ISO/IEC 27001 ISO-IEC-27001-Foundation Book

Clause 6.1.3 (e) specifies:

“The organization shall obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.”

This confirms that residual risks — those remaining after risk treatment — must be reviewed and formally accepted by the designated risk owner. Option A is incorrect; awareness training is not a default control for all residual risks. Option B misrepresents leadership responsibility; top management ensures processes exist, butrisk ownersformally approve residual risk. Option D (avoiding risk) is a treatment option, not the mandated requirement for residual risks.

Thus, the required response isC: Review and acceptance by the risk owner.

ISO/IEC 27001 makes clear that the ISMS is intended to be tailored to the organization. The standard states: “This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations regardless of type, size or nature.” This means implementation is scaled based on each organization’s risk, context, and needs, not a fixed one-size-fits-all set of activities or controls. Clause 6.1.3 further reinforces that control selection is flexible and risk-driven: “Organizations can design controls as required or identify them from any source,” and “Annex A contains a list of possible information security controls… The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.” Together, these extracts verify that the ISMS implementation is influenced by and scaled to the organization’s needs and selected controls, not separated from management processes (A, D) nor mandated to include “all controls” (B).

Clause 5.1 (Leadership and Commitment) requires that:

“Top management shall demonstrate leadership and commitment with respect to the information security management system by… ensuring that the resources needed for the ISMS are available… and supporting persons to contribute to the effectiveness of the ISMS.”

This makes it explicit thattop managementhas the responsibility to ensure personnel are supported so they can contribute to the ISMS. Option B (line management) may provide local support, but ultimate accountability rests with top management. Auditors (C) only evaluate compliance, not provide support. Practitioners (D) help implement, but they don’t bear formal responsibility under the standard.

Thus, the verified answer isA: Top management of the organization.

Clause 6.1.1 (Planning) states:

“The organization shall plan:

d) actions to address these risks and opportunities; and

e) how to:

integrate and implement the actions into its ISMS processes; and

evaluate the effectiveness of these actions.”

This confirms the missing words are“evaluate the effectiveness of”. Communication (A), applying resources (B), and improving effectiveness (C) are important concepts elsewhere but not the direct requirement stated in this clause.