APMG-International ISO-IEC-27001-Foundation Exam With Confidence Using Practice Dumps

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27005 standards:

ISO/IEC 27005:2022 is titled:

“Information security, cybersecurity and privacy protection — Guidance on managing information security risks.”

This standard provides structured methodologies for identifying, analyzing, evaluating, and treating risks, in alignment with ISO/IEC 27001’s risk management requirements (Clause 6.1.2 and 6.1.3). It supports organizations in implementing the risk management process that underpins an ISMS. Options A and B are titles of other ISO standards (ISO/IEC 27007 for auditing, ISO/IEC 27001 for requirements). Option D refers to ISO/IEC 27002 (controls).

Thus, the correct answer isC: Guidance on managing information security risks.

Clause 5.1 (Leadership and Commitment) requires top management to demonstrate leadership by:

“ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;”

“ensuring the integration of the ISMS requirements into the organization’s processes;”

“ensuring that the resources needed for the ISMS are available;”

Among the options, the one explicitly mandated isensuring that information security objectives are established. Risk assessments (C) and implementing audit actions (D) are responsibilities of management but not the direct leadership evidence required in Clause 5.1. Communicating interested party feedback (A) is relevant but not specifically cited as leadership evidence. Thus, the verified answer isB.

Clause 10.2 (Continual Improvement) specifies that the organization must“continually improve the suitability, adequacy and effectiveness of the information security management system.”

This makes it clear that three attributes are explicitly required to be addressed:

Suitability: ensuring the ISMS continues to meet organizational needs in changing contexts.

Adequacy: ensuring the ISMS covers the necessary scope and provides sufficient control coverage.

Effectiveness: ensuring the ISMS achieves intended outcomes in protecting information security.

The word“importance”is not part of the continual improvement requirement. Importance is implicit in prioritization of risks and actions, but it is not a required continual improvement attribute in ISO/IEC 27001. Therefore, optionD: Importanceis the correct choice as it is not specified.

This distinction reinforces that continual improvement is not about subjective importance, but about systematic enhancement of the ISMS’ssuitability, adequacy, and effectiveness.