ISO27001 ISMS: Mandatory Documents | 400-251 CCIE Security Exam Answers




According to ISO 27001 ISMS, which of the following are mandatory documents? (Choose 4)





ISO 27001 is a widely recognized standard for information security management. It outlines a comprehensive set of requirements for implementing, maintaining, and continually improving an information security management system (ISMS). An ISMS is a framework of policies, procedures, and controls that organizations use to protect their sensitive information.

In accordance with ISO 27001, there are several mandatory documents that an organization must create and maintain to demonstrate compliance with the standard. These mandatory documents include:

A. ISMS Policy: This document outlines an organization's overall approach to information security management. It sets out the objectives, principles, and guidelines for implementing, maintaining, and continually improving the ISMS.

B. Corrective Action Procedure: This document outlines the process for identifying, reporting, and correcting security incidents, breaches, or nonconformities with the ISMS. It also includes the steps taken to prevent similar incidents from recurring.

C. IS Procedures: This document outlines the procedures for implementing the controls that are defined in the risk treatment plan. These controls may include technical, administrative, or physical controls, as well as procedures for monitoring, reviewing, and improving them.

D. Risk Assessment Reports: This document outlines the results of the organization's risk assessment process. It includes a description of the information assets that are being protected, the threats and vulnerabilities that have been identified, and the risk treatment plan that has been developed to address these risks.

E. Complete Inventory of all information assets: While not a mandatory document under ISO 27001, maintaining an up-to-date inventory of all information assets is considered best practice. This includes identifying and cataloging all sensitive information, hardware, software, and other technology assets that are used to store or process this information.

In summary, four of the mandatory documents required by ISO 27001 include the ISMS Policy, Corrective Action Procedure, IS Procedures, and Risk Assessment Reports. While not mandatory, maintaining a complete inventory of all information assets is also considered best practice.