PECB ISO-IEC-27001-Lead-Implementer Exam With Confidence Using Practice Dumps

According to the ISO/IEC 27001:2022 standard, an information security policy is a high-level document that defines the management approach and objectives for information security within the organization. It should include, among other things, the legal and regulatory obligations imposed upon the organization, such as compliance with laws, contracts, agreements, and standards that are relevant to information security. The information security policy should also provide the basis for establishing, implementing, maintaining, and continually improving the information security management system (ISMS).

ISO/IEC 27001:2022, Clause 5.2 Policy

ISO/IEC 27002:2022, Clause 5.1 Policies for information security

PECB ISO/IEC 27001 Lead Implementer Course, Module 3: Information Security Management System (ISMS)

ISO/IEC 27001:2022 does not prescribe a specific set of security controls that must be implemented by all organizations. Instead, it allows organizations to select and implement the controls that are appropriate for their context, based on the results of a risk assessment and a risk treatment plan. The risk treatment plan is a document that specifies the actions to be taken to address the identified risks, including the selection of controls from Annex A or other sources, the allocation of responsibilities, the expected outcomes, the priorities and the resources. Therefore, the security controls that must be implemented to comply with ISO/IEC 27001 are those that are included in the risk treatment plan, which may vary from one organization to another.

ISO/IEC 27001:2022, clause 6.1.3

PECB ISO/IEC 27001 Lead Implementer Course, Module 5, slide 18