ISO 27000 Foundation Annex A Control Themes Questions and Answers

Question 1

An organization is updating its information security policies to include guidelines for the use of cloud services, threat intelligence, and ICT readiness for business continuity. According to the ISO 27001:2022 Annex A structure, these controls primarily fall under which theme?

Accepted Answer

Organizational Controls

Answer

The ISO 27001:2022 Annex A is structured into four themes. Controls like defining policies, threat intelligence, and ensuring readiness for business continuity are foundational, governance-level activities. These are categorized under Organizational Controls, which deal with the overarching framework and management of information security.

Question 2

A company is implementing a 'Clean Desk and Clear Screen' policy, installing privacy screens on monitors in open-plan offices, and establishing procedures for the secure disposal of storage media. These measures are examples of controls from which Annex A theme?

Accepted Answer

Physical Controls

Answer

These controls are all designed to protect tangible assets and secure the physical environment. 'Clean Desk and Clear Screen' policies, privacy screens, and secure media disposal are all part of the Physical Controls theme, which addresses the protection of the organization's premises and tangible assets from physical threats.

Question 3

A financial institution is conducting a security review. They are evaluating the effectiveness of their employee security awareness training, background verification screening for new hires, and the formal disciplinary process for security violations. Which Annex A control theme are they focusing on?

Accepted Answer

People Controls

Answer

The controls being evaluated—security awareness training, screening, and disciplinary processes—are all centered on managing security risks related to human factors. The People Controls theme specifically covers the entire employee lifecycle to mitigate risks arising from human error, negligence, or malicious intent.

Question 4

Which of the following controls is a primary example of a Technological Control as defined in the ISO 27001:2022 Annex A themes?

Accepted Answer

Management of privileged access rights

Answer

The management of privileged access rights is a Technological Control. This theme includes controls implemented through technology, such as access control systems, encryption, network security, and secure coding. The other options fall under People (training), Physical (securing offices), and Organizational (policies) controls respectively.

Question 5

A startup is building its Information Security Management System (ISMS). To protect its source code and customer data, the IT team is tasked with implementing data masking, web filtering, and secure coding practices. These controls belong to which of the four main Annex A themes?

Accepted Answer

Technological Controls

Answer

Data masking, web filtering, and secure coding are all technical measures applied to systems and applications to protect data. They are quintessential examples of Technological Controls, which focus on strengthening cyber defenses and protecting digital assets through technology.

ISO 27000 Foundation Certification Practice Test

ISO 27000 Foundation Certification Practice Test

ISO 27000 Foundation Annex A Control Themes Questions and Answers