FREE ISO 27000 Foundation Annex A Control Themes Questions and Answers

Question 1

The 2022 revision of ISO/IEC 27001 restructured the Annex A controls into four high-level themes. Which of the following correctly lists these four themes?

Accepted Answer

Organizational, People, Physical, and Technological

Answer

The ISO/IEC 27001:2022 standard updated Annex A by consolidating the previous 14 domains into four distinct themes: A.5 Organizational controls, A.6 People controls, A.7 Physical controls, and A.8 Technological controls. This structure simplifies the categorization of the 93 controls.

Question 2

An organization is implementing a new mandatory security awareness training program and updating its disciplinary process for information security policy violations. Under which ISO/IEC 27001:2022 Annex A theme would these controls primarily be classified?

Accepted Answer

People controls

Answer

Controls related to the human element of security, such as screening, awareness training, and disciplinary processes, fall under the 'People controls' theme (A.6). This theme focuses on mitigating risks associated with human error or malicious action throughout the employment lifecycle.

Question 3

An IT department is focused on implementing data leakage prevention measures, managing the secure configuration of servers, and deploying malware protection. These activities are most representative of which Annex A control theme?

Accepted Answer

Technological controls

Answer

Controls such as data leakage prevention (A.8.12), configuration management (A.8.9), and protection against malware (A.8.7) are all examples of 'Technological controls' (A.8). This theme covers the technical safeguards applied to systems, networks, and applications to protect information.

Question 4

Which of the following controls is primarily categorized under the 'Physical controls' theme (A.7) in ISO/IEC 27001:2022 Annex A?

Accepted Answer

Securing offices, rooms, and facilities

Answer

Securing offices, rooms, and facilities (A.7.3) is a core component of the 'Physical controls' theme. This theme is concerned with preventing unauthorized physical access, damage, and interference to the organization's premises and the information within them.

Question 5

A company is defining its overall information security policies, assigning security roles and responsibilities, and establishing its process for information classification. These foundational activities fall under which Annex A control theme?

Accepted Answer

Organizational controls

Answer

The 'Organizational controls' theme (A.5) establishes the governance framework for the ISMS. This includes creating policies (A.5.1), defining roles and responsibilities (A.5.2), and classifying information (A.5.12), which are all high-level, process-oriented controls.

ISO 27000 Foundation Certification Practice Test

ISO 27000 Foundation Certification Practice Test

FREE ISO 27000 Foundation Annex A Control Themes Questions and Answers