Which three statements regarding ISO 27002 and COBIT are correct? (Choose three.)
Click on the arrows to vote for the correct answerA. B. C. D. E.
ISO 27002 and COBIT are two popular frameworks used in the field of information security management. Both frameworks provide guidance and best practices for managing and securing information systems. Here are the explanations for each statement:
A. COBIT and ISO 27002 both define a best practices framework for IT controls. This statement is correct. Both COBIT and ISO 27002 provide guidance and best practices for managing and securing information systems. COBIT focuses on governance and management of IT processes, while ISO 27002 focuses on information security management.
B. COBIT focuses on information system processes, whereas ISO 27002 focuses on the security of the information systems. This statement is not entirely correct. COBIT does focus on information system processes, but it also covers governance and management of IT processes. ISO 27002, on the other hand, focuses on information security management, which includes the security of information systems, but also covers other aspects of information security such as physical security, personnel security, and incident management.
C. ISO 27002 addresses control objectives, whereas COBIT addresses information security management process requirements. This statement is partially correct. ISO 27002 does address control objectives, which are the desired outcomes of implementing security controls. COBIT also addresses control objectives, but it focuses more on the management and governance of IT processes and how security controls should be implemented and managed within those processes.
D. Compared to COBIT, ISO 27002 covers a broader area in planning, operations, delivery, support, maintenance, and IT governance. This statement is not entirely correct. While ISO 27002 does cover a broad range of topics related to information security management, COBIT also covers a wide range of areas, including governance, management, and operational processes. However, it is fair to say that ISO 27002 places more emphasis on security-related aspects of IT management.
E. Unlike COBIT, ISO 27002 is used mainly by the IT audit community to demonstrate risk mitigation and avoidance mechanisms. This statement is not correct. Both COBIT and ISO 27002 are used by IT professionals and organizations to manage and secure their information systems. While ISO 27002 is commonly used in the context of information security audits, COBIT is used more broadly for IT governance and management purposes.
In conclusion, statements A, C, and D are correct regarding ISO 27002 and COBIT. However, statements B and E are not entirely accurate.