ISO-IEC-27001-Foundation Exam Dumps : ISO/IEC 27001 (2022) Foundation Exam

Clause 5.1 (Leadership and Commitment) requires top management to demonstrate leadership by:

“ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;”

“ensuring the integration of the ISMS requirements into the organization’s processes;”

“ensuring that the resources needed for the ISMS are available;”

Among the options, the one explicitly mandated isensuring that information security objectives are established. Risk assessments (C) and implementing audit actions (D) are responsibilities of management but not the direct leadership evidence required in Clause 5.1. Communicating interested party feedback (A) is relevant but not specifically cited as leadership evidence. Thus, the verified answer isB.

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27005 standards:

ISO/IEC 27005:2022 is titled:

“Information security, cybersecurity and privacy protection — Guidance on managing information security risks.”

This standard provides structured methodologies for identifying, analyzing, evaluating, and treating risks, in alignment with ISO/IEC 27001’s risk management requirements (Clause 6.1.2 and 6.1.3). It supports organizations in implementing the risk management process that underpins an ISMS. Options A and B are titles of other ISO standards (ISO/IEC 27007 for auditing, ISO/IEC 27001 for requirements). Option D refers to ISO/IEC 27002 (controls).

Thus, the correct answer isC: Guidance on managing information security risks.

ISO/IEC 27001 makes clear that the ISMS is intended to be tailored to the organization. The standard states: “This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations regardless of type, size or nature.” This means implementation is scaled based on each organization’s risk, context, and needs, not a fixed one-size-fits-all set of activities or controls. Clause 6.1.3 further reinforces that control selection is flexible and risk-driven: “Organizations can design controls as required or identify them from any source,” and “Annex A contains a list of possible information security controls… The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.” Together, these extracts verify that the ISMS implementation is influenced by and scaled to the organization’s needs and selected controls, not separated from management processes (A, D) nor mandated to include “all controls” (B).