assets and give assurance to interested parties.
Choice B is incorrect. Designing and implementing effective and comprehensive controls for information security is also a requirement for ISO27001 certification. These controls are necessary to manage or reduce the risks identified through the risk assessment process.
Choice C is incorrect. Adopting an ongoing risk management process is another requirement for ISO27001 certification. This involves conducting regular reviews and audits of the ISMS to ensure its continual improvement in line with changes in the threat environment, business circumstances, legal requirements, etc.
Q.5116 Which of the following is not a requirement for a company to be certified as ISO27001 compliant?
A. Have an Information Security Management System (ISMS) that manages its information security risks
B. Design and implement information security, including effective and comprehensive controls
C. Adopt an ongoing risk management process
D. Guidance in response and recovery from cybersecurity incidents